Feature Story

Cisco Talos discovers threat from VPNFilter attack broader than originally thought

by Liza Meak

VPNFilter is targeting more vendors and devices, and now has the ability to inject malicious content into web traffic as it passes through network devices.

Two weeks after Cisco Talos first published findings on a campaign dubbed "VPNFilter," the threat research group, along with threat intelligence partners and law enforcement, has determined that additional small-business and home-office devices may now be at risk. Cisco Talos believes the actor, likely state-sponsored or state-affiliated, has also targeted six additional vendors: ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

"The list of makes and models at risk is getting longer. We'd urge users to check to see if their device is being targeted by this bad actor, and take the recommended steps to protect themselves," said Craig Williams, outreach leader at Cisco Talos.

Read the most recent Talos blog for the specific vendors and devices affected.

After the initial report, intelligence partners around the world responded, providing important insight and new details as this attack continues to evolve. In the original report, Talos described a broad campaign that delivered VPNFilter to small-business and home-office network devices, as well as network-attached storage devices.

In the two weeks since sharing the findings on VPNFilter, Cisco Talos has found that the attacker has a way to inject malicious content into web traffic as it passes through a network device, without the user's knowledge. This makes it clear that the VPNFilter threat was meant to leverage the victim's devices in a much bigger way. "The technical sophistication of this attack is like nothing we've ever seen before. The bad guys continue to innovate and iterate using a modular approach. Our research into this shows they can deliver threats to the endpoint and network. Once you can inject code you can quite literally do anything: steal passwords, install software…" said Matt Watchinski, VP, Cisco Talos.

Even though the risk from the VPNFilter attack is more significant than originally thought, Cisco Talos research supports the original finding that the infected devices are not large enterprise-grade routers. In addition, Cisco routers and switches, as well as other enterprise products, have not been affected.

Right now, it appears the number of infected devices remains at 500,000. The advice remains the same as when this attack was first discovered: if you own any of the devices at risk, unplug it from the network, restore it to its original factory settings, and immediately apply the latest security patches.

Cisco Talos continues to investigate VPNFilter and will give updates as the threat continues to evolve.


We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.