More than 500,000 routers in over 50 countries have been infected with malware that originated from Russian sources, says the FBI.

VPNFilter

The malware has infected home and small business routers made by Linksys, Netgear, QNAP, TP-Link and Mikrotik.

The malware has been linked to Russian government hacktivists, and Reuters has suggested Ukraine was the likely target of the attack.

How it works

Cisco, who found the malware, said that “The VPNFilter malware is a multistage, modular platform with versatile capabilities to support both intelligence collection and destructive cyber attack operations.”

Essentially, the malware has the capability to record any information that passes through the router. It also contains code to destroy the router on command, presumably to prevent the malware from being found.

Once a device is infected, the malware downloads additional code into memory to perform the packet recording. If this download fails, the malware awaits individual commands from the control server.

Recommended action

Cisco initially suggested performing a factory reset on the devices to erase the malware and return to a clean operating system. The FBI has since updated this advice to simply reboot the devices. A reboot clears the temporary second-stage code out of RAM but leaves the initial malware in place; that initial stage will then attempt to re-download the additional components from servers now under the control of the FBI. When this fails, the malware will simply listen for commands from the C&C servers.

“Owners of SOHO and NAS devices that may be infected should reboot their devices as soon as possible, temporarily eliminating the second-stage malware and causing the first-stage malware on their device to call out for instructions. Although devices will remain vulnerable to reinfection with the second-stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.”

The US Justice Department statement.
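The behaviour described above gives a defender something concrete to watch for: after a reboot, the persistent first stage has to call out from the router itself to fetch its second stage or ask for commands. The script below is an added example, not code from the article, Cisco or the FBI. It assumes a netfilter-style egress log captured at the perimeter, a router LAN address of 192.168.1.1, a small allowlist of hosts the router is expected to contact (NTP, vendor updates), and placeholder indicator addresses that stand in for a real IoC feed; none of the addresses are real VPNFilter indicators.

```python
"""Flag a router's own outbound connections in an egress log.

Added example (not from the article). The idea: the router's management
address should rarely initiate connections to the Internet, so any such
traffic that hits a known-bad indicator, or is not on a short allowlist,
deserves a look, especially in the minutes after a reboot.
"""
import re
from collections import Counter

# Constructed sample log in netfilter/iptables LOG-target style. The
# router LAN address 192.168.1.1 and every destination are invented.
SAMPLE_LOG = """\
May 25 08:01:12 gw kernel: OUT=eth0 SRC=192.168.1.1 DST=198.51.100.23 PROTO=TCP SPT=44122 DPT=443
May 25 08:01:13 gw kernel: OUT=eth0 SRC=192.168.1.57 DST=203.0.113.80 PROTO=TCP SPT=50112 DPT=443
May 25 08:01:20 gw kernel: OUT=eth0 SRC=192.168.1.1 DST=198.51.100.23 PROTO=TCP SPT=44123 DPT=443
May 25 08:01:45 gw kernel: OUT=eth0 SRC=192.168.1.1 DST=192.0.2.10 PROTO=UDP SPT=123 DPT=123
May 25 08:02:05 gw kernel: OUT=eth0 SRC=192.168.1.1 DST=203.0.113.200 PROTO=TCP SPT=44124 DPT=8080
"""

# Placeholder indicators: a stand-in for a real IoC feed, NOT actual C2.
PLACEHOLDER_C2 = {"198.51.100.23"}

# Destinations the router itself is expected to contact (assumed: an NTP server).
ALLOWLIST = {"192.0.2.10"}

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the connection fields of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def scan_egress_log(text, router_ip, c2_indicators, allowlist):
    """Return alerts for outbound connections initiated by the router itself.

    'ioc-match' means the destination is on the indicator list;
    'unexpected-egress' means the router contacted a host not on the allowlist.
    Traffic from LAN clients is ignored: the router's own call-outs are the signal.
    """
    alerts = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["src"] != router_ip:
            continue
        if rec["dst"] in c2_indicators:
            reason = "ioc-match"
        elif rec["dst"] not in allowlist:
            reason = "unexpected-egress"
        else:
            continue
        alerts.append({"dst": rec["dst"], "dpt": rec["dpt"], "reason": reason, "line": raw})
    return alerts


def summarize(alerts):
    """Count alerts per (destination, reason) so repeated call-outs stand out."""
    return Counter((a["dst"], a["reason"]) for a in alerts)


if __name__ == "__main__":
    found = scan_egress_log(SAMPLE_LOG, "192.168.1.1", PLACEHOLDER_C2, ALLOWLIST)
    for (dst, reason), n in summarize(found).items():
        print(f"{reason:18s} {dst:16s} x{n}")
```

On the constructed log this flags the two attempts to reach the placeholder indicator and one unlisted destination, while the NTP request and the LAN client's browsing pass untouched. Run against a real egress log it only tells you that the router is calling somewhere it should not; confirming what the call-out is and cleaning the device still means the factory reset and firmware reinstall described above.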

Precautions

Even if your router is not one of the models listed, it might be a good idea to perform a power cycle (power off, power on) of your device; Cisco has advised that all SOHO (Small Office/Home Office) routers and NAS devices be cycled in this way to disrupt the malware.
