[Catalist] VPNFilter Malware

[Ray Forma]

There is a small probability that the any Wi-Fi routers and NAS devices that you use at home or work may be infected with VPNFilter Malware. An Internet search on "VPNFilter Malware” will give you more current information, as well as the growing list of Wi-Fi routers and NAS devices that could be infected. Note that it seems that the operating system your computer uses does not affect the probability of infection, so MacOS users may also be affected by infected devices.

Here’s some basic information:

Reboot Your Wi-Fi Router and NAS Device: Here’s Why

Last week, the US Federal Bureau of Investigation (FBI) released a statement saying that all consumers and small businesses should reboot their Wi-Fi routers and NAS devices. If you haven’t yet taken the time to do this, check the rest of this post to see why following this simple security action is necessary and then go do it.

VPNFilter Malware
The FBI’s statement came out after Cisco’s security researchers discovered that more than 500,000 Wi-Fi routers were infected with malware named VPNFilter. According to Cisco, Linksys, Mikrotik, Netgear, QNAP and TP-Link routers are all affected. Further research by the U.S. Department of Justice (DOJ) showed that the malware was crafted by the Sofacy group, linked to the Russian government, and that Ukraine was the intended target of the attack.

Cisco reported that “The VPNFilter malware is a multistage, modular platform with versatile capabilities to support both intelligence collection and destructive cyberattack operations.” Since this means that the malware could collect personal or business data and initiate a large-scale destructive attack, Cisco’s recommendation was for owners of network-attached storage devices (NAS) to be especially wary of the malware. Cisco researchers were unable to determine how the compromised routers were infected, so officials are urging owners of all routers and NAS devices — not just those that were identified — to reboot. Cisco’s Talos Intelligence group has a complete report online that is available here.

According to the FBI statement, “The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”

There are three stages to VPNFilter: a persistent stage 1 and non-persistent stages 2 and 3. Rebooting clears out stages 2 and 3 to mitigate most issues from the malware. The FBI seized a domain used by the malware creators to deliver stages 2 and 3 of the attack, so those stages of the malware can’t survive a reboot.

The US DOJ issued a warning similar to that from the FBI: “Owners of SOHO and NAS devices that may be infected should reboot their devices as soon as possible, temporarily eliminating the second-stage malware and causing the first-stage malware on their device to call out for instructions. Although devices will remain vulnerable to reinfection with the second-stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.”

Cisco has gone one step further, asking all users to perform a factory reset of their devices. Doing so even clears out stage 1 of the malware. If you have a Cisco router, visit the company’s wireless support site for instructions on how to do a factory reset.

Regards,

Ray Forma
50 Harvest Road, North Fremantle WA 6159, Australia
Tel +61 (0) 428 596 938