FBI Takes Aim at 500,000 Strong Russian Router Botnet

Hackers potentially tied to a state actor (read: the Russian government) have managed to infect more than 500,000 home and small-office routers around the world with malware that can potentially track your usage, launch attacks on other networks, and permanently destroy the devices on command. The malware, dubbed VPNFilter in a Cisco advisory, has infected numerous routers from vendors like Linksys, MikroTik, Netgear, and TP-Link, as well as certain network-attached storage devices from companies like QNAP.

Infections in at least 54 countries have been spreading since sometime in 2016, Cisco claims.

"Both the scale and the capability of this operation are concerning," the company said. "Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries... The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols."

In a wrinkle this week, The Daily Beast reported that the FBI seized a key domain used to help coordinate the infected hardware. An FBI affidavit (pdf) obtained by the outlet states that the FBI believes the hacking group behind the attacks is known as Sofacy. Sofacy is also known as Fancy Bear, Sednit, and Pawn Storm, and is believed to be behind the 2016 hack of the Democratic National Committee.

The FBI has been investigating the botnet since at least August, though attacks have been dramatically spiking over the last few weeks, particularly in the Ukraine. In a statement issued by the DOJ, the agency called this the "first step" in combating cyber attacks, many of which have been conducted by Russia as it tries to find cheaper, more insidious ways to influence global politics and undermine its critics.

"By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack," the FBI stated. "While this is an important first step, the FBI's work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware."

"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," added Assistant Attorney General for National Security John C. Demers.

This Symantec advisory lists the impacted hardware and provides tips on cleaning up the infection.

Most recommended from 64 comments



chuch
Member
join:2001-04-11
Tampa, FL

10 recommendations

How do you know?

Having a Netgear R7000 myself, I would like to know if I am infected, but the article doesn't seem to provide any information on what to look for in terms of infection.

P Ness
You'Ve Forgotten 9-11 Already
Premium Member
join:2001-08-29
way way out

8 recommendations

Must be getting ready for Nov to support Trump

Gotta get them bots ready!

Tony0945
Member
join:2015-03-26
Streamwood, IL

8 recommendations

Time to work on my own router

Using an old computer and guides like this: »wiki.gentoo.org/wiki/Eth ··· Firewall

Then I don't have to worry about back doors and manufacturer snooping.

Anon06e0c
Anon
@77.111.247.x

4 recommendations

Nothing the FBI does can stop this if Russian gov't is the bad actor.

"The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware."

If it is true, as the article states, that Russian gov't is behind these attacks, then nothing the FBI or EU law enforcement does will stop them. Even if the FBI identifies those individuals behind this, the Russian gov't will do nothing to stop them or bring them to justice. All the FBI can do is play "whack-a-mole" on cmd & control domain names. And that is a waste of time as new cmd domains can be created daily to bypass blocked domains.

The only possible real solution is a mutually assured destruction attack by the US & EU to cripple Russian internet infrastructure with our own DDOS attacks on Russia.

telcodad
MVM
join:2011-09-16
Lincroft, NJ

2 recommendations

The FBI kindly requests that you reboot your router ASAP

FBI tells router users to reboot now to kill malware infecting 500k devices
Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.

By Dan Goodin, Ars Technica - May 25, 2018
»arstechnica.com/informat ··· devices/
quote:
The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices.

Researchers from Cisco’s Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot.

Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

Limited persistence

The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter—stages 2 and 3 can’t survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI’s advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves. The officials wrote:
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.
In a statement also published Friday, Justice Department officials wrote:
Owners of SOHO and NAS devices that may be infected should reboot their devices as soon as possible, temporarily eliminating the second stage malware and causing the first stage malware on their device to call out for instructions. Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.
The US Department of Homeland Security has also issued a statement advising that "all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware."

As noted in the statements, rebooting serves the objectives of (1) temporarily preventing infected devices from running the stages that collect data and other advanced attacks and (2) helping FBI officials to track who was infected. Friday’s statement said the FBI is working with the non-profit Shadow Foundation to disseminate the IP addresses of infected devices to ISPs and foreign authorities to notify end users.

Authorities and researchers still don’t know for certain how compromised devices are initially infected. They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only users of the 14 models known to be affected by VPNFilter, which are:

• Linksys E1200
• Linksys E2500
• Linksys WRVS4400N
• Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
• Netgear DGN2200
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software
• TP-Link R600VPN

The advice to reboot, update, change default passwords, and disable remote administration is sound and in most cases requires no more than 15 minutes. Of course, a more effective measure is to follow the advice Cisco gave Wednesday to users of affected devices and perform a factory reset, which will permanently remove all of the malware, including stage 1. This generally involves using a paper clip or thumb tack to hold down a button on the back of the device for 5 seconds. The reset will remove any configuration settings stored on the device, so users will have to restore those settings once the device initially reboots. (It's never a bad idea to disable UPnP when practical, but that protection appears to have no effect on VPNFilter.)

There's no easy way to know if a router has been infected by VPNFilter. For more advanced users, Cisco provided detailed indicators of compromise in Wednesday's report »blog.talosintelligence.c ··· ter.html, along with firewall rules that can be used to protect devices. ...
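The Ars excerpt quoted above notes that after a reboot the surviving stage 1 reaches out to the seized ToKnowAll.com domain, and that there is no easy way to tell whether a router is infected. One defender-side check that follows from that is to watch the LAN's DNS resolver log for lookups of that domain. The script below is an added example, not code from dslreports, Ars, Cisco or the FBI; it assumes dnsmasq-style query log lines (the sample lines are constructed) and RFC 1918 LAN ranges.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Domain the Ars excerpt says stage 1 contacts after a reboot (seized by the FBI).
SINKHOLED_DOMAINS = {"toknowall.com"}

# Only LAN clients are candidate infected routers or NAS boxes (assumed RFC 1918 ranges).
LAN_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# dnsmasq-style query line: "... query[A] toknowall.com from 192.168.1.1"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def matches_sinkhole(name: str) -> bool:
    """True if name is a sinkholed domain or a subdomain of one (case-insensitive, trailing dot ok)."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in SINKHOLED_DOMAINS)


def is_lan(src: str) -> bool:
    """True if src parses as an address inside one of the LAN ranges."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def find_beaconing_hosts(log_lines):
    """Return {client_ip: [queried names]} for LAN clients that looked up a sinkholed domain."""
    hits = defaultdict(list)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_sinkhole(m.group("name")) and is_lan(m.group("src")):
            hits[m.group("src")].append(m.group("name").lower().rstrip("."))
    return dict(hits)


# Constructed sample log lines (not a real capture).
SAMPLE_LOG = [
    "May 25 08:01:02 dnsmasq[123]: query[A] www.example.com from 192.168.1.20",
    "May 25 08:01:05 dnsmasq[123]: query[A] toknowall.com from 192.168.1.1",
    "May 25 08:01:06 dnsmasq[123]: query[A] ToKnowAll.com. from 192.168.1.1",
    "May 25 08:02:10 dnsmasq[123]: query[AAAA] cdn.toknowall.com from 10.0.0.5",
    "May 25 08:03:00 dnsmasq[123]: query[A] toknowall.com from 203.0.113.9",
    "May 25 08:03:30 dnsmasq[123]: cached www.example.com is 198.51.100.1",
]

if __name__ == "__main__":
    for host, names in find_beaconing_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(names)} lookup(s) of {sorted(set(names))}; reboot, then factory reset and update firmware")
```

A hit only tells you a device on the LAN tried to resolve the sinkholed name; the remediation is still the one the excerpt gives (reboot, factory reset, firmware update, disable remote management).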

Red Hazard
Premium Member
join:2012-07-21
O Fallon, IL

2 recommendations

Cisco?

So does this mean my Cisco RV325 is not infected since the routers mentioned are all Cisco competitors?