The US Federal Bureau of Investigation (FBI) has issued an urgent advisory requesting people to reboot their routers to thwart a Russia-linked malware infection that has already compromised half a million devices. Last week, Cisco's Talos threat intelligence team first revealed the existence of the sophisticated malware named VPNFilter that infected over 500,000 devices across at least 54 countries. Devices made by Linksys, MikroTik, NETGEAR, TP-Link and QNAP network-attached storage devices were just some of the affected machines.
The malware itself is capable of collecting information, blocking network traffic or disabling the infected device completely and rendering it unusable. The latter destructive capability can be triggered on individual infected machines or en masse to cut off internet access for hundreds of thousands of victims.
VPNFilter is believed to be the creation of Russian hacking group Sofacy, also known as Fancy Bear, APT28 and Pawn Storm. The group has been previously linked to several cyberattacks including the NotPetya ransomware outbreak, the BlackEnergy attacks targeting Ukraine's power grid and the Democratic National Committee breach during the 2016 US presidential election. According to Talos' analysis, significant similarities were observed between VPNFilter's code and versions of the BlackEnergy malware.
Last week, the FBI seized an internet domain "toknowall.com" believed to be linked to Sofacy's VPNFilter botnet as critical part of the malware's command-and-control infrastructure. The FBI is now asking affected router users across the globe to reset their equipment.
In a public service announcement published Friday, the FBI has recommended owners of small office and home office routers to immediately reboot their devices to "temporarily disrupt the malware and aid the potential identification of infected devices." Users are also advised to change their router's login credentials, monitor Internet traffic, disable remote management settings and update the router to the latest available version of firmware.
The US Department of Justice further noted that rebooting affected or vulnerable devices will "temporarily eliminate the second stage malware and cause the first stage malware on their device to call out for instructions. Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure."
It is still unclear how the devices are initially infected. However, researchers suspect known vulnerabilities and default passwords that have yet to be patched or changed by users were likely to blame. Symantec has published a list of affected routers and network-attached storage devices:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Users can also perform a factory reset to permanently remote all traces of the malware, including stage 1. This can usually be done by pressing and holding a small reset switch on the back of the device for five seconds. However, this reset will remove any configuration settings or credentials stored on the device that will need to be restored by the user.
"VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend," Talos researchers noted. "The destructive capability particularly concerns us. This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware.
"If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes."