It’s all over the news: Russia is in your router. The FBI is putting out news bulletins. Small businesses and home routers are both affected. This must be the end of the internet as we know it. Are we truly under attack? Should we start building our underground bunkers?
…Not exactly. Is it scary and possibly dangerous? Yes, but before you panic, let’s take a look at what VPNFilter, the latest malware to cause global hysteria, does.
- What is it? VPNFilter is a piece of malware that has infected approximately 500,000 routers in 54 countries. Sounds like a lot, but really, considering the sheer number of people who access the internet through a router (which means basically everyone), that number is actually pretty small on a global scale. It was created by the Russian state-sponsored Sofacy group (aka A.P.T. 28 and/or Fancy Bear).
- What does it do? The program has been called a ‘multi-purpose spy tool’. It is able to use hijacked routers as unwitting VPN’s, disguising the location of the actual bad guys, which can then be used to do further harm without the worry of being traced. It can also collect information from the infected routers as it is sent back and forth through the internet. However, what everyone seems to be worried about is a piece of code that could potentially be used to render all the infected routers completely useless – a virtual ‘kill switch’.
- When did it start? The short answer is we don’t know. Security firms and law enforcement agencies have been researching it for quite a while. A lot of the targeted devices are known to use default credentials and/or have vulnerabilities, particularly older versions, and thus may have been exploited to start the virtual ‘epidemic’.
- Who is affected? Most of the infections seem to be centered in the Ukraine. However, companies and individuals using the following routers have the potential to be infected:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
- How can we protect ourselves? The malware is multi-stage; it infects routers with multiple steps. The initial infection, or step one, downloads and executes the malware’s payloads in steps two and three. The FBI has strongly recommended that owners of the above listed routers restart them (this can be accomplished by simply unplugging the device and re-plugging it after 5 or more seconds). Note that this will not completely clear the infection, only the second and third steps. This unfortunately leaves the routers open for reinfection. However, the FBI has taken control of a major server the malware accesses to download the harmful files. If the infection attempts to connect to this server, it will actually help the FBI to identify infected routers. You can also factory reset your device, but this will also restore all settings to default, which may be undesirable.
- The bottom line: Malware=bad. Unless you have one of the infected routers listed and/or live in the Ukraine, you probably aren’t infected – the probability of it is pretty low. However, if you’d rather not play the numbers game and take the risk (understandably so), restarting your router is not going to hurt anything.
Keep an eye out for more information from the FBI and ADNET. The more you know, the better equipped you are to deal with potential infections!
Further reading:
- https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html
- https://www.zdnet.com/article/fbi-to-all-router-users-reboot-now-to-neuter-russias-vpnfilter-malware/
- https://www.wired.com/story/vpnfilter-router-malware-outbreak/
- https://securityaffairs.co/wordpress/72829/malware/vpnfilter-botnet.html