FBI Warns Users to Reboot Routers

[Crunchy Dragon]

The FBI has warned users to reboot their routers due to a malware attack allegedly unleashed by Russia.

 

Quote

The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands devices.

Researchers from Cisco’s Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot.

Bolded text added by me. I'm not aware if the malware would affect routers by other companies such as Motorola or Asus. Either way, I would strongly advise you all to reboot your routers just in case. Can't be too safe, right?

 

Quote

Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

Quote

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.

Quote

Owners of SOHO and NAS devices that may be infected should reboot their devices as soon as possible, temporarily eliminating the second stage malware and causing the first stage malware on their device to call out for instructions. Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.

Pretty serious stuff. Again, I would strongly advise you all to take the necessary security measures.

 

A list of all the known affected routers:

Quote

Authorities and researchers still don’t know for certain how compromised devices are initially infected. They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only users of the 14 models known to be affected by VPNFilter, which are:

• Linksys E1200
• Linksys E2500
• Linksys WRVS4400N
• Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
• Netgear DGN2200
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software
• TP-Link R600VPN

Quote

There's no easy way to know if a router has been infected by VPNFilter. For more advanced users, Cisco provided detailed indicators of compromise in Wednesday’s report, along with firewall rules that can be used to protect devices.

I don't have too much left to say at this point, but I hope this all gets patched soon.

 

Hope you all can stay safe.

Source: https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

[BlueChinchillaEatingDorito]

And I thought cable modems were becoming the norm. Haven't bought a dedicated router for the past decade.

[Crunchy Dragon]

3 minutes ago, BlueChinchillaEatingDorito said:

And I thought cable modems were becoming the norm. Haven't bought a dedicated router for the past decade.

Are they? I honestly didn't know. I would imagine most people just use routers.

[BlueChinchillaEatingDorito]

Just now, Crunchy Dragon said:

Are they? I honestly didn't know. I would imagine most people just use routers.

I guess you could consider mine a router too since it's those combined ones. The ones listed seem to just be the stand alone ones you can buy at BestBuy. Either way, doesn't effect me since mine is a Hitron. 

[iamdarkyoshi]

All of my networking gear is retired enterprise gear or home built. Still pretty worrying stuff though

[Skiiwee29]

wow... glad I already employ the recommended security measures on my R7000. Still very worrying... I just went and looked for updated firmware and thankfully im on the latest, but still very worrying and concerning. 

[DrMacintosh]

Why didn't I just buy an new Apple Time Capsule for my replacement router when my 4th Gen Time Capsule died? 

[Blebekblebek]

Quote

The report said the malware was developed by hackers working for an advanced nation, possibly Russia

 

Sometimes I don't get it, it's like " If anything goes not according to plan, Blame RUSSIA, if that doesn't work, blame on Israel, and if that didn't work either, blame on male toxic masculinity, if any of it doesn't work, victim card is always working "

[aezakmi]

Quote

by Russia.

 

Wasn't China the #1 enemy of the US after the Cold War?

[Razor Blade]

15 minutes ago, iamdarkyoshi said:

All of my networking gear is retired enterprise gear or home built. Still pretty worrying stuff though

Me too. My R7000 now lives behind a pfSense tank.

 

[Enderman]

32 minutes ago, Crunchy Dragon said:

Are they? I honestly didn't know. I would imagine most people just use routers.

You can't connect to the internet with just a router.

There is always an ONT or modem that takes the signal cable and turns it into ethernet.

Sometimes a modem and router are combined into one.

[Redicat]

Breaking into my House is easier than going try and acces it from more than 2.000 KM away

[Delicieuxz]

33 minutes ago, Blebekblebek said:

Sometimes I don't get it, it's like " If anything goes not according to plan, Blame RUSSIA, if that doesn't work, blame on Israel, and if that didn't work either, blame on male toxic masculinity, if any of it doesn't work, victim card is always working "

 

Well the warning does come from the FBI, and US intel agencies take any opportunity that they can to demonize US geopolitical rivals - even for allegedly doing the very things that those US intel agencies have been known to be doing for many years already -  just like we know from leaked CIA documents that the CIA has been mass-hacking hundreds of router models for many years.

 

Also, CIA documents leaked by WikiLeaks revealed that the CIA and NSA use Russian hacking tools and methods, and deliberately leave Russia-like traces in their hacks to make them appear to have been done by Russia (or China). So, maybe the FBI just detected a CIA hacking program.

 

https://www.bleepingcomputer.com/news/security/cia-created-toolkit-for-hacking-hundreds-of-routers-models/

https://www.zdnet.com/article/cia-has-been-hacking-into-wi-fi-routers-for-years-leaked-documents-show/

https://arstechnica.com/information-technology/2017/06/advanced-cia-firmware-turns-home-routers-into-covert-listening-posts/

 

Though, sometimes the CIA goes for the more direct approach and intercepts shipments of modems and routers and implants hacked firmware in them before they even reach their destination:

 

https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

[Kamina]

Russia hacked my tree down.

[Zodiark1593]

I don't even have home internet let alone having any routers up. 

[straight_stewie]

The US releases information that says "An advanced nation, possibly Russia, made a virus" and we're expected to believe that? I guess we've forgotten about StuxNet or any of the EquationGroup (TAO) software...

[asus killer]

i'm confused, if they don't know how they were infected, rebooting solves what? What prevents the "russians" from do it again?

 

one a person note i want to believe this is for real and not more Russia-US random craziness, but i'm gonna remain skeptical

[Wh0_Am_1]

2 hours ago, Crunchy Dragon said:

Are they? I honestly didn't know. I would imagine most people just use routers.

Cable routers are a thing with some companies like Comcast, meanwhile with other companies that give you a brand new router with decade old tech, (like Centurylink ) you really have to buy a router because 802.11n just isn't fast enough for my family's large arsenal of devices anymore.

Edited May 27, 2018 by Wh0_Am_1
Up way to late... Night!

[Vode]

2 hours ago, Razor Blade said:

Me too. My R7000 now lives behind a pfSense tank.

 

That‘s a King Tiger.

[captain_to_fire]

13 minutes ago, straight_stewie said:

EquationGroup (TAO) software

Sucks for that guy who took home a flash drive with the Equation virus

2 hours ago, Delicieuxz said:

Well the warning does come from the FBI, and US intel agencies take any opportunity that they can to demonize US geopolitical rivals

I think the report came first from Cisco's Talos and the FBI just issued a PSA following Cisco's report https://blog.talosintelligence.com/2018/05/VPNFilter.html

 

Also, let's not ignore the fact that almost every first world nation conducts espionage on each other. While the US has indeed done a lot of cyberwarfare (e.g. Shadow Brokers GitHub dump, Equation, Stuxnet, etc), the Kremlin is guilty as well (e.g. Moonlight Maze, Turla, etc) and they do all of this to gather intelligence. Is it bad? Yes. However, there's nothing lay people can do about it. While there's currently a digital Geneva convention among tech companies, there's little these private companies can do to stop them from doing espionage on each other and it has been going decades ago until now.

Edited May 27, 2018 by captain_to_fire

[Wh0_Am_1]

8 hours ago, straight_stewie said:

The US releases information that says "An advanced nation, possibly Russia, made a virus" and we're expected to believe that? I guess we've forgotten about StuxNet or any of the EquationGroup (TAO) software...

We don't know for absolutely certain that Stuxnet was developed by an American entity, though it is widely believed to have been a collaboration between American and Israeli entities to safely destroy a Uranium refining facility so as to keep Nuclear weapons out of the hands of dangerous entities within Iran.

 

8 hours ago, Vode said:

That‘s a King Tiger.

Great, now hopefully it is much more dependable than a King Tiger, or Tiger II.

[straight_stewie]

2 minutes ago, Wh0_Am_1 said:

We don't know for absolutely certain that Stuxnet was developed by an American entity, though it is widely believed to have been a collaboration between American and Israeli entities to safely destroy a Uranium refining facility so as to keep Nuclear weapons out of the hands of dangerous entities within Iran.

Well obviously. It was developed by No Such Agency. But the hard evidence is undeniable.

New York Times alludes to the matter.
 

[Wh0_Am_1]

4 minutes ago, straight_stewie said:

Well obviously. It was developed by No Such Agency. But the hard evidence is undeniable.

New York Times alludes to the matter.
 

Interesting, but the only usable source listed is a book and they refer you to page 41. I'm sorry but out of all the major news publications, in recent years that is one of the ones I trust the least.. And as I stated earlier it is believed that it was developed by American and Israeli entities, but in reality there is no hard evidence at least none that I can find, just speculation easily faked reports on the matter. Do I think that it was some entities in the US and Israel? Yes. Am I certain? No. because there are a number of hacker groups that have done outlandishly impressive things before. Anyways let's bury the ax and get back to discussing tech and the like. 

[Bananasplit_00]

Not that I own a susceptible model, but what does rebooting do here? Is the malware just in RAM or something and won't it just be infected again if it gets cleared? 

[paddy-stone]

The FBI has warned users to reboot their routers due to a malware attack allegedly unleashed by Russia So that we can gain access through our backdoor again.  /S