FBI Suggests Rebooting Routers to Weaken a Global Malware Attack
The FBI has recommended that everyone reboot their internet routers in a bid to disrupt a malware campaign that is spreading globally and infecting home and small office routers in large numbers. The malware, called VPNFilter, first infects routers and then gives the attackers control over the compromised devices and the traffic that passes through them. The campaign has reportedly been linked to Russia as well.
In a report dated May 30, The Washington Post says: “The Federal Bureau of Investigation is asking everyone with a home router to do one small thing: Turn your router off and then back on again. The agency issued a warning on Friday asking home Internet users and small business owners to reboot their routers to ward off a pernicious piece of malware called VPN Filter. The malware infects routers during the first stage of an attack that eventually gives hackers great control over the devices connected to the Internet. The malware has been linked to a group believed to be connected to the Russian military.”
The Cisco Talos Intelligence Group, which has been researching the malware, recently published details about it in a blog post, which says that the researchers have “…observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.”
The research is ongoing; the blog further says: “Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues.”
The Cisco Talos researchers have found that the malware allows attackers to steal website credentials and to monitor Modbus SCADA protocol traffic. The malware can also render an infected device unusable, which could cut off internet access for thousands of people worldwide.
An alert issued by the FBI says: “The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”
The FBI has also issued a press release explaining how the malware works and what needs to be done. The release says: “This VPNFilter malware comes in three stages, and it’s important to understand the difference. The first stage has a persistent presence – meaning that it simply sits there and waits for the command and control server to download new modules…Once the malware downloads the second stage, it can start exploiting the device and doing harm. There are also stage three modules that can make the malware both harder to track and better at stealing critical information.”
The FBI recommends that it’s best for home users as well as businesses to reboot their routers and networked devices. The release points out that this would “…disrupt stages 2 and 3. It is important to note that stage 1 will remain on the device and may call out again to the command and control server to re-load stage 2. By re-booting, though, you are creating a break that will allow the FBI, Internet service providers, and other partner agencies to try to identify and remediate the damage done by this malware.”
The FBI wants users to disable remote management settings on their devices and to set new, strong passwords. Users are asked not to keep default user IDs and passwords, since these give attackers an easy way in. Users have also been asked to enable encryption where possible and to upgrade their devices to the latest available firmware version.