Bottom line: Remember VPNFilter, the multi-stage router malware that was discovered last month? Cisco researchers said it had infected over 50,000 devices in more than 50 countries, leading to the FBI recommending all users reboot their routers. As bad as that sounds, it seems VPNFilter is even worse than people thought.
We already knew that the malware, which is said to originate in Russia, can collect data, infect other devices, steal credentials, and even destroy a device by overwriting a critical portion of its firmware. Cisco Talos has now discovered a new stage 3 module that can bypass SSL encryption by intercepting outgoing web requests and turning them into non-encrypted HTTP, helping it to steal sensitive data.
Additionally, the new module can use man-in-the-middle attacks to inject malicious content into web traffic. Another newly discovered feature is the malware’s ability to infect other devices, including PCs on the same local network.
It appears that more routers are affected than previously thought, too. A handful of devices from Linksys, MikroTik, Netgear, QNAP, and TP-Link were originally said to be the only ones vulnerable, but it seems more models from these brands, along with routers from Asus, D-Link, Huawei, Ubiquiti, Upvel and ZTE, are also at risk. You can see the full list at the bottom of this page.
While VPNFilter is mostly targeting routers in Ukraine, suggesting a political motivation, it's strongly recommended that all owners of the affected routers update their firmware or perform a factory reset.