The FBI believes Russian computer hackers have compromised hundreds of thousands of computers around the world, and are advising everyone to reboot their routers to prevent the spread of malware.
According to a public service announcement issued by the bureau, the malicious actors used “VPNFilter” malware to target 500,000 small-office and home-office routers in 54 countries, which can perform multiple functions including collecting information, blocking network traffic and exploiting devices in other ways.
“The size and scope of the infrastructure impacted by VPNFilter malware is significant,” read the FBI warning.
What is the VPNFilter attack, and which devices could be infected?
The attack is believed to be linked to Russian intelligence groups, specifically a group known as A.P.T. 28. This group, also known as Socafy and Fancy Bear, has been credited with the majority of Russian hacks.
The Department of Justice said last week that hundreds of thousands of computers are already under the group’s control, which is believed to be directed by Russia’s military intelligence agency. The New York Times reports that A.P.T. 28 is also believed to be behind hacking the 2016 U.S. Presidential Election.
An analysis by the Cisco threat intelligence division Talos unit predicts that 500,000 routers in at least 54 countries have been affected. The analysis by Talos also pointed out similarities between VPNFilter’s computer code and “versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.”
WATCH: Tips to protect your devices from ransomware malware
VPNFilter is a multi-stage malware, and while experts are still trying to determine exactly what the infection is built to do, it has the ability to effectively steal website credentials and issue a self-destruct command (rendering most devices inoperable).
“The malware has a destructive capability that can render an infected device unusable,” it said, “which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” read Talos’ post.
WATCH: What you should do if your email gets hacked
Devices that have been infected include Linksys, MikroTik, NETGEAR and TP-Link equipment in the home and small-business environments, as well as QNAP network-attached storage (NAS) devices.
These networking devices include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
While the notice stated that the malware has impacted routers designed by several manufacturers, the original host for the infection is still unknown.
What could happen if your router is hacked?
A court order from this past Wednesday allowed the FBI to seize a website that the hackers reportedly planned to use to give instructions to the compromised routers. What can a compromised router be directed to do?
The possibilities for the individual consumer range from data theft, spying on the owners of the router, launching DDoS attacks and launching attacks on other networking devices.
“The routers are rendered vulnerable, and a piece of malware gets loaded up into it and that piece of malware is what starts to skim information. Basically, it’s just theft of whatever data is going through the actual routers themselves,” explained Ajay Sood, general manager of Symantec Canada.
However, in addition to spying on and intercepting passwords from the individual consumer, Sood notes that with over 500,000 devices under its control, any hostile entity could easily launch much more complex, larger-scale attacks.
“If you have 500,000 targets that are instructed to simultaneously open connections on a specific server, you could pretty much bring that web server or whatever infrastructure you want to its knees,” he said.
Why is the FBI asking you to reboot your router?
The FBI has asked that everyone reboot their routers to “temporarily disrupt the malware and aid the potential identification of infected devices.” What does this mean?
Sood explained that this particular attack uploads itself to the memory of the router (which is key to powering the device). During a reboot, the memory of the router is cleared out, meaning that while the vulnerability which allowed the attack to take place still remains, the infection itself is temporarily cleared.
WATCH: Hackers can exploit built-in speakers of smartphones and devices
By doing this, hackers are then forced to compromise the router again to re-infect it. By this point, Sood said the hope is that in being aware of the threat, service providers are better able to deflect it by blocking the traffic and issuing security patches.
“It’s kind of like saying, ‘I’ve broken into your house, I’ve installed a piece of malware, but if you turn off the electricity and turn it back on again, that malware’s gone, so I have to break into your house again to do it,'” said Sood.
“You haven’t eliminated the vulnerability that allowed that machine to be infected but you’re removing the infection.”
How can you protect yourself from attacks on your home or office router?
In addition to rebooting your router, both the FBI and Sood recommend turning off a feature on your device called Remote Network Management, which leaves the web port on these routers open. This feature allows you to configure your Wi-Fi and other network devices remotely.
Unfortunately, however, there is no easy way for the average internet user to identify if their router has been compromised without receiving an alert from their service provider.
Furthermore, Sood notes that the most valuable tool users have in the fight against cyber threats like these is making sure their software is up to date, and making sure you’re selecting technology that hasn’t habitually fallen prey to attacks in the past. This task, however, is becoming more and more difficult for the everyday user.
“Now, you don’t even have to attack the computer anymore. You don’t even have to attack the endpoint, so it’s important to make sure that when you do buy technology, it’s armoured against the latest and greatest types of attacks,” said Sood.
However, he emphasizes that consumer diligence is gradually being rendered ineffective when ill-equipped security software comes up against advanced, multi-stage attacks.
“Most anything that can be connected to the internet can be hacked.”
With the internet becoming more crucial to people’s lives every day, Sood concedes that “you can’t really win.”
WATCH: 100,000 Bell customers affected by hack
“You’ve got a situation where you’ve got a device that needs to be wired to the internet. Always on, always hot. Short of powering down your equipment every time you’re not using the internet, there’s really no way you can get away from that.”
More and more consumer products require the internet to function, including smart speakers, many home security systems, many TVs, music systems — and in this day in age, hackers can reach users in their homes.
“The attack is being taken to the individual. This isn’t the banks’ firewall. This isn’t the government’s firewall. This is your firewall.”
“I think this is a perfect example of them coming after you where you live, and that should wake up a whole bunch of people.”
Comments