FBI recommends to reboot routers to kill VPNFilter malware

[Brink]

FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE

SUMMARY
The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

TECHNICAL DETAILS
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.

THREAT
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.

DEFENSE
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.

Authorities and researchers still don’t know for certain how compromised devices are initially infected. They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only users of the 14 models known to be affected by VPNFilter, which are:

• Linksys E1200
• Linksys E2500
• Linksys WRVS4400N
• Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
• Netgear DGN2200
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software
• TP-Link R600VPN

Read more:

• Internet Crime Complaint Center (IC3) | Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide
  
• FBI tells router users to reboot now to kill malware infecting 500k devices | Ars Technica

 

[Layback Bear]

Thank you Brink.
I will reboot my router today. Can't hurt and might help.


Jack

 

[Digital Life]

Thank you Brink.
I will reboot my router today. Can't hurt and might help.


Jack

If your router has been compromised my guess is that within minutes it will be compromised again, There are 100,000's of shady characters trying to exploit home and business devices facing the internet and with sites like Showdan it makes it much easier to find vulnerable devices.



I would also make sure you do not have remote administration enabled. Also change your Admin password to something complex that is hard to guess or brute force with automated tools.

 

[Iain]

Read more:

• Internet Crime Complaint Center (IC3) | Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide
  
• FBI tells router users to reboot now to kill malware infecting 500k devices | Ars Technica

Thanks for the information.


Also, if you haven't done so already, upgrading to the latest firmware is a very good idea. My SMB router and managed switch firmware was upgraded two weeks ago.

 

[file3456]

Doubt they got into my router flashed to Asus Merlin. One reason why I use third party firmware. I can't tell you how many infected routers try to do nefarious things on my websites.