The FBI, DHS and DoJ advised rebooting your router to clear it of the advanced stages of the Russian-linked malware VPNFilter. The malware infecting SOHO routers and NAS devices is linked to the Russian military-backed hackers Sofacy Group, aka Fancy Bear and APT 28.

Credit: Natasaadzic / Getty Images

If you have a home or small office router, the FBI suggests you immediately reboot it to counter the Russian-linked malware VPNFilter.

It doesn’t take long to simply turn your router off and then back on, and the payoff is worth it, considering it’s within your power to counter Fancy Bear-linked malware that is capable of everything from stealing information to rendering the router inoperable.

The malware, which has so far infected at least 500,000 small office and home office routers in 54 countries, has been dubbed VPNFilter. It’s linked to the Sofacy Group, aka Fancy Bear and APT 28, a sophisticated cyber-espionage hacking group backed by the Russian military intelligence agency.

VPNFilter, according to a trio of three-letter agencies — the FBI, DHS and DoJ — has infected not only hundreds of thousands of SOHO routers, but also network-attached storage (NAS) devices. On Wednesday, May 23, Cisco Talos warned that the estimated number of infected devices was “at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.”

Talos security researchers added, “The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”

Although Talos said Cisco devices have not been observed to be vulnerable, the FBI recommended rebooting all SOHO routers.

The bureau called the size and scope of the VPNFilter infrastructure “significant,” yet the initial infection vector is “unknown.” The FBI advised:

The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

Additionally, the FBI suggested “disabling remote management settings on devices and secure with strong passwords and encryption when enabled.”

Homeland Security’s ICS-CERT issued an alert that stated:

DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware.

Network device management interfaces — such as Telnet, SSH, Winbox, and HTTP — should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.

Identifying infected devices

Rebooting a router clears VPNFilter stages 2 and 3, but the persistent stage 1 survives the reboot. In other words, even after clearing the router by rebooting it, it is “difficult to prevent reinfection” of devices that still carry the first stage of VPNFilter. That’s where the Department of Justice announcement comes into play.

The FBI seized the domain toknowall.com, which is considered to be a critical part of Fancy Bear’s VPNFilter command-and-control infrastructure, “in order to identify infected devices and facilitate their remediation.” The Justice Department explained:

This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).

Writing on the Daily Beast, Kevin Poulsen first reported the tie between VPNFilter and the Russian hacking group Fancy Bear. Vikram Thakur, technical director at Symantec, told Poulsen that the FBI will not be able to access a victim’s browser history or other content.

Devices vulnerable to VPNFilter

Symantec published a list of devices that are known to be vulnerable to VPNFilter:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

As noted previously, the three government agencies are not limiting potentially vulnerable devices to any list. So, reboot routers, disable remote management, make sure firmware is updated, and change default passwords.
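The sinkhole described under “Identifying infected devices” means that any stage-1 reinfection attempt shows up as a DNS lookup of toknowall.com. A defender who keeps resolver logs can look for that lookup directly rather than wait for a Shadowserver notification. The following is an added example, not code from the article, the FBI or Symantec: it scans dnsmasq-style query log lines for clients that resolved the seized domain (or any subdomain of it) and groups the hits per client. The log lines are constructed for illustration, and the watchlist is assumed to contain only the one domain the article names.

```python
import re
from collections import defaultdict

# The only indicator the article provides: the seized VPNFilter stage-1 C2 domain.
# Any lookup of it (or a subdomain) from a device on the network is worth a look.
WATCHLIST = {"toknowall.com"}

# dnsmasq "log-queries" line shape (assumed), e.g.
#   May 24 10:15:01 gw dnsmasq[1234]: query[A] toknowall.com from 192.168.1.20
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)


def is_watched(qname: str, watchlist=WATCHLIST) -> bool:
    """True if qname equals a watched domain or is a subdomain of one.

    The trailing-dot and case handling avoid both missing 'TOKNOWALL.COM.' and
    false-matching look-alikes such as 'nottoknowall.com'.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in watchlist)


def find_beacons(lines, watchlist=WATCHLIST):
    """Return {client_ip: [(timestamp, qname), ...]} for queries of watched domains."""
    hits = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # reply/cached/forwarded lines and noise are skipped
        if is_watched(m["qname"], watchlist):
            hits[m["client"]].append((m["ts"], m["qname"]))
    return dict(hits)


# Constructed sample log (not real traffic). 192.168.1.20 stands in for a
# device that still carries stage 1 and is trying to fetch stage 2 again.
SAMPLE_LOG = """\
May 24 10:15:01 gw dnsmasq[1234]: query[A] toknowall.com from 192.168.1.20
May 24 10:15:01 gw dnsmasq[1234]: reply toknowall.com is 203.0.113.5
May 24 10:15:03 gw dnsmasq[1234]: query[A] www.example.com from 192.168.1.31
May 24 10:16:12 gw dnsmasq[1234]: query[AAAA] toknowall.com from 192.168.1.20
May 24 10:17:40 gw dnsmasq[1234]: query[A] nottoknowall.com from 192.168.1.31
"""

if __name__ == "__main__":
    for client, events in sorted(find_beacons(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {len(events)} lookup(s) of a VPNFilter C2 domain")
        for ts, qname in events:
            print(f"  {ts}  {qname}")
```

Because the sinkhole makes the domain resolve normally, the query itself is the signal; a matching client should be power-cycled and its firmware updated per the advice above, and a hit from a NAS or router that has already been rebooted points to a surviving stage 1. One caveat: an infected router usually resolves names for itself upstream, so its own lookups only appear in these logs if they pass through a resolver that records them; a NAS or other LAN device using the logging resolver will show up as in the sample.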