27 May 2018


FBI tells worldwide users of routers to reboot now to kill malware infecting 500k devices

FBI – Cyber Actors Target Home and Office Routers and Networked Devices Worldwide
Alert (TA18-145A)

After a type of malware infected more than 500,000 routers used in homes and small businesses in more than 50 countries, the FBI is urging all consumers to reboot their routers.
The VPNFilter malware was discovered by Cisco’s security researchers and affects routers made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link.

The U.S. Department of Justice said the authors of VPNFilter were part of the Sofacy group, which answered directly to the Russian government, Reuters reported, and that Ukraine was the likely target of the attack.

The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices.

The detailed Cisco report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot.

The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm.
The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

The US Department of Homeland Security has also issued a statement advising that "all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware."
As a precaution, the FBI is urging everyone to reboot their routers. According to media reports, the following 14 models are known to be affected by VPNFilter:
1-Linksys E1200
2-Linksys E2500
3-Linksys WRVS4400N
4-Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
5-Netgear DGN2200
6-Netgear R6400
7-Netgear R7000
8-Netgear R8000
9-Netgear WNR1000
10-Netgear WNR2000
11-QNAP TS251
12-QNAP TS439 Pro
13-Other QNAP NAS devices running QTS software
14-TP-Link R600VPN

If you think your router is affected, Cisco's advice is to reset the router to factory defaults, which clears everything and permanently removes all of the malware, including stage 1. This generally involves using a paper clip or thumb tack to hold down a button on the back of the device for 5 seconds. The reset will remove any configuration settings stored on the device, so users will have to restore those settings once the device reboots. (It's never a bad idea to disable UPnP when practical, but that protection appears to have no effect on VPNFilter.)

Reality views by sm -

Sunday, May 17, 2018

Tags – Routers FBI Reboot Alert