Link to TALOS Intelligence blog
Well folks, I know that we touched on the vulnerability of consumer-grade network gear in another thread, and there were a number of attempts made to downplay the severity of the bugs and, by extension, the vulnerability to exploits and security flaws found in a lot of this gear. The primary argument was that hacker folk don't target home users, which, as I indicated at the time, is incorrect. Identity theft is big business.
The linked blog has, at the end, a list of known affected devices, along with the note that this list is in no way complete. Other devices from the same manufacturers are almost assuredly vulnerable as well, as are, potentially, any consumer routers based on BusyBox and Linux.
Cliff-notes version of what transpires follows, after this statement from the article:
At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.
There are at least half a million affected devices in 54 different countries, and this list is growing.
The Stage 1 infection, whose means of infecting the devices is not yet known, primarily serves as a gateway for the 2nd and potentially 3rd stage infections. The Stage 1 infection, once in place, is not removed by a power cycle or other traditionally effective mitigation technique.
The Stage 2 payload contains the bulk of the functionality and is modular in nature. It can brick your device by overwriting the NVRAM, which is one of the main concerns, since a widespread bricking could take place. But thanks to its ability to support plugins, it can also:
- Monitor and intercept traffic, potentially sniffing sensitive information
- Perform traffic redirects via DNS manipulation
- Infect other devices inside your network, allowing them to reach out and provide even more information
- Turn your router into a proxy, VPN endpoint or other traffic-obfuscation device for a malicious actor
- Aid in infecting a computer or computers inside your network to be used for mining
And of course other things. The list is extensive.