Cisco cyber intelligence unit Talos has found that the actor behind the global VPNFilter malware campaign also targeted Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE devices.
On 23 May, Talos warned that hackers had infected at least 500,000 networking devices in 54 countries. At the time, the known affected vendors were Linksys, MikroTik, Netgear and TP-Link.
Small and home office (SOHO) and QNAP network-attached storage (NAS) devices were the targeted devices.
Now Talos believes the actor, which it claims is likely state-sponsored or state-affiliated, has also targeted the devices of six additional vendors, including Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
"The list of makes and models at risk is getting longer. We'd urge users to check to see if their device is being targeted by this bad actor, and take the recommended steps to protect themselves," Cisco Talos outreach leader Craig Williams said.
Since its preliminary findings, Talos has now found there is a way for the attacker to inject malicious content into web traffic as it passes through network device without the user's knowledge.
This is done through a new stage 3 module that allows the actor to deliver exploits to endpoints via a man-in-the-middle capability. In other words, the hacker intercept network traffic and inject malicious code into it without the user's knowledge.
Talos has also discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable.
According to Talos, this makes it clear that the VPNFilter threat was meant to leverage the victim's devices in a much bigger way.
"The technical sophistication of this attack is like nothing we've ever seen before. The bad guys continue to innovate and iterate using a modular approach. Our research into this show they can deliver threats to the endpoint and network. Once you can inject code you can quite literally do anything- steal passwords, install software…" Cisco Talos vice president Matt Watchinski said.
Cisco Talos said in a statement that the VPNFilter attack is more significant than originally thought but reaffirms that the attack did not compromise enterprise-grade routers, including all Cisco routers and switches.