FBI Tells Router Users To Reboot Now To Kill Malware Infecting 500,000 Devices (arstechnica.com)

The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices. Ars Technica reports: Researchers from Cisco's Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI's advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves.
The Justice Department and U.S. Department of Homeland Security have also issued statements advising users to reboot their routers as soon as possible.
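The summary above gives defenders one concrete indicator: after a reboot, a device still carrying stage 1 will try to contact the seized ToKnowAll.com domain. The following is an added example (not part of the Slashdot summary or the Talos report) showing how a home or small-office admin could scan resolver logs for that callback and turn the hits into a list of devices that need the factory reset the report recommends rather than just a reboot. The dnsmasq-style log lines are constructed for the example; the only indicator domain listed is the one named on this page, and the log format, field layout and LAN addresses are assumptions.

```python
import re
from collections import Counter

# Domain named in the article as the stage-1 fallback contact point (seized by the FBI).
# Only the page's indicator is listed; anything else here would be an assumption.
INDICATOR_DOMAINS = {"toknowall.com"}

# dnsmasq-style resolver log lines, constructed for this example (not real captures).
SAMPLE_LOG = """\
May 25 09:12:01 gw dnsmasq[412]: query[A] www.example.org from 192.168.1.20
May 25 09:12:04 gw dnsmasq[412]: query[A] toknowall.com from 192.168.1.1
May 25 09:13:10 gw dnsmasq[412]: query[AAAA] updates.example.net from 192.168.1.31
May 25 09:20:33 gw dnsmasq[412]: query[A] cdn.ToKnowAll.com from 192.168.1.1
May 25 09:21:00 gw dnsmasq[412]: query[A] nas.local from 192.168.1.50
May 25 09:40:07 gw dnsmasq[412]: query[A] toknowall.com from 192.168.1.50
"""

# Assumed dnsmasq "query[TYPE] name from client" record layout.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)


def matches_indicator(name, indicators=INDICATOR_DOMAINS):
    """True if the queried name is an indicator domain or a subdomain of one.
    Case-insensitive, ignores a trailing dot, and does not match look-alike
    names that merely end with the same characters (e.g. nottoknowall.com)."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in indicators)


def find_stage1_callbacks(log_text, indicators=INDICATOR_DOMAINS):
    """Return (timestamp, client, queried name) for every query to an indicator domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query record (e.g. cached/forwarded lines); skip it
        if matches_indicator(m["name"], indicators):
            hits.append((m["ts"], m["client"], m["name"]))
    return hits


def clients_to_inspect(log_text, indicators=INDICATOR_DOMAINS):
    """Count hits per querying client. A LAN address that asks for the stage-1
    domain is a device to factory reset, not merely reboot: per the report,
    stage 1 survives a restart and will repeat the callback afterwards."""
    return Counter(client for _, client, _ in find_stage1_callbacks(log_text, indicators))


if __name__ == "__main__":
    for ts, client, name in find_stage1_callbacks(SAMPLE_LOG):
        print(f"{ts}  {client:<15} -> {name}")
    print(dict(clients_to_inspect(SAMPLE_LOG)))
```

Run it against the resolver log of whatever box serves DNS for the LAN; a hit from the router's own address (here the constructed 192.168.1.1) or from a NAS is the signal the article describes, and a single clean pass of the log says nothing about devices that resolve through another server or that have not rebooted yet.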

12 of 84 comments

  1. reboot... and reflash with something like cur lede by mtaht · · Score: 4, Interesting

    If only a reboot solved all problems! Can't they also suggest reflashing with something immune to this malware like any of the third party router firmwares? On my bad days, watching over the cyberwarfare, and now that the domain has been seized, I can imagine the FBI P0wning your router, rather than the original authors - because now they have the capability to do so. Reboot and reflash, damn it.

  2. Nice. by bobstreo · · Score: 2

    Now, if they actually listed which router/NAS models and firmware versions were problematic. Or how to diagnose if you were impacted...

    If you have remote management turned on for your router or NAS, you should always expect special surprises.

    1. Re:Nice. by Nutria · · Score: 2

      Mikrotik patched this vulnerability (which is only a problem when remote management is enabled) 14 months ago.

      Also, they continuously update their firmware, and that firmware is trivially easy to update.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Nice. by Anonymous Coward · · Score: 5, Informative

      I was thinking the same thing, so I went digging in the old (you know, that musty two-day old) slashdot thread. It wasn't straightforward to find it in there but there was a good comment with it. https://blog.talosintelligence.com/2018/05/VPNFilter.html. You can CTRL + F to "Known Affected Devices" and it has them listed. The original comment for aficionados.

  3. Re: My router was being weird by Anonymous Coward · · Score: 2, Funny

    No, that was me. I finally finished downloading all the porn I needed for the weekend.

    Thanks for not changing your password, cupcake.

  4. Re: My router was being weird by CanadianMacFan · · Score: 2

    Great now everyone knows the password and the bandwidth is going to suck.

  5. Re:Fools by AHuxley · · Score: 2

    +1 AC. That will be all kept going for months as part of ongoing "investigations".
    To see who logs in and attempts to alter the command and control software side.
    Until then the feds will keep looking at the results in real time.

    --
    Domestic spying is now "Benign Information Gathering"
  6. Re:Meh. by Darinbob · · Score: 2

    The default firmware probably reboots itself every week anyway.

  7. VPN by jmccue · · Score: 4, Funny

    These days a VPN is pretty much required.

    Now a rant -- Rebooting a router, are you serious? Give me a break. So now all requests are routed through an FBI server? I feel much safer now that I rebooted a stupid router. How about forcing a recall

    Posted Anonymously for a reason

  8. Seems Odd by dejitaru · · Score: 2

    User: "Help! My router is infected with vicious malware" Support: "Have you tried turning it off and then on again?"

  9. Update applied, reboot system to apply changes by Excelcia · · Score: 4, Interesting

    The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware

    Translation: We have just installed our backdoor into consumer-grade routers and network-attached storage devices, but to apply the changes the devices need to be rebooted. Since we won't have the ability to reboot them ourselves until after the change is fully applied, we need a convincing reason to ask the whole country to reboot their routers. Russian hackers should suffice.

  10. Re:my router is not on that list, but by fibonacci8 · · Score: 5, Funny

    No UPS?:P

    Attaching a UPS to the squirrels is tempting, but I fail to see how it solves the original problem.

    --
    Inheritance is the sincerest form of nepotism.