VPNFilter malware performs an active man-in-the-middle attack capable of downgrading HTTPS

VPNFilter malware

After further analysis, Cisco security researchers found that the VPNFilter malware is more powerful and destructive than earlier thought. Hackers working for the Russian government used VPNFilter to infect 500,000 routers worldwide. The infected router brands include Linksys, MikroTik, Netgear, and TP-Link.

Now researchers report that routers from Asus, Huawei, ZTE, and D-Link are also infected. Cisco researchers discovered a man-in-the-middle attack module in VPNFilter, called ssler, that allows attackers to inject malicious content into the traffic passing through a compromised router. It can even quietly modify what a site sends back to the user. Ssler is also designed to steal sensitive data such as passwords. Because such data is usually sent over an encrypted connection, ssler attempts to downgrade HTTPS connections to clear-text HTTP.

Ssler also handles traffic for Google, Facebook, Twitter, and YouTube specially, because these sites provide additional security features, such as Google automatically redirecting HTTP traffic to HTTPS. Ssler also strips gzip compression from the traffic, because uncompressed plaintext is easier to modify.
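As an added defender-side example (not code from the article or from Cisco's report), a small Python check that flags requests showing the downgrade signs described above: plaintext HTTP to sites that normally enforce HTTPS, a missing gzip Accept-Encoding, and credentials posted in clear text. The host list, header names and sample requests are constructed for illustration.

```python
"""Flag HTTP requests that show signs of an ssler-style HTTPS downgrade."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sites the article says ssler treats specially; browsers normally reach them
# over HTTPS, so sustained plaintext HTTP to them is a downgrade indicator.
HTTPS_ONLY_HOSTS = ("google.com", "facebook.com", "twitter.com", "youtube.com")
CREDENTIAL_FIELDS = ("password", "passwd", "pwd")  # constructed, not exhaustive


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def host_matches(host, suffixes):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def downgrade_indicators(req):
    """Return the reasons this request looks downgraded or tampered with."""
    reasons = []
    u = urlparse(req.url)
    if u.scheme != "http":
        return reasons  # only plaintext traffic is relevant to this check
    if host_matches(u.hostname or "", HTTPS_ONLY_HOSTS):
        reasons.append("plaintext HTTP to a host that normally enforces HTTPS")
    if "gzip" not in req.headers.get("Accept-Encoding", "").lower():
        reasons.append("Accept-Encoding lacks gzip (compression stripped?)")
    if req.method == "POST" and any(f in req.body.lower() for f in CREDENTIAL_FIELDS):
        reasons.append("credential-like POST body sent in clear text")
    return reasons


def scan(requests):
    """Map each suspicious request URL to its list of indicators."""
    found = {r.url: downgrade_indicators(r) for r in requests}
    return {url: reasons for url, reasons in found.items() if reasons}


# Constructed sample traffic as a LAN monitor might record it.
SAMPLE = [
    HttpRequest("GET", "https://www.google.com/", {"Accept-Encoding": "gzip, deflate"}),
    HttpRequest("GET", "http://www.google.com/"),  # no Accept-Encoding at all
    HttpRequest("POST", "http://example.org/login", {"Accept-Encoding": "gzip"},
                "user=alice&password=hunter2"),
]
```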

The full list of targeted devices is:

ASUS DEVICES:

RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-LINK DEVICES:

DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

HUAWEI DEVICES:

HG8245 (new)

LINKSYS DEVICES:

E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

MIKROTIK DEVICES:

CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

NETGEAR DEVICES:

DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP DEVICES:

TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN
TL-WR741ND (new)
TL-WR841N (new)

UBIQUITI DEVICES:

NSM2 (new)
PBE M5 (new)

UPVEL DEVICES:

Unknown Models* (new)

ZTE DEVICES:

ZXHN H108N (new)

FBI reminds users to restart their routers to remove the VPNFilter malware.