FBI Tells Router Users To Reboot Now To Kill Malware Infecting 500,000 Devices (arstechnica.com)
2018-05-25
The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices. Ars Technica reports: Researchers from Cisco's Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.
The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI's advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves. The Justice Department and U.S. Department of Homeland Security have also issued statements advising users to reboot their routers as soon as possible.
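The summary above says that after a reboot only stage 1 survives and that the rebooted device is expected to reach out to the seized ToKnowAll.com domain. A defender with resolver logs can turn that into a simple post-reboot check: any router or NAS that looks up that name is still carrying stage 1 and should be factory-reset or reflashed rather than merely rebooted. The script below is an added example, not code from the article, Talos, or the FBI; it assumes dnsmasq-style "query[TYPE] name from client" log lines, and the sample log is constructed.

```python
"""Flag LAN hosts that query the VPNFilter stage-1 fallback domain in DNS
resolver logs (added detection example; the log format is assumed to be
dnsmasq's query log and the sample lines below are constructed)."""
import re
from collections import defaultdict

# Domain named in the article as the seized fallback for delivering stage 2.
WATCHLIST = {"toknowall.com"}

# dnsmasq-style query line (assumed format; adjust for your resolver), e.g.
# "May 25 10:02:11 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1"
_QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'ToKnowAll.COM.' still matches."""
    return name.rstrip(".").lower()


def is_watched(name: str) -> bool:
    """True if name equals, or is a subdomain of, a watch-listed domain."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in WATCHLIST)


def parse_line(line: str):
    """Return the parsed fields of one query line, or None if it is not a query."""
    m = _QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_clients(lines):
    """Map client IP -> [(timestamp, queried name), ...] for every client that
    queried a watch-listed domain. Lines that are not queries are skipped."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_watched(rec["name"]):
            hits[rec["client"]].append((rec["ts"], rec["name"]))
    return dict(hits)


# Constructed sample log: ordinary client lookups plus two from the router
# itself (192.168.1.1), one of them for a subdomain with a trailing dot.
SAMPLE_LOG = [
    "May 25 10:02:11 dnsmasq[1234]: query[A] arstechnica.com from 192.168.1.50",
    "May 25 10:02:12 dnsmasq[1234]: query[A] ToKnowAll.com from 192.168.1.1",
    "May 25 10:02:13 dnsmasq[1234]: query[AAAA] example.org from 192.168.1.51",
    "May 25 10:05:40 dnsmasq[1234]: query[A] api.toknowall.com. from 192.168.1.1",
    "this line is not a query and is ignored",
]

if __name__ == "__main__":
    for client, events in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} watch-list lookups")
        for ts, name in events:
            print(f"  {ts}  {name}")
```

The match is deliberately done on the normalized name with a subdomain check, so case differences or a trailing dot do not let a lookup slip past. A hit is an indicator, not proof: the article itself only presumes the post-reboot callback, and a device that never reboots will not generate the query at all, which is why the check is only meaningful after the reboot the FBI recommends.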
reboot... and reflash with something like cur LEDE (Score:3)
Reboot and reflash
I tested this statement on several of my followers who have questioned me regarding this matter.
You know what the reaction was.
To see who logs in and attempts to alter the command and control software side.
Until then the feds will keep looking at the results in real time.
Now, if they actually listed which router/NAS models and firmware versions were problematic. Or how to diagnose if you were impacted...
If you have remote management turned on for your router or NAS, you should always expect special surprises.
Mikrotik patched this vulnerability (which is only a problem when remote management is enabled) 14 months ago.
Also, they continuously update their firmware, and that firmware is trivially easy to update.
The default firmware probably reboots itself every week anyway.
my router is not on that list, but (Score:2)
My router was being weird (Score:2)
First time ever, my phone keeps disconnecting from the Wi-Fi this evening. So I yanked the plug to the router and modem, and it went back to normal.
Can't say it's related, but I never saw these symptoms before.
