FBI Says Reboot Your Router to Stop Malware Infecting 500k Devices
The FBI is advising users of small office and home office routers to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices.
According to the FBI, "foreign cyber actors" have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.
The VPNFilter malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware's network activity is complicated by its use of encryption and misattributable networks.
The FBI recommends that any owner of a small office or home office router reboot the device to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and, when remote management is enabled, to secure it with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware.
The FBI did not explain why VPNFilter can't survive a reboot - why the malware is wiped clean as soon as a device is restarted.
The US Department of Homeland Security has also issued a statement advising that "all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware."
The FBI said it is working with the non-profit Shadow Foundation to disseminate the IP addresses of infected devices to ISPs and foreign authorities to notify end users.
The VPNFilter malware was discovered by Cisco's Talos researchers, who claim that it is likely a state-sponsored act.
In particular, the code of this malware overlaps with versions of the BlackEnergy malware - which was responsible for multiple large-scale attacks that targeted devices in Ukraine. The researchers have observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.
Talos estimates the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.