The Federal Bureau of Investigation (FBI) has issued a request to all US citizens asking them to reboot their routers in order to disrupt a malware campaign that the agency says is linked to foreign actors. According to the FBI’s public service announcement, the VPNFilter malware is targeting small office and home office (SOHO) routers, and anyone who owns such a device is asked to reboot it.
The malware can block web traffic as well as collect information from home and office networks. It is also capable of disabling infected devices entirely, according to the New York Times. The FBI announcement notes that the malware is capable of performing multiple functions, “including possible information collection, device exploitation, and blocking network traffic.”
The US agency notes that the scope of infrastructure impacted by VPNFilter is “significant” and that it is targeting routers from several manufacturers. Additionally, network-attached storage devices from at least one manufacturer are at risk. According to the FBI, VPNFilter can render infected small office and home office routers inoperable.
The problem is complicated by the fact that the malware’s network activity is difficult to detect and analyze: VPNFilter encrypts its traffic, which makes detection and analysis harder. The FBI advisory states that rebooting a router will only “temporarily disrupt the malware.” The reason is that a reboot removes the malware’s non-persistent later stages but not its persistent first stage, which can reconnect and download the other stages again, so a reboot is a stopgap rather than a cure. The advisory also recommends disabling remote management on network devices; if remote management must remain enabled, it should be protected with strong passwords and encryption. Finally, all network devices should be upgraded to the latest firmware available from the manufacturer.
The New York Times report adds that, globally, hundreds of thousands of routers are believed to be under the control of a group called the “Sofacy Group,” which is also known as APT28 and Fancy Bear. According to the report, the group is believed to be directed by Russian military intelligence.
However, VPNFilter’s impact is likely to extend well beyond the US. Earlier, security researchers at Cisco Talos had warned of the VPNFilter threat, describing it as a sophisticated malware system most likely backed by a state-sponsored or state-affiliated actor. “We have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country,” notes the company’s blog post.
According to Talos, the number of infected devices is at least 500,000 across at least 54 countries. The malware affects networking equipment from Linksys, MikroTik, NETGEAR and TP-Link. It has a “destructive capability that can render an infected device unusable,” the post notes.