Slashdot Mirror


FBI Tells Router Users To Reboot Now To Kill Malware Infecting 500,000 Devices (arstechnica.com)

The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices. Ars Technica reports: Researchers from Cisco's Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means of delivering stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI's advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves.
The Justice Department and U.S. Department of Homeland Security have also issued statements advising users to reboot their routers as soon as possible.
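As an added defensive example (not code from the article, the FBI or Talos), the following Python scans constructed dnsmasq-style DNS query log lines for attempts to resolve the seized stage-2 delivery domain named above; a device that looks it up after a reboot is behaving the way the summary describes for a stage-1 infection. The log format, the host addresses and the log lines themselves are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# The only VPNFilter indicator this page names: the seized backup domain that
# stage 1 contacts after a reboot to fetch stages 2 and 3 (see summary above).
SEIZED_STAGE_DOMAIN = "toknowall.com"

# dnsmasq-style query lines; the format is an assumption, and the log lines
# below are constructed for this example (192.168.1.1 plays the router itself).
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+) dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] "
    r"(?P<name>\S+) from (?P<src>[\d.]+)$"
)

SAMPLE_LOG = """\
May 25 19:02:11 dnsmasq[812]: query[A] www.example.net from 192.168.1.20
May 25 19:02:14 dnsmasq[812]: query[A] ToKnowAll.com from 192.168.1.1
May 25 19:02:15 dnsmasq[812]: query[A] toknowall.com. from 192.168.1.1
May 25 19:05:40 dnsmasq[812]: query[AAAA] api.example.org from 192.168.1.20
May 25 19:06:02 dnsmasq[812]: query[A] nas.toknowall.com from 192.168.1.7
May 25 19:07:55 dnsmasq[812]: query[A] nottoknowall.com from 192.168.1.30
"""


def normalize(name):
    """Lower-case and strip the trailing dot so 'ToKnowAll.com.' equals 'toknowall.com'."""
    return name.lower().rstrip(".")


def matches_indicator(name, indicator=SEIZED_STAGE_DOMAIN):
    """True for the domain itself or any subdomain; 'nottoknowall.com' must not match."""
    n = normalize(name)
    return n == indicator or n.endswith("." + indicator)


def parse_line(line):
    """Return the fields of one query line, or None for non-query lines (replies, cached, ...)."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def find_beaconing_hosts(log_text, indicator=SEIZED_STAGE_DOMAIN):
    """Map each source address that tried to resolve the indicator to its
    [(timestamp, normalized_name), ...] lookups. Such a device is the one the
    Talos report says should get a factory reset rather than a plain reboot."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_indicator(rec["name"], indicator):
            hits[rec["src"]].append((rec["ts"], normalize(rec["name"])))
    return dict(hits)


if __name__ == "__main__":
    for src, events in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {len(events)} lookup(s) of the seized domain, first at {events[0][0]}")
```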

84 comments

  1. reboot... and reflash with something like cur lede by mtaht · · Score: 4, Interesting

    If only a reboot solved all problems! Can't they also suggest reflashing with something immune to this malware like any of the third party router firmwares? On my bad days, watching over the cyberwarfare, and now that the domain has been seized, I can imagine the FBI P0wning your router, rather than the original authors - because now they have the capability to do so. Reboot and reflash, damn it.

  2. Fools by Anonymous Coward · · Score: 0, Flamebait

    The FBI have taken over the control center, they're going to update the malware to do their bidding by spying on you and attacking other targets. Never reboot your router ever again!

    1. Re:Fools by AHuxley · · Score: 2

      +1 AC. That will be all kept going for months as part of ongoing "investigations".
      To see who logs in and attempts to alter the command and control software side.
      Until then the feds will keep looking at the results in real time.

      --
      Domestic spying is now "Benign Information Gathering"
  3. Re: reboot... and reflash with something like cur by rommy4706 · · Score: 1

    It's great to be capable huh?

  4. Re:reboot... and reflash with something like cur l by CaptainDork · · Score: 1

    Reboot and reflash ...

    I tested this statement on several of my followers who have questioned me regarding this matter.

    You know what the reaction was.

    --
    It little behooves the best of us to comment on the rest of us.
  5. Re:reboot... and reflash with something like cur l by Anonymous Coward · · Score: 0

    Reboot and reflash ...

    I tested this statement on several of my followers who have questioned me regarding this matter.

    You know what the reaction was.

    Thanks for the warning, but I fail to see what sending my nudes to Facebook again will do to prevent router problems.

  6. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    Yeah right, if the idiots with vulnerable routers could get the needed firmware on the router without doing the same backdoor shit the hackers did, it would have been done...

  7. Nice. by bobstreo · · Score: 2

    Now, if they actually listed which router/NAS models and firmware versions were problematic. Or how to diagnose if you were impacted...

    If you have remote management turned on for your router or NAS, you should always expect special surprises.

    1. Re:Nice. by Nutria · · Score: 2

      Mikrotik patched this vulnerability (which is only a problem when remote management is enabled) 14 months ago.

      Also, they continuously update their firmware, and that firmware is trivially easy to update.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Nice. by Anonymous Coward · · Score: 0

      probably all of them, since most likely they all outsource their software to the same place in india. all built on the same code base with a custom admin gui

    3. Re:Nice. by Anonymous Coward · · Score: 5, Informative

      I was thinking the same thing, so I went digging in the old (you know, that musty two-day old) slashdot thread. It wasn't straightforward to find it in there but there was a good comment with it. https://blog.talosintelligence.com/2018/05/VPNFilter.html. You can CTRL + F to "Known Affected Devices" and it has them listed. The original comment for aficionados.

    4. Re:Nice. by bobstreo · · Score: 1

      I was thinking the same thing, so I went digging in the old (you know, that musty two-day old) slashdot thread. It wasn't straightforward to find it in there but there was a good comment with it. https://blog.talosintelligence.com/2018/05/VPNFilter.html. You can CTRL + F to "Known Affected Devices" and it has them listed. The original comment for aficionados.

      Thanks for that. Doing the work OP didn't bother to in the article

    5. Re: Nice. by mapkinase · · Score: 1

      They are saying with high confidence that the list is incomplete

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    6. Re:Nice. by Ol+Olsoc · · Score: 1

      Thanks for that. Doing the work OP didn't bother to in the article

      I know this is Slashdot, and the style is to post based on the headline, but are y'all inconvenienced by making clicky clicky on the link?

      What is posted here is a summary, just like it is supposed to summarize. The routers affected are listed in the link that the summary references.

      Y'all can't be afraid to do the work you're supposed to do.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:Nice. by biswasrivu · · Score: 1

      Nice one indeed. ACMarket AdAway Test Dpc

  8. Meh. by fluffernutter · · Score: 1

    Meh, I've rebooted. what's the harm?

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:Meh. by Darinbob · · Score: 2

      The default firmware probably reboots itself every week anyway.

  9. my router is not on that list, but by FudRucker · · Score: 1

    it gets rebooted often because of frequent power outages caused by squirrels committing suicide on the power transformer out on the power pole or by the frequent thunderstorms blowing through the area this time of year, so my router has been rebooted about 3 or 4 times just this month

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:my router is not on that list, but by antdude · · Score: 1

      No UPS?:P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    2. Re:my router is not on that list, but by Anonymous Coward · · Score: 0

      I'm not slick, but have slick's power issues.

      Power outages from downed trees take hours, and sometimes *days* to resolve. Imagine a 10 km long run of power lines, in the country, with 7 or 8 hours hooked up. Now a storm comes, and knocks down 30 trees onto the lines.

      Some don't down the lines, the steel safety wires help with that, but they do lay against the lines -- grounding things out. Others take down the wires, breaking them -- and even worse, some take down the hydro poles themselves.

      I've had a storm take out power for 8 days here, and storms for just 3 hours. I'd say I lose power for 2-3 day long periods, 4 or 5 times a year. 'A few hours' maybe 10 times a year. And the '8 days' type once a decade.

      And no, burying them isn't an option -- unless you want to pay 1000x as much for power. This isn't the city. The logistics of burying wires through millions of acres of forest, swamp, river, stream, you name it -- it's not like laying wire under city concrete. City concrete is already drained, leveled, etc.

    3. Re:my router is not on that list, but by fibonacci8 · · Score: 5, Funny

      No UPS?:P

      Attaching a UPS to the squirrels is tempting, but I fail to see how it solves the original problem.

      --
      Inheritance is the sincerest form of nepotism.
    4. Re:my router is not on that list, but by antdude · · Score: 1

      LOL! I meant to your electronics.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    5. Re: my router is not on that list, but by jabuzz · · Score: 1

      If it's that rural then use a mole plough. It's not 1000 times more expensive, and much better than long outages.

    6. Re:my router is not on that list, but by Ol+Olsoc · · Score: 1

      Those squirrels died for your computer security! Bless 'em all.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:my router is not on that list, but by Ol+Olsoc · · Score: 1

      Our UPS driver is a little squirrely.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re:my router is not on that list, but by McFortner · · Score: 1

      I got two emails today letting me know that it appears that my Arris NVG510 UVerse Residential Gateway is infected. Since the gateway is locked down and I'm at the mercy of AT&T to push firmware updates all I could do is reboot the RG like they said.

      Otherwise, I have two options: Jack and Sh*t, and Jack left town.


      And PLEASE DON'T SUGGEST to change my ISP. My only other choice is Charter and they are no better.

      --
      Beware of Sales Reps bearing gifts.
  10. My router was being weird by Bite+The+Pillow · · Score: 1

    First time ever, my phone keeps disconnecting from the Wi-Fi this evening. So I yanked the plug to the router and modem, it went back to normal.

    Can't say it's related but I never saw these symptoms before.

    1. Re: My router was being weird by Anonymous Coward · · Score: 2, Funny

      No, that was me. I finally finished downloading all the porn I needed for the weekend.

      Thanks for not changing your password, cupcake.

    2. Re: My router was being weird by CanadianMacFan · · Score: 2

      Great now everyone knows the password and the bandwidth is going to suck.

    3. Re: My router was being weird by Anonymous Coward · · Score: 0

      Then change it.
      hunter2 is not a particularly good password.

    4. Re: My router was being weird by Anonymous Coward · · Score: 0

      That's what you get for making your password CowboyNeal...

  11. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    Wat

  12. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    The Russians, capable of installing Donald TRUMP, are obviously capable of anything and will go to no end to keep decent people like Hillary from being elected.

    I find it *sickening*

    Hopefully terminal cancer will soon come to you and prevent you from spewing your bullshit opinions to the rest of the world.

  13. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    So I see some moron modded up another completely useless comment that had nothing to do with the article and offers nothing in the way of factual evidence.

    This is what Slashdot has become: another middle school. Go post this crap on Reddit and help Slashdot become like it used to be. My 11-year-old daughter shows more maturity.

    -Geekpoet

  14. VPN by jmccue · · Score: 4, Funny

    These days a VPN is pretty much required.

    Now a rant -- Rebooting a router, are you serious? Give me a break. So now all requests are routed through an FBI server? I feel much safer now that I rebooted a stupid router. How about forcing a recall?

    Posted Anonymously for a reason

    1. Re:VPN by jmccue · · Score: 1

      Damn, the box did not take, on wee, who is stupid now :)

    2. Re: VPN by Anonymous Coward · · Score: 1

      Best post ever. Hahahaha

  15. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    Sure thing, Ivan.

  16. Turn everything off by Anonymous Coward · · Score: 0

    Shut down all vectors for intrusion. How about we turn off the Internet for, say, 7 days? Level 3, all the major providers, just switch off as a protest over all this government intrusion, just stop for 7 days.

    1. Re: Turn everything off by Bing+Tsher+E · · Score: 1

      All the people who have never learned how to read a road map would be lost in the cities for days.

    2. Re: Turn everything off by Anonymous Coward · · Score: 0

      My mom passed me her phone to navigate with Google Maps when she was driving.

      I was so fucking lost and desperately wanted a Perly's book instead, but she doesn't buy those anymore.

      When the hell did I get older than my mom?! What's happening to me? WHAT IS HAPPENING

    3. Re: Turn everything off by MerlTurkin · · Score: 1

      Ball bearings. It's always ball bearings.

  17. The detailed Cisco break down by waspleg · · Score: 1

    can be found here. It's linked too off of the Ars Technica but for some reason not in the /. one.

  18. The FBI lies, alot by Anonymous Coward · · Score: 0

    Only meddling was by FBI spies trying to rig the election for Hitlary. Adolf was a leftist too you know, not alt-right or neo-con like the fake news keeps claiming.

  19. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    You know it, Brian.

  20. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    Because the United States never, ever spies on its own citizens. Only Russia would do such a thing.

    Today's captcha is "diapers", maybe that means you should go have yours changed.

  21. Also unknown affected devices by raymorris · · Score: 1

    The listed devices are KNOWN to be affected.
    Others are also affected, but haven't been tested and proven vulnerable. A reboot is probably a good idea for any router - won't hurt anything.

  22. Re:reboot... and reflash with something like cur l by arglebargle_xiv · · Score: 1

    I've been using Draytek gear for years now, it's pricey but also pretty decent. Every time I see one of these sky-is-falling router warnings I have to wonder, is the fact that Draytek never features in them because they're that good, or because no-one bothers checking Drayteks?

  23. Seems Odd by dejitaru · · Score: 2

    User: "Help! My router is infected with vicious malware" Support: "Have you tried turning it off and then on again?"

  24. What a sec... by Anonymous Coward · · Score: 0

    Isn't "rebooting" something you do after you INSTALL something for things to take effect? And, you have a three letter agency telling everyone to do it. Does anyone else see the issue here, or are all of us just so used to W10's methods of updating that we don't realize routers work differently? Don't get me wrong, we've all probably unplugged our router in the past week or two just out of frustration, especially the IT guy at the office. But why the big warning all at once on a Friday? And, on a weekend if the targets are mostly businesses? "We've got some new spy on the public software we want to try but we need everyone to panic and unplug from the Internet to do it effectively and how convenient most people have a handful of providers to pick from for this to actually work" is what it sounds like.

    1. Re:What a sec... by CSMoran · · Score: 1

      Isn't "rebooting" something you do after you INSTALL something for things to take effect?

      Dude, that's some nice post hoc ergo propter hoc you got there.

      --
      Every end has half a stick.
    2. Re:What a sec... by MindPrison · · Score: 1

      >Isn't "rebooting" something you do after you INSTALL something for things to take effect?

      You're right, and if you need a reboot, it's because the device needs to finish the installation of the software, this isn't something that "randomly" made it to your router.

      So you're right to question that action..

      And as someone else in this thread said: Update YOUR FIRMWARE NOW!

      --
      What this world is coming to - is for you and me to decide.
    3. Re:What a sec... by oh_my_080980980 · · Score: 1

      That's a fancy way of saying he's right....moron...

  25. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 1

    I'm not exactly up on all this Russia stuff but this article just screams, "Reboot your routers so our rootkit can finish installing". I doubt it has anything to do with Russia at all.

  26. Update applied, reboot system to apply changes by Excelcia · · Score: 4, Interesting

    The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware

    Translation: We have just installed our backdoor into consumer-grade routers and network-attached storage devices, but to apply the changes the devices need to be rebooted. Since we won't have the ability to reboot them ourselves until after the change is fully applied, we need a convincing reason to ask the whole country to reboot their routers. Russian hackers should suffice.

    1. Re: Update applied, reboot system to apply changes by Anonymous Coward · · Score: 1

      Nice theory. But pretty simple to reboot electronics.

    2. Re: Update applied, reboot system to apply changes by Anonymous Coward · · Score: 0

      This exactly.

    3. Re:Update applied, reboot system to apply changes by Anonymous Coward · · Score: 0

      This is exactly what sprang to mind when I read TFS. Why, apart from severe mental retardation, would anyone trust a single word from the FBI (or any other TLA) at this point?

  27. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    You're an idiot

  28. Quick! by Hylandr · · Score: 1

    Now every body panic immediately and do as we tell you!

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  29. Turn it off... by Anonymous Coward · · Score: 0

    Then back on again. Then turn it off, then on, then off, then on. Well known technique used by the Windows support people and your ISP.

  30. trustworthy by Anonymous Coward · · Score: 0

    See how Americans spread FUD:
    Russian-engineered malware
    hackers working for an advanced nation, possibly Russia
    Daily Beast reported that VPNFilter was indeed developed by a Russian

    yeah, American press is none but trustworthy

  31. Oblig. Admiral Ackbar... by Mister+Transistor · · Score: 1

    ... IT'S A TRAP!!!

    --
    -- You are in a maze of little, twisty passages, all different... --
  32. Re:reboot... and reflash with something like cur l by Anonymous Coward · · Score: 0

    https://www.theregister.co.uk/2018/05/21/draytek_routers_security_vulnerability/

  33. Re:reboot... and reflash with something like cur l by Anonymous Coward · · Score: 0

    I've been running with a Pepwave, and I think it's immune to the current crop of things. Possibly it is legit secure, or possibly it is just a minor enough thing that no one has written the requisite malware yet. Either way these bulletins are never aimed at me.

  34. Re:reboot... and reflash with something like cur l by thegarbz · · Score: 1

    As nice as it sounds the compatibility of third party routers is like Linux on mid 90s era laptops, and that's if your router isn't some integrated modem router combo.

    Personally I've never owned a device compatible with any 3rd party firmware.

  35. sure a botnet.. by Anonymous Coward · · Score: 0

    probably the FBI's own botnet, and with changing laws on privacy in Europe, they now come claim this while it probably has been their own hacktool for years to check out everyone.

    kids always think no one is on to their tactics. lol. The arrogance of thinking they are the smartest even more lol.

  36. Re: reboot... and reflash with something like cur by Archtech · · Score: 1

    Hopefully one day you will learn to recognize irony. Appreciating it may remain beyond you.

    --
    I am sure that there are many other solipsists out there.
  37. Reboot, and trigger update with NSA malware by Anonymous Coward · · Score: 0

    step 2, just like with Wannacry -- you know the malware that Microsoft, or NSA using their keys, digitally signed a finished patch for several months before the name was even in the news -- start sabotaging and blame Russia or China.

  38. OpenWRT is fine by Anonymous Coward · · Score: 0

    I have OpenWRT. I'm immune.

  39. Re:reboot... and reflash with something like cur l by pnutjam · · Score: 1

    I own several and I've used dd-wrt, tomato, and merlin with no problems. Usually, in my experience, the hardware problems are there without the 3rd party firmware. They're just obfuscated so you can't figure out which part works and you just reboot the whole thing.

  40. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    I'm not a fan of trump. Never have been. By decent?!?! What world do you live in?

  41. Netgear Nighthawk X6 R7900 - I think I was Pwnd by Anonymous Coward · · Score: 0

    I bought this only a month or two ago, updated immediately to latest firmware (which is still the latest)... and when I enabled telnet on my device, I see a lot of suspicious crap. Pretty sure the "latest firmware" that I'm updated to is vulnerable to this, so I'm not sure what good a "factory reset" would do.

    I have a writeup of some of the stuff I found here: https://sites.google.com/site/antkowiak/netgear-vpnfilter-r7900

    Not 100% sure if what I found is the result of this exploit... but it looks suspicious as hell to me.

  42. Joke's on them by drinkypoo · · Score: 1

    I already have to reboot my Linksys router all the time because it's so flaky. Guess Cisco is on the job of protecting me after all!

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  43. Welcome to the new red scare by Anonymous Coward · · Score: 0

    what a complete and utter load of bollocks.

  44. Re: reboot... and reflash with something like cu by Anonymous Coward · · Score: 0

    Go fuck yourself, dad!

  45. Something’s missing by Anonymous Coward · · Score: 0

    Router vendors are notoriously lax with security fixes for consumer routers. How about holding their feet to the fire over this, and make them provide at least 3 years of security fixes?

  46. Re: reboot... and reflash with something like cu by Anonymous Coward · · Score: 0

    I already did, dear.

    -Geekpoet

  47. My ISP Is Helping Solve The Problem by careysub · · Score: 1

    Due to service glitches multiple times a week - during which we power cycle the whole chain of devices from cable modem, to router, to switch, to wi-fi just to make sure everything connects correctly again - we are following the FBI's recommendation. Cheers for Spectrum!

    --
    Starships were meant to fly, Hands up and touch the sky - Nicky Minaj
  48. Translation: by Anonymous Coward · · Score: 0

    The FBI wants to see if their newest rootkit can survive a coldboot.

  49. Re: reboot... and reflash with something like cur by Anonymous Coward · · Score: 0

    Decent? That cunt should spend the rest of her days in a deep dark hole for her crimes against humanity.