500,000 devices with VPNFilter could be destroyed with a single command
The FBI is asking everyone in the world to reset their routers in an attempt to neuter the Russian malware known as VPNFilter.
VPNFilter was created by the Russian state-sponsored hacker group Fancy Bear (a.k.a. Sofacy, APT28). Last week the FBI obtained a warrant to shut down the control servers that were behind VPNFilter.
According to Cisco’s Talos Intelligence researchers, there are over 500,000 devices that have been infected. Among the affected manufacturers are LinkSys, MikroTik, NetGear and TP-Link. The malware collects traffic sent through the infected routers and scrapes it for data like login credentials.
What’s more disconcerting is that the malware has the power to wipe out portions of the routers’ firmware, which renders them useless. Attackers have the option to destroy a single device or wipe out all infected devices at once.
The Cisco report came in response to an uptick in infections in Ukraine. Officials there were quick to blame the malware on Russia, which they accuse of planning the attacks to coincide with next Saturday’s Champions Cup (soccer). Ukraine also blames Russia for the NotPetya attacks that occurred last year.
What routers are affected by VPNFilter?
Though the infections have been limited to devices made by LinkSys, MikroTik, NetGear and TP-Link, the FBI is quick to caution that other devices could be at risk as well. Here is a full list of the models affected by VPNFilter:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
What can I do to protect myself from VPNFilter?
Unplug your router.
Yes, that’s right: the age-old trick that can fix almost any internet connection issue also works for stopping VPNFilter. Kind of. First, here’s what the FBI had to say in a recent public service announcement:
“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices… Owners are advised to consider disabling remote-management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”
Unfortunately, the VPNFilter malware has three stages. The more dangerous stages, two and three, can be removed with a reboot. Stage one is like herpes: it remains on your router indefinitely and can pull the later stages back down, re-infecting the device. The good news is that the FBI now controls the address that all VPNFilter traffic was being routed to. The bad news is that stage one is potentially stuck on your router.
While it sounds silly on its surface, I would still heed the FBI’s advice. Resetting your router is typically as simple as pulling the power cord out of the wall, waiting about 30 seconds and then plugging it in again. This isn’t rocket science. Just follow the advice and avoid any trouble in the future.
As for how the infection started—nobody is sure. But Symantec, in its own report, mentioned that many of the targeted devices already had known vulnerabilities.
So if you’re using a newer device, still take the 30 seconds or so to reset, but you may already be in the clear.