FBI asks to reboot routers in U.S. to stop Russian malware attack

VPNFilter has infected over haft a million routers

Experts have recently discovered a new malware, called VPNFilter. Currently, cybersecurity researchers estimate around 500 000 infections across the globe, and it seems that infection is only going to spread^[1].

VPNFiler can compromise home and small office routers to make them unusable or even collect information that is going through the device^[2]. Additionally, IT professional warn that hackers can remotely control the routers and perform malicious actions.

Furthermore, experts believe that the attack is organized by the infamous Russian cybercrime group known as Sofacy Group, A.P.T. 28, Pawn Storm, and Fancy Bear^[3].

The list of most of the infected devices by VPNFilter:

• TP-Link R600VPN;
• Linksys E1200, E2500, and WRVS4400N;
• Netgear DGN2200, R6400, R7000, R8000, WNR1000, and WNR2000;
• Mikrotik 1016, 1036, and 1072;
• QNAP TS251 and TS439 Pro.

People are urged to reboot the routers to kill VPNFilter by FBI

On May 25, FBI has released an official report asking people to help stop the spread of VPNFilter malware. According to the officials it can be done by power cycling the routers^[4].

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices.

Additionally, FBI suggests temporarily disabling remote control settings on the routers to make sure that criminals won't be able to hack the machines with minimal effort.

People are advised to secure their routers with strong passwords and encryption when they are active^[5]. This would decrease the risk of the VPNFilter infection.

Last but not the least, users must update their devices to the latest possible version. This will eliminate system vulnerabilities that might be exploited during the attack. However, this might not be enough to remove VPNFilter.

You must reset the router to the factory state to get rid of VPNFilter

The FBI has taken over the domain of VPNFilter which was used to infiltrate the systems with further stages of the malware once the device is at the first stage. As a result, infected routers cannot receive second and third stages leaving the attackers with the only choice — sending certain packets to the devices.

VPNFilter has three stages:

1. Stage one which ensures that the malware remains on the device even after the reboot;
2. Stage two has a self-destructing feature. As a result, the router becomes unusable and can be exploited for malevolent purposes, like collecting sensitive data;
3. Stage three consists of installing additional plug-ins that support other activities, including monitoring SCADA communication, connecting via TOR, or sniffing the network.

Fortunately, stages two and three cannot persist during the reboot. Likewise, you must power cycle your device to make sure that the infection does not spread further. However, you must reset your router to the factory state if you want to delete VPNFilter.