FBI Tells Router Users To Reboot Now To Kill Malware Infecting 500,000 Devices (arstechnica.com)

← Back to Stories (view on slashdot.org)

FBI Tells Router Users To Reboot Now To Kill Malware Infecting 500,000 Devices (arstechnica.com)

Posted by BeauHD on Friday May 25, 2018 @11:20AM from the last-piece-of-the-puzzle dept.

The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands devices. Ars Technica reports: Researchers from Cisco's Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI's advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves. The Justice Department and U.S. Department of Homeland Security have also issued statements advising users to reboot their routers as soon as possible.

46 of 84 comments (clear)

Min score:

Reason:

Sort:

reboot... and reflash with something like cur lede by mtaht · 2018-05-25 11:27 · Score: 4, Interesting

If only a reboot solved all problems! Can't they also suggest reflashing with something immune to this malware like any of the third party router firmwares? On my bad days, watching over the cyberwarfare, and now that the domain has been seized, I can imagine the FBI P0wning your router, rather than the original authors - because now they have the capability to do so. Reboot and reflash., damn it.
Re: reboot... and reflash with something like cur by rommy4706 · 2018-05-25 11:32 · Score: 1

It's great to be capable huh?
Re:reboot... and reflash with something like cur l by CaptainDork · 2018-05-25 11:37 · Score: 1

Reboot and reflash ...
I tested this statement on several of my followers who have questioned me regarding this matter.
You know what the reaction was.

--
It little behooves the best of us to comment on the rest of us.
Nice. by bobstreo · 2018-05-25 11:55 · Score: 2

Now, if they actually listed which router/NAS models and firmware versions were problematic. Or how to diagnose if you were impacted...
If you have remote management turned on for your router or NAS, you should always expect special surprises.
1. Re:Nice. by Nutria · 2018-05-25 12:02 · Score: 2
  
  Mikrotik patched this vulnerability (which is only a problem when remote management is enabled) 14 months ago.
  Also, they continuously update their firmware, and that firmware is trivially easy to update.
  
  --
  "I don't know, therefore Aliens" Wafflebox1
2. Re:Nice. by Anonymous Coward · 2018-05-25 12:40 · Score: 5, Informative
  
  I was thinking the same thing, so I went digging in the old (you know, that musty two-day old) slashdot thread. It wasn't straightforward to find it in there but there was a good comment with it. https://blog.talosintelligence.com/2018/05/VPNFilter.html. You can CTRL + F to "Known Affected Devices" and it has them listed. The original comment for aficionados.
3. Re:Nice. by bobstreo · 2018-05-25 13:06 · Score: 1
  
  I was thinking the same thing, so I went digging in the old (you know, that musty two-day old) slashdot thread. It wasn't straightforward to find it in there but there was a good comment with it. https://blog.talosintelligence.com/2018/05/VPNFilter.html. You can CTRL + F to "Known Affected Devices" and it has them listed. The original comment for aficionados.
  Thanks for that. Doing the work OP didn't bother to in the article
4. Re: Nice. by mapkinase · 2018-05-25 21:13 · Score: 1
  
  They are saying with high confidence that the list is incomplete
  
  --
  I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
5. Re:Nice. by Ol+Olsoc · 2018-05-25 23:17 · Score: 1
  
  Thanks for that. Doing the work OP didn't bother to in the article
  I know this is Slashdot, and the style is to post based on the headline, but are y'all inconvenienced by making clicky clicky on the link?
  What is posted here is a summary, just like it is supposed to summarize. The routers affected are listed in the link that the summary references.
  Y'all can't be afraid to do the work you're supposed to do.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
6. Re:Nice. by biswasrivu · 2018-05-31 05:47 · Score: 1
  
  Nice one indeed. ACMarket AdAway Test Dpc
Meh. by fluffernutter · 2018-05-25 11:59 · Score: 1

Meh, I've rebooted. what's the harm?

--
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
1. Re:Meh. by Darinbob · 2018-05-25 12:48 · Score: 2
  
  The default firmware probably reboots itself every week anyway.
my router is not on that list, but by FudRucker · 2018-05-25 12:06 · Score: 1

it gets rebooted often because of frequent power outages caused by squirrels committing suicide on the power transformer out on the power pole or by the frequent thunderstorms blowing through the area this time of year, so my router has been rebooted about 3 or 4 times just this month

--
Politics is Treachery, Religion is Brainwashing
1. Re:my router is not on that list, but by antdude · 2018-05-25 13:36 · Score: 1
  
  No UPS?:P
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
2. Re:my router is not on that list, but by fibonacci8 · 2018-05-25 19:04 · Score: 5, Funny
  
  No UPS?:P
  Attaching a UPS to the squirrels is tempting, but I fail to see how it solves the original problem.
  
  --
  Inheritance is the sincerest form of nepotism.
3. Re:my router is not on that list, but by antdude · 2018-05-25 19:22 · Score: 1
  
  LOL! I meant to your electronics.
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
4. Re: my router is not on that list, but by jabuzz · 2018-05-25 21:55 · Score: 1
  
  If its thqt rural then use a mole plough. Its not 1000 times more expensive, and much better tha long outages.
5. Re:my router is not on that list, but by Ol+Olsoc · 2018-05-25 23:18 · Score: 1
  
  Those squirrels died for your computer security! Bless 'em all.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
6. Re:my router is not on that list, but by Ol+Olsoc · 2018-05-25 23:19 · Score: 1
  
  Our UPS driver is a little squirrely.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
7. Re:my router is not on that list, but by McFortner · 2018-05-29 11:40 · Score: 1
  
  I got two emails today letting me know that it appears that my Arris NVG510 UVerse Residential Gateway is infected. Since the gateway is locked down and I'm at the mercy of AT&T to push firmware updates all I could do is reboot the RG like they said.
  
  Otherwise, I have two options: Jack and Sh*t, and Jack left town.
  
  And PLEASE DON'T SUGGEST to change my ISP. My only other choice is Charter and they are no better.
  
  --
  Beware of Sales Reps bearing gifts.
My router was being weird by Bite+The+Pillow · 2018-05-25 12:07 · Score: 1

First time ever, my phone keeps disconnecting from the Wi-Fi this evening. So I yanked the plug to the router and modem, it went back to normal.
Can't say its related but I never saw these symptoms before.
1. Re: My router was being weird by Anonymous Coward · 2018-05-25 12:12 · Score: 2, Funny
  
  No, that was me. I finally finished downloading all the porn I needed for the weekend.
  Thanks for not changing your password, cupcake.
2. Re: My router was being weird by CanadianMacFan · 2018-05-25 12:38 · Score: 2
  
  Great now everyone knows the password and the bandwidth is going to suck.
Re:Fools by AHuxley · 2018-05-25 12:43 · Score: 2

+1 AC. That will be all kept going for months as part of ongoing "investigations".
To see who logs in and attempts to alter the command and control software side.
Until then the feds will keep looking at the results in real time.

--
Domestic spying is now "Benign Information Gathering"
VPN by jmccue · 2018-05-25 12:59 · Score: 4, Funny

These days a VPN is pretty much required.
Now a rant -- Rebooting a router, are you serious ? Give me a break. So now all requests are routed through a FBI server ? I feel much safer now that I rebooted a stupid router. How about forcing a recall
Posted Anonymously for a reason
1. Re:VPN by jmccue · 2018-05-25 13:00 · Score: 1
  
  Damn, the box did not take, on wee, who is stupid now :)
2. Re: VPN by Anonymous Coward · 2018-05-25 13:20 · Score: 1
  
  Best post ever. Hahahaha
The detailed Cisco break down by waspleg · 2018-05-25 14:19 · Score: 1

can be found here. It's linked too off of the Ars Technica but for some reason not in the /. one.
Re: Turn everything off by Bing+Tsher+E · 2018-05-25 14:41 · Score: 1

All the people who have never learned how to read a road map would be lost in the cities for days.
Also unknown affected devices by raymorris · 2018-05-25 15:25 · Score: 1

The listed devices are KNOWN to be affected.
Others are also affected, but haven't been tested and proven vulnerable. A reboot is probably a good idea for any router - won't hurt anything.
Re:reboot... and reflash with something like cur l by arglebargle_xiv · 2018-05-25 15:32 · Score: 1

I've been using Draytek gear for years now, its pricey but also pretty decent. Every time I see one of these sky-is-falling router warnings I have to wonder, is the fact that Draytek never feature in them because they're that good, or because no-one bothers checking Drayteks?
Seems Odd by dejitaru · 2018-05-25 15:49 · Score: 2

User: "Help! My router is infected with vicious malware" Support: "Have you tried turning it off and then on again?"
Re: reboot... and reflash with something like cur by Anonymous Coward · 2018-05-25 16:27 · Score: 1

I'm not exactly up on all this Russia stuff but this article just screams, "Reboot your routers so our rootkit can finish installing". I doubt it has anything to do with Russia at all.
Update applied, reboot system to apply changes by Excelcia · 2018-05-25 16:52 · Score: 4, Interesting

The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware
Translation: We have just installed our backdoor into consumer-grade routers and network-attached storage devices, but to apply the changes the devices need to be rebooted. Since we won't have the ability to reboot them ourselves until after the change is fully applied, we need a convincing reason to ask the whole country to reboot their routers. Russian hackers should suffice.
1. Re: Update applied, reboot system to apply changes by Anonymous Coward · 2018-05-25 20:42 · Score: 1
  
  Nice theory. But pretty simple to reboot electronics.
Quick! by Hylandr · 2018-05-25 17:28 · Score: 1

Now every body panic immediately and do as we tell you!

--
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Oblig. Admiral Ackbar... by Mister+Transistor · 2018-05-25 18:58 · Score: 1

... IT'S A TRAP!!!

--
-- You are in a maze of little, twisty passages, all different... --
Re:reboot... and reflash with something like cur l by thegarbz · 2018-05-25 20:29 · Score: 1

As nice as it sounds the compatibility of third party routers is like Linux on mid 90s era laptops, and that's if your router isn't some integrated modem router combo.
Personally I've never owned a device compatible with any 3rd party firmware.
Re:What a sec... by CSMoran · 2018-05-25 21:22 · Score: 1

Isn't "rebooting" something you do after you INSTALL something for things to take effect?
Dude, that's some nice post hoc ergo propter hoc you got there.

--
Every end has half a stick.
Re: reboot... and reflash with something like cur by Archtech · 2018-05-26 00:13 · Score: 1

Hopefully one day you will learn to recognize irony. Appreciating it may remain beyond you.

--
I am sure that there are many other solipsists out there.
Re:What a sec... by MindPrison · 2018-05-26 00:51 · Score: 1

>Isn't "rebooting" something you do after you INSTALL something for things to take effect?
You're right, and if you need a reboot, it's because the device needs to finish the installation of the software, this isn't something that "randomly" made it to your router.
So you're right to question that action..
And as someone else in this thread said: Update YOUR FIRMWARE NOW!

--
What this world is coming to - is for you and me to decide.
Re:reboot... and reflash with something like cur l by pnutjam · 2018-05-26 01:15 · Score: 1

I own several and I've used dd-wrt, tomato, and merlin with no problems. Usually, in my experience, the hardware problems are there without the 3rd party firmware. They're just obfuscated so you can't figure out which part works and you just reboot the whole thing.

--
Cheap storage VM.
Joke's on them by drinkypoo · 2018-05-26 03:21 · Score: 1

I already have to reboot my Linksys router all the time because it's so flaky. Guess Cisco is on the job of protecting me after all!

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re: Turn everything off by MerlTurkin · 2018-05-26 03:51 · Score: 1

Ball bearings. It's always ball bearings.
My ISP Is Helping Solve The Problem by careysub · 2018-05-26 08:55 · Score: 1

Due service glitches multiple times a week - during which we power cycle the whole chain of devices from cable modem, to router, to switch, to wi-fi just to make sure everything connects correctly again - we are following the FBI's recommendation. Cheers for Spectrum!

--
Starships were meant to fly, Hands up and touch the sky - Nicky Minaj
Re:What a sec... by oh_my_080980980 · 2018-06-01 12:28 · Score: 1

That's a fancy way of saying he's right....moron...