VPNFilter: FBI advises everyone to restart their routers to eliminate part of the malware
Restarting the router and changing the default passwords are the main recommendations of the US authorities for containing VPNFilter, the malware that has hit 500 thousand network devices worldwide.
The FBI is advising users to reboot their routers and NAS devices to blunt the Russian malware that has already infected hundreds of thousands of devices. The spread of the malware, known as VPNFilter, was revealed by Cisco's security team in a public report stating that 500 thousand devices made by Linksys, Mikrotik, Netgear, QNAP and TP-Link were vulnerable to the new exploit.
VPNFilter allows attackers to collect data, launch attacks and even permanently destroy compromised devices with a single command. We have covered it extensively here.
According to the initial report, the malware was developed by hackers in collaboration with a government agency of an advanced nation, perhaps Russia; the document advises users to perform a factory reset or at least to restart their routers.
Later, more details of the malicious software emerged, with the Daily Beast reporting that the malware was developed by a group of Russian hackers known as Sofacy, Fancy Bear, APT28 or Pawn Storm.
The article reported that the FBI had seized an internet domain that VPNFilter used as a fallback to deliver additional malware stages to devices already infected through the first-stage exploit. As a result, stages 2 and 3 of the malware, which do not survive a reboot, have been rendered ineffective, unlike stage 1, which persists across reboots.
Once the device is restarted, stage 1 tries to contact a remote address that is no longer available, and the attack has no effect. The FBI's advice is unequivocal and is not aimed only at users of the vulnerable routers: "The FBI recommends all owners of consumer routers for homes or small offices to reboot their devices to temporarily eliminate malware and help in the potential identification of infected devices. We recommend that you disable remote management settings on your devices and use secure and vulnerable passwords by activating encryption modes," said the US authority.
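One way a defender can act on that observation, as an added example that is not from the article, the FBI or Cisco: after a reboot, a device whose stage 1 is still present will try to resolve the seized stage-2 domain again, so repeated lookups of that domain in a local resolver log single out the devices that still need a factory reset and a firmware reflash. The script below parses dnsmasq-style query lines constructed for this example; the placeholder domain name, the sample log lines, the assumption that a LAN resolver (for instance a dnsmasq or Pi-hole box) sees the router's own lookups, and the query threshold are all assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Placeholder: the article does not name the seized domain, so this value is an assumption.
SEIZED_DOMAIN = "seized-stage2-domain.example"

# dnsmasq-style query line; the format and the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"dnsmasq\[\d+\]:\squery\[(?P<qtype>[A-Z]+)\]\s"
    r"(?P<name>\S+)\sfrom\s(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Parse one query log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "qtype": m["qtype"],
        # normalise case and a trailing dot so "Foo.Example." equals "foo.example"
        "name": m["name"].lower().rstrip("."),
        "src": m["src"],
    }


def matches_domain(name, watch_domain):
    """True if name is watch_domain itself or any subdomain of it (not a mere suffix match)."""
    return name == watch_domain or name.endswith("." + watch_domain)


def find_beaconing_hosts(lines, watch_domain=SEIZED_DOMAIN, min_queries=2):
    """Return {source_ip: query_count} for hosts that resolved watch_domain at least
    min_queries times. Repeated lookups of a sinkholed stage-2 domain after a reboot
    are what a still-present stage 1 looks like from the LAN side."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not matches_domain(rec["name"], watch_domain):
            continue
        counts[rec["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_queries}


# Constructed sample log: 192.168.1.1 (the router) keeps retrying the seized domain
# after a reboot; 192.168.1.20 is ordinary browsing; one line is malformed; the
# 192.168.1.30 lookup is a lookalike name that must NOT count as a match.
SAMPLE_LOG = [
    "May 29 08:00:01 dnsmasq[412]: query[A] seized-stage2-domain.example from 192.168.1.1",
    "May 29 08:00:03 dnsmasq[412]: query[A] www.example.com from 192.168.1.20",
    "this line is not a query record",
    "May 29 08:05:01 dnsmasq[412]: query[A] Seized-Stage2-Domain.example. from 192.168.1.1",
    "May 29 08:10:01 dnsmasq[412]: query[A] update.seized-stage2-domain.example from 192.168.1.1",
    "May 29 08:11:00 dnsmasq[412]: query[AAAA] notseized-stage2-domain.example from 192.168.1.30",
]

if __name__ == "__main__":
    for ip, n in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {n} lookups of {SEIZED_DOMAIN}; reboot is not enough, factory reset and reflash")
```

On the sample above only the router's address is reported, with three lookups; the lookalike domain and the malformed line are ignored. The threshold of two queries is a judgement call: a single lookup can come from a scanner or a cached entry, whereas a device that resolves the same dead domain again and again after a restart is behaving exactly as the persistent stage 1 described in the article.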
In addition, the FBI also recommends updating the firmware to the latest available version. The fear is that the malware can spread to routers beyond those named in the first reports, also because to date it is not known how the compromised devices originally received the malware. Exploitation of known vulnerabilities is suspected, and devices with default passwords that users never changed have been affected.
There are currently 14 models involved (Linksys E1200, Linksys E2500, Linksys WRVS4400N, Mikrotik RouterOS, versions 1016, 1036, and 1072, Netgear DGN2200, Netgear R6400, Netgear R7000, Netgear R8000, Netgear WNR1000, Netgear WNR2000, QNAP TS251, QNAP TS439 Pro, QNAP NAS devices running the QTS software, TP-Link R600VPN), but there is concern that the malware may spread to other network devices as well.
The FBI's recommendations are the easiest to carry out in these cases: rebooting the router, updating the firmware, changing the default password and disabling remote management are operations that can be completed in 15 minutes and by (almost) everyone.
They do not solve the problem at its root, as we pointed out in our previous analysis: Cisco had noted that a restart does not permanently remove the malware, since stage 1 stays active. To eliminate it, a factory reset is necessary, which permanently removes the malware and, of course, also all the settings saved by the user.