  #1  
Old 29-05-2018, 03:17 PM
gary
Registered User

Join Date: Apr 2005
Location: Mt. Kuring-Gai
Posts: 5,928
FBI recommends to power cycle routers to stop Russia-linked malware

On May 25th 2018, the FBI issued this warning :-
https://www.ic3.gov/media/2018/180525.aspx

Quote:
Originally Posted by FBI Public Service Announcement 25 May 2018
Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Summary
The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

Technical Details
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.

Threat
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.

Defense
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.
Quote:
Originally Posted by Louis Lucero II, New York Times
May 27, 2018
Hoping to thwart a sophisticated malware system linked to Russia that has infected hundreds of thousands of internet routers, the F.B.I. has made an urgent request to anybody with one of the devices: Turn it off, and then turn it back on.

The malware is capable of blocking web traffic, collecting information that passes through home and office routers, and disabling the devices entirely, the bureau announced on Friday.

A global network of hundreds of thousands of routers is already under the control of the Sofacy Group, the Justice Department said last week. That group, which is also known as A.P.T. 28 and Fancy Bear and believed to be directed by Russia’s military intelligence agency, hacked the Democratic National Committee ahead of the 2016 presidential election, according to American and European intelligence agencies.
Article here :-
https://www.nytimes.com/2018/05/27/t...t-malware.html
  #2  
Old 29-05-2018, 04:48 PM
gary
Registered User

Join Date: Apr 2005
Location: Mt. Kuring-Gai
Posts: 5,928
Wikipedia article on VPNFilter :-

Quote:
Originally Posted by Wikipedia
VPNFilter is malware designed to infect routers. As of 24 May 2018, it is estimated to infect approximately 500,000 to 1,000,000 routers worldwide. It can steal data and also contains a "kill switch" designed to destroy the infected router on command. The FBI believes that it was created by the Russian Fancy Bear group. The following routers can be infected:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

Both Cisco and Symantec suggest that people who own the above devices do a factory reset. That is typically accomplished by using something small and pointy, such as a straightened out paperclip, to push the small reset button on the back of the unit for 10 to 30 seconds (time varies by model). This will remove the malware, but also restores the router to all original settings. On 25 May 2018, the FBI suggested instead that users simply reboot their routers. This would remove the dangerous payload of the malware, leading it to attempt to re-download the payload. The FBI said that this would help them to find the servers distributing the payload.
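As an added illustration (not code from the thread or from any of the quoted sources), a small Python triage script that applies the quoted advice to a home or office device inventory: it matches vendor/model strings against the affected list above, treats any QNAP unit running QTS and any MikroTik CCR 1016/1036/1072 as affected, and lists the defensive actions the FBI advisory calls for. The `Device` fields, the `firmware_current` flag and the sample inventory are constructed assumptions for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Models from the Wikipedia list quoted above, normalised to upper case with
# spaces/hyphens removed so banner strings such as "TS-439 Pro" still match.
AFFECTED = {
    "LINKSYS": {"E1200", "E2500", "WRVS4400N"},
    "NETGEAR": {"DGN2200", "R6400", "R7000", "R8000", "WNR1000", "WNR2000"},
    "QNAP": {"TS251", "TS439PRO"},
    "TPLINK": {"R600VPN"},
}
MIKROTIK_CCR = {"1016", "1036", "1072"}   # RouterOS on Cloud Core Routers

def _norm(s: str) -> str:
    return re.sub(r"[\s\-_]", "", s).upper()

@dataclass
class Device:                 # constructed inventory record (assumption)
    name: str
    vendor: str
    model: str
    remote_mgmt: bool         # WAN-side remote management enabled?
    firmware_current: bool    # running the latest vendor firmware?
    os: str = ""              # e.g. "QTS" for QNAP NAS units

def is_affected(dev: Device) -> bool:
    vendor, model = _norm(dev.vendor), _norm(dev.model)
    if vendor == "MIKROTIK":  # only the listed CCR models
        return model.startswith("CCR") and any(c in model for c in MIKROTIK_CCR)
    if vendor == "QNAP" and _norm(dev.os) == "QTS":
        return True           # "Other QNAP NAS devices running QTS software"
    return model in AFFECTED.get(vendor, set())

def triage(dev: Device) -> list[str]:
    """Defensive actions per the FBI / Cisco / Symantec advice quoted above."""
    actions = []
    if is_affected(dev):
        actions.append("on affected list: factory reset (Cisco/Symantec), or at least reboot (FBI)")
    else:
        actions.append("not on affected list: reboot anyway per FBI advice")
    if dev.remote_mgmt:
        actions.append("disable remote management, or require strong password and encryption")
    if not dev.firmware_current:
        actions.append("upgrade to latest available firmware")
    return actions

INVENTORY = [   # constructed sample inventory, not real devices
    Device("gateway", "Netgear", "R7000", remote_mgmt=True, firmware_current=False),
    Device("nas", "QNAP", "TS-453", remote_mgmt=False, firmware_current=True, os="QTS"),
    Device("core", "MikroTik", "CCR1036-12G-4S", remote_mgmt=False, firmware_current=True),
    Device("ap", "Ubiquiti", "UAP-AC-PRO", remote_mgmt=False, firmware_current=True),
]

def report() -> dict[str, list[str]]:
    return {d.name: triage(d) for d in INVENTORY}
```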
  #3  
Old 29-05-2018, 04:52 PM
gary
Registered User

Join Date: Apr 2005
Location: Mt. Kuring-Gai
Posts: 5,928
Symantec article providing background and their advice :-

https://www.symantec.com/blogs/threa...er-iot-malware

Quote:
Originally Posted by Symantec
A: VPNFilter is a multi-staged piece of malware. Stage 1 is installed first and is used to maintain a persistent presence on the infected device and will contact a command and control (C&C) server to download further modules.

Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.

There are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.
  #4  
Old 30-05-2018, 06:38 PM
Dennis
Dazzled by the Cosmos.

Join Date: May 2005
Location: Brisbane
Posts: 11,706
Thanks Gary, I appreciate the heads up.

Cheers

Dennis
  #5  
Old 05-06-2018, 12:48 PM
sil (Steve)
Not even a speck of dust

Join Date: Jun 2012
Location: Canberra
Posts: 1,474
It's something I've learnt to do anyway by habit with many networked devices. Poor design means buffers fill up and you get performance problems anyway; just powering off for 30 sec gives them time to fully discharge and cool down a moment, and everything just runs smoother once powered back up. Fresh network addresses get assigned etc. For me it's always been a no-brainer for a smooth and stable network. Even plug stuff into one powerboard with a power timer to cut power once a week at a suitable time.
  #6  
Old 06-06-2018, 03:20 PM
Dennis
Dazzled by the Cosmos.

Join Date: May 2005
Location: Brisbane
Posts: 11,706
Quote:
Originally Posted by sil
It's something I've learnt to do anyway by habit with many networked devices. Poor design means buffers fill up and you get performance problems anyway; just powering off for 30 sec gives them time to fully discharge and cool down a moment, and everything just runs smoother once powered back up. Fresh network addresses get assigned etc. For me it's always been a no-brainer for a smooth and stable network. Even plug stuff into one powerboard with a power timer to cut power once a week at a suitable time.
Ah, that's good news then, as I power down everything overnight and power up again each new day; PC, Modem, Router, Switch, Printer, NAS, UPS - the whole shebang.

Cheers

Dennis
  #7  
Old 07-06-2018, 08:43 AM
The_bluester (Paul)
Registered User

Join Date: Feb 2011
Location: Kilmore, Australia
Posts: 3,342
Thankfully mine is not on the list as I rarely power it off, I might reboot it every few days as a precaution anyway and see if a new firmware is released for it soon.

I am in the opposite situation to sil. I got sick of having to regularly power cycle or reboot my router via the management interface to keep it stable so I went out and bought an enterprise grade one. It was online and performing well with 12 months uptime at one point until we had a power outage long enough to dry up the UPS.

Consumer grade ones tend to have rubbish firmware, tacitly admitted by at least one of the manufacturers which builds in a "Self healing" function where you can schedule a periodic reboot. Basically admitting that the firmware is such flaky rubbish that it will stop working properly unless it is rebooted on a regular basis.
  #8  
Old 07-06-2018, 09:27 AM
Nikolas (Nik)
Dazed and confused

Join Date: May 2012
Location: Melbourne
Posts: 3,267
Meh, it's good practice to power cycle your router at least once a week to clear it and refresh the connection, much like any device. Though I'd be really worried if Russian hackers were trying to access my computer, as they would be deeply disappointed and it would be sad for them. I mean, no one wants to see a sad Russian hacker.
  #9  
Old 07-06-2018, 02:28 PM
The_bluester (Paul)
Registered User

Join Date: Feb 2011
Location: Kilmore, Australia
Posts: 3,342
I have to argue with that. If it actually works properly and stays stable in the long term what does a regular reboot achieve?

Maybe if you are talking about a combined DSL MODEM/Router it might be worthwhile if it helps with the DSL connection but even when we were on DSL I bridged the MODEM and used a decent stand alone router as the combination of a good MODEM, good router and good Wifi access point in a single box proved to be a unicorn. I now have NBN fixed wireless, separate router, separate switch (Tech heavy house) and stand alone enterprise grade Wifi access points, largely they just work too, months of uptime without going flaky.

I got a router that did not need regular rebooting to keep the router function stable as at least once a month a scheduled reboot would mess something up in the network that then needed digging into and fixing by me.

Last edited by The_bluester; 07-06-2018 at 02:46 PM.
  #10  
Old 07-06-2018, 02:34 PM
LewisM
Novichok test rabbit

Join Date: Aug 2012
Location: Somewhere in the cosmos...
Posts: 10,388
Sounds just like the NSA’s Stuxnet, just less insidious
  #11  
Old 07-06-2018, 08:24 PM
AndyG (Andy)
No. I am a meat popsicle.

Join Date: Aug 2017
Location: Townsville
Posts: 598
Quote:
Originally Posted by The_bluester
I got sick of having to regularly power cycle or reboot my router via the management interface to keep it stable so I went out and bought an enterprise grade one.

This is very true, but often unappreciated by most. I spent 10 years selling and servicing "consumer" grade gear, only to experience a culture shock when I went "upmarket" a bit.


I now run an Avaya 48 port POE switch (40 ports in use), and 4x Ubiquiti AC Pro APs. My router (on Fibre NBN) is just a dinky little ASUS, but partly thanks to the Merlin WRT firmware, I'm currently enjoying 154 days of uptime. When the ASUS drops its guts (3yrs old so far), I think I'll snag a Ubiquiti Edgerouter. Very happy with their stuff.


I have to bite my tongue when dealing with trash routers that the telcos issue on contracts. No insult to the owners of course, it's just hard to explain/justify that there are better things out there.
  #12  
Old 07-06-2018, 09:10 PM
The_bluester (Paul)
Registered User

Join Date: Feb 2011
Location: Kilmore, Australia
Posts: 3,342
I am only at 23 days uptime at the moment, we have had a heap of extended power outages this year, 23 days would be back to the last one long enough to run the UPS down. We got to nearly a year at one point.



The Cisco switch we are using (Not Linksys, proper Cisco) has been "Just working" for about 8 years, plug in, switch on, go.