The FBI is recommending that businesses and home users restart their routers as soon as possible. The advice is based on a Cisco report that 500,000 infected devices could be destroyed with a single command.
Information security experts commented that the malware, called VPNFilter, was developed by the Russian hacking group Sofacy, also known as Fancy Bear and APT28. The FBI confirmed the information when it obtained a court order last week to seize a domain used to control the infected routers.
Cisco Talos Intelligence revealed in a report that 500,000 routers made by Linksys, MikroTik, Netgear and TP-Link had been infected with VPNFilter.
This malware collects traffic sent through infected routers, such as website credentials. Its most worrying capability, however, is that it allows malicious actors to erase part of the firmware of an infected device, rendering it unusable.
According to information security professionals, the attackers could selectively destroy a single device or all infected devices at the same time.
In a report last week, Cisco, after observing an increase in infections in Ukraine, accused Russia of planning an attack to coincide with the Champions League final on Saturday in Kiev.
Ukraine similarly blamed Russia for last year's NotPetya attacks, which affected organizations in Ukraine and spread within multinational corporations with offices in the country.
Users with infected routers can remove Stage 2 and Stage 3 of VPNFilter by rebooting the device, information security experts said. They also noted that Stage 1 of VPNFilter persists across a reboot, allowing attackers to reinfect the compromised routers.
On Wednesday the FBI seized the web address toknowall.com, which could have been used to reinstall the Stage 2 and Stage 3 malware; all traffic to this address is now directed to a server under the control of the FBI.
Nevertheless, the FBI is recommending that all router owners restart their devices, even those not manufactured by the affected vendors. This will help neutralize the threat and identify infected devices.
“The FBI recommends that any router owner restart the devices to temporarily disrupt the malware and assist in the possible identification of infected devices,” the FBI said in a public announcement.
“Owners are advised to consider deactivating remote management settings on devices and security with strong passwords and encryption when they are enabled. The network devices should be updated to the latest available firmware versions,” the statement said.
Information security experts said the FBI-controlled server with which infected devices now communicate will collect the IP addresses of those devices.
The addresses are shared with a non-profit cybersecurity group, which distributes them to foreign CERTs and ISPs.
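As an added example (not code from the article, the FBI or Cisco): a defender-side triage of DNS resolver logs for lookups of the seized domain toknowall.com, mirroring the sinkhole-style collection of infected-device addresses described above. The log line format and the sample entries are constructed assumptions.

```python
"""Triage DNS resolver logs for clients resolving the seized VPNFilter C2
domain toknowall.com. Log format and sample lines are constructed."""
import re

# Domain named in the article; matched on a label boundary so that
# "update.toknowall.com" matches but "nottoknowall.com" does not.
SEIZED_DOMAINS = {"toknowall.com"}

# Assumed log format: "<ISO timestamp> client=<ip> query=<qname> type=<rrtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<ip>[\d.]+)\s+query=(?P<qname>\S+)\s+type=(?P<type>\w+)$"
)

def normalize(qname: str) -> str:
    """Lower-case and strip a trailing dot so 'ToKnowAll.Com.' matches."""
    return qname.rstrip(".").lower()

def is_seized(qname: str) -> bool:
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in SEIZED_DOMAINS)

def triage(lines):
    """Map each client IP that resolved a seized domain to its hit count,
    first/last seen timestamps and the names it looked up."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not is_seized(m["qname"]):
            continue  # malformed line or unrelated query
        rec = hits.setdefault(m["ip"], {"count": 0, "first_seen": m["ts"],
                                        "last_seen": m["ts"], "names": set()})
        rec["count"] += 1
        rec["names"].add(normalize(m["qname"]))
        # ISO-8601 timestamps sort lexicographically, so min/max work on strings
        rec["first_seen"] = min(rec["first_seen"], m["ts"])
        rec["last_seen"] = max(rec["last_seen"], m["ts"])
    return hits

# Constructed sample: two infected clients, one benign lookup, one near-miss.
SAMPLE_LOG = """\
2018-05-24T10:00:01 client=203.0.113.7 query=ToKnowAll.Com. type=A
2018-05-24T10:00:05 client=198.51.100.22 query=example.org type=A
2018-05-24T10:05:30 client=203.0.113.7 query=toknowall.com type=A
2018-05-24T10:06:00 client=192.0.2.9 query=nottoknowall.com type=A
2018-05-24T11:00:00 client=198.51.100.22 query=update.toknowall.com type=A
"""

if __name__ == "__main__":
    for ip, rec in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(ip, rec["count"], rec["first_seen"], rec["last_seen"], sorted(rec["names"]))
```

The resulting per-client records are what a sinkhole operator would hand to the owning ISP or CERT for notification.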
It is not yet known how the attackers initially infected the routers, but Symantec noted in a report on VPNFilter that many of them have critical vulnerabilities.
“For the most part, the identified devices use predetermined credentials and/or have exploits, particularly for earlier versions. There is currently no indication that the exploitation of zero-day vulnerabilities is involved in the spread of the threat,” the researchers wrote. Known infected devices include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- MikroTik RouterOS for Cloud Core routers: versions 1016, 1036 and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running the QTS software
- TP-Link R600VPN