What just happened? Officials at the Federal Bureau of Investigation (FBI) are urging users to reboot their routers. The public service announcement says that hundreds of thousands of home and office devices have been compromised by “foreign cyber actors.” The attack targets routers from several manufacturers, and at least one NAS brand is also affected.
The attackers infected the devices with malware known as VPNFilter. It has a range of capabilities, including collecting data passing through the device and rendering the device inoperable, and its use of encryption and “misattributable networks” complicates detection and analysis of its network activity.
“The size and scope of the infrastructure impacted is significant,” says the alert. “The initial infection vector for this malware is currently unknown.”
The FBI advises power cycling routers and NAS devices to disrupt the malware; rebooting can also aid in identifying infected systems. It further recommends disabling remote management, enabling encryption, setting a strong password, and updating the device's firmware.
The PSA comes over a month after we reported that several US and UK agencies including the FBI warned that Russian hackers were compromising routers worldwide. Those attacks had apparently been occurring for at least a year before being discovered.
The alert did not identify the “foreign actors” in this latest attack, so it is unknown whether the incidents are related. However, the attack vectors in the Russian attacks were known.
Be aware that rebooting your router or NAS does not mean that the malware goes away.
According to Symantec, “The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot.”
However, this does not mean there is no point in power cycling the device. A reboot temporarily removes Stage 2 and Stage 3 of the malware, the components with the destructive capabilities. The persistent Stage 1 can reinstall them, but this appears to be a manual process. Put another way, a freshly rebooted but still infected device is one that Stage 1 has to reach out from in order to fetch the later stages again, which is what makes the reboot useful for identification.
If you have determined that your device is infected, Symantec recommends a hard reset to factory settings. This wipes out the malware, including Stage 1, but also returns every configuration setting to its default. Since the initial infection vector is unknown, apply the hardening steps (new strong password, remote management disabled, latest firmware) before reconnecting the device, or it can simply be reinfected the same way.
If you are interested in all the technical details, Symantec has a good write-up on VPNFilter that includes all the known affected devices. QNAP also has an advisory with step-by-step instructions for anyone running an infected QNAP NAS.