Published on June 8th, 2018
VPNFilter malware performs an active man-in-the-middle attack capable of downgrading HTTPS
After further analysis, Cisco Talos researchers found that the VPNFilter malware is more capable and more destructive than first thought. Hackers believed to be working for the Russian government used VPNFilter to infect roughly 500,000 routers and NAS devices worldwide. The originally reported brands were Linksys, MikroTik, Netgear, and TP-Link.
Researchers now report that routers from Asus, Huawei, ZTE, and D-Link are affected as well. The Cisco researchers also identified a man-in-the-middle module, ssler, that lets attackers inject malicious content into web traffic passing through a compromised router and quietly modify what a site sends back to the user. Ssler is also designed to steal sensitive data such as passwords. Because such data normally travels encrypted, ssler attempts to downgrade HTTPS connections to plaintext HTTP so that it can read and alter them.
Ssler handles traffic for Google, Facebook, Twitter, and YouTube specially, because these sites provide additional protections such as Google's automatic redirection of HTTP requests to HTTPS. Ssler also strips the gzip compression from the traffic, since an uncompressed plaintext response is easier to modify on the fly.
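To make the downgrade mechanics concrete, the following is an added illustration written for this article, not ssler's own code. It simulates the three moves described above on constructed traffic: stripping compression from the outgoing request, rewriting https:// links in the response so the next hop is plaintext, and reading credentials out of a form that is then submitted in the clear. It also models the browser-side HSTS cache, which is what blocks this downgrade for a site the browser has already seen over TLS. The specific headers touched (Connection, Strict-Transport-Security, Location) and the credential field-name heuristic are assumptions for the example, not behaviour recovered from the malware.

```python
"""Simulation of the HTTPS-downgrade and credential-harvesting rewrites described
for VPNFilter's ssler module, plus the client-side HSTS check that defeats them.
Illustrative code written for this article; the exact headers rewritten and the
credential field-name pattern are assumptions, not recovered from the malware."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not a real capture).
CLIENT_REQUEST_HEADERS = {
    "Host": "example.com",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
    "User-Agent": "constructed-browser/1.0",
}
SERVER_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Length": "0",  # recomputed after the body is edited
}
SERVER_RESPONSE_BODY = (
    '<a href="https://example.com/login">Log in</a>\n'
    '<form method="post" action="https://example.com/auth">\n'
    '<script src="https://cdn.example.net/app.js"></script>\n'
)
# Assumed heuristic for form fields worth stealing.
CREDENTIAL_RE = re.compile(r"(pass|pwd|user|login|email)", re.IGNORECASE)


def rewrite_request(headers):
    """Request-side tampering: drop Accept-Encoding so the server answers
    uncompressed (nothing to gunzip before editing) and force Connection: close
    so each exchange is one self-contained, easily rewritten message."""
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "accept-encoding":
            continue  # server falls back to an identity-encoded response
        if lname == "connection":
            value = "close"
        out[name] = value
    return out


def downgrade_response(headers, body):
    """Response-side tampering: remove the HSTS header so the browser is never
    told to insist on TLS, rewrite https:// links to http:// so the user's next
    request crosses the router in plaintext, and fix Content-Length to match."""
    new_body, count = re.subn(r"https://", "http://", body)
    new_headers = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            continue
        if lname == "location":
            value = value.replace("https://", "http://")
        new_headers[name] = value
    new_headers["Content-Length"] = str(len(new_body.encode()))
    return new_headers, new_body, count


def harvest_credentials(post_body):
    """Once the login form is submitted over plain HTTP, every field is readable
    on the path; return the ones whose names look like credentials."""
    fields = parse_qs(post_body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if CREDENTIAL_RE.search(k)}


def client_scheme(hsts_hosts, url):
    """Model a browser's HSTS cache: a host previously seen with an HSTS header
    (or on the preload list) is fetched over https whatever the link says."""
    parts = urlsplit(url)
    return "https" if parts.hostname in hsts_hosts else parts.scheme


if __name__ == "__main__":
    req = rewrite_request(CLIENT_REQUEST_HEADERS)
    hdrs, body, n = downgrade_response(SERVER_RESPONSE_HEADERS, SERVER_RESPONSE_BODY)
    print(f"request Accept-Encoding present: {'Accept-Encoding' in req}")
    print(f"rewrote {n} https:// links; HSTS still present: {'Strict-Transport-Security' in hdrs}")
    print(harvest_credentials("username=alice&password=hunter2&remember=1"))
    # A victim whose browser has never seen example.com over TLS follows the
    # rewritten link in the clear; one with HSTS cached or preloaded does not.
    print(client_scheme(set(), "http://example.com/login"))
    print(client_scheme({"example.com"}, "http://example.com/login"))
```

The last two calls show the practical limit of the attack and the reason HSTS preloading matters: the downgrade only works on a browser that has not yet learned, from an earlier untampered visit or from the preload list, that the host requires TLS. For a site on the preload list the rewritten http:// link is upgraded before it ever reaches the router.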
The list of targeted devices includes:
RB Groove (new)
RB Omnitik (new)
Other QNAP NAS devices running QTS software
PBE M5 (new)
Unknown Models* (new)
ZXHN H108N (new)
The FBI has reminded users to restart their routers to disrupt VPNFilter. Note that a reboot only clears the stage 2 and stage 3 modules, including ssler; the stage 1 loader persists across reboots, so a factory reset and a firmware update are also needed to fully clean an affected device.