Security Alert: FBI asks all router owners to reboot now to neuter Russia’s VPNFilter malware

May 29th, 2018

Security Alert: FBI asks all router owners to reboot now to neuter Russia's VPNFilter malware

The FBI is urging small businesses and households to immediately their home and small business reboot routers following Cisco's report that more than 500,000 infected devices could be damaged beyond repair.  The malware, dubbed VPNFilter, was developed by the Russian state-sponsored hacking group Sofacy, also known as Fancy Bear and APT28, according to the FBI, which last week obtained a warrant to seize a domain used to control the infected routers.

Cisco's Talos Intelligence researchers revealed last week that 500,000 routers made by Linksys, MikroTik, Netgear, and TP-Link had been infected with VPNFilter.

The malware is capable of collecting traffic sent through infected routers, such as website credentials.

However, the most worrying capability is that malware allows its controllers to wipe a portion of an infected device's firmware, rendering it useless. The attackers can selectively destroy a single device or wipe all infected devices at once.

Cisco released the report on Wednesday after observing a spike this month in infections in the Ukraine, which accused Russia of planning an attack to coincide with Saturday's Champions Cup final in Kiev.

Users with infected routers can remove the dangerous Stage 2 and Stage 3 components of VPNFilter by rebooting the device. However, Stage 1 of VPNFilter will persist after a reboot, potentially allowing the attackers to reinfect the compromised routers.

The web address the FBI seized on Wednesday, ToKnowAll[.]com, could have been used to reinstall Stage 2 and Stage 3 malware, but all traffic to this address is now being directed to a server under the FBI's control.

The FBI nonetheless is urging all small office and home router owners to reboot devices even if they were not made by one of the affected vendors. This will help neuter the threat and help the FBI identify infected devices.

"The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices," the FBI said in a public-service announcement.

"Owners are advised to consider disabling remote-management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware."

The Justice Department said the FBI-controlled server to which infected devices are now communicating with will collect the IP addresses of each device.

The addresses are being shared with the non-profit cyber security group, The Shadowserver Foundation, which will disseminate the addresses to foreign CERTs and ISPs. The FBI and US DHS CERT has also notified some ISPs.

It's not known how the attackers initially infected the routers, but Symantec noted in its report on VPNFilter that many of them have known vulnerabilities.

"Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat," wrote Symantec researchers.

Known infected devices include:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

How You Can Protect Yourself and Your Organization

Reboot to Help Out the FBI. Rebooting your router will help the FBI identify the hackers responsible.

Reset Your Router to Factory Defaults. There’s no easy way to check if your router is already infected, but if your model is included in the list above, you shouldn’t take any risks. The easiest (and only) way to fully remove VPNFilter is to do a factory reset. Typically, that involves pressing down the power button for 5-10 seconds, but you may want to double check based for your specific router model.

Change the Admin Password. It's possible that hackers already have your router's admin password, so you'll want to change it, but only after you reboot the router.

Update the Firmware on Your Router – Reach out to the manufacturer of your router and look for updated firmware.  Even if your router isn't on the list of affected routers, it's probably a good idea to update the firmware.

Contact Your IT Service Provider – Fortunately, most business-class routers and network equipment aren't affected, but you can always contact Fulcrum Group to find out more details.