Late last month, the FBI urged consumers to reboot their internet routers to mitigate the risk of being exposed to a malware attack with ties to foreign cyber actors.
Called VPNFilter, the malware is "able to render small office and home office routers inoperable," the FBI stated. "The malware can potentially also collect information passing through the router."
It was first reported to have infected more than 500,000 consumer Wi-Fi devices. Now, Cisco Talos security researchers are saying that the malware is targeting more makes and models of devices than initially thought.
The new targets include ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. Up to 200,000 additional routers around the world are at risk of being infected; however, Cisco noted that its research showed none of its own network devices are affected.
The new research reveals that the malware can perform “man-in-the-middle” attacks, meaning it can be used for injecting malicious content into traffic that passes through an infected network device.
“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Cisco Talos’ Craig Williams told Ars Technica. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device.”
“They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”
Cisco Talos has published a complete description of VPNFilter and its new capabilities.
Rebooting a potentially infected router, as the FBI previously recommended, may have been enough to temporarily disrupt VPNFilter. However, Williams says that a reboot alone isn’t enough to fully remove the malware from infected devices.
"I'm concerned that the FBI gave people a false sense of security," Williams said. "VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network."
In light of the new research, consumers with routers should perform a factory reset and then apply a firmware update, which can close the vulnerabilities that expose the device to Stage 1 infection. Changing default passwords is also advised, as is disabling remote administration.