The US Federal Bureau of Investigation (FBI) has issued a warning today urging router users to restart their devices. Friday's warning comes after Cisco's Talos security team disclosed malware earlier this week that has been used to infect hundreds of thousands of routers allegedly by Russia. The Kremlin has denied having any part in this campaign.
Cisco revealed this week that the malware known as VPNFilter has infected over half a million devices by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. The potent malware allows attackers to launch attacks on others, permanently brick devices, and possibly spy on communications. Other reports also suggested that the notorious Russian hacking group known as Fancy Bear, APT28, and Sofacy was behind this malware.
FBI seized the domain cutting off malicious communications
After Cisco's report, the FBI seized the command and control servers that the criminals had to use to send instructions to their botnet of routers. It was believed that the target was Ukraine with the country's Secret Service expecting the attack to happen on Saturday when Kiev is hosting the UEFA Champions League soccer final.
Since the devices were being infected all over the world, the FBI obtained court orders to take control of toknowall.com, used to deliver later stages of the malware to devices that were already infected.
While this takeover cut off communications, the routers still remain infected. Today's warning issued by the FBI is aimed at cleaning up those routers from the damning malware.
Factory reset would help you get rid of VPNFilter
In a public service announcement, the law enforcement agency has urged everyone to restart their routers. "The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices," the agency wrote.
Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.
The agency said that the initial infection vector for this malware is still unknown. It is unclear how exactly these routers were infected but it's highly likely that known vulnerabilities and default passwords were exploited. The agency has advised everyone to restart their routers to "temporarily disrupt the malware and aid the potential identification of infected devices."
The US Department of Homeland Security also issued a statement advising "all SOHO router owners" to reboot. So far 14 models are known to be infected by VPNFilter. However, considering so many things are still unknown, the FBI and security experts are urging everyone to reboot their routers. Those 14 models that are known to be infected, include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- QNAP NAS devices running QTS software
- TP-Link R600VPN
Users are encouraged to reboot and then change their default passwords. While rebooting doesn't "kill" VPNFilter, it renders later stages of this malware useless. The agency has also advised users to consider disabling remote management settings and use stronger passwords. Cisco in its earlier advisory had recommended users to perform a factory reset (use a paper clip to hold down the button on the back of the device) that will restore all settings and remove VPNFilter. Password change is, again, one highly important step.
