The United States Federal Bureau of Investigation (FBI) has issued an alert suggesting that routers connecting U.S. homes and businesses to the Internet may have been infected by foreign malware linked to Russian hackers. “The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic,” the alert stated.
The size and scope of the VPNFilter malware may be significant. The malware can target routers from several manufacturers, and the agency is currently unaware of the initial infection vector. According to the FBI, the malware can render small office and home routers inoperable as well as collect user information as it passes through the router. “Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks,” it stated.
It asked users to reboot their devices, both to temporarily disrupt the malware and to help identify infected devices. “Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware,” it suggested.
The bigger concern is that, according to Talos, Cisco's security research arm, nearly 500,000 devices may have been affected, and the infections are spread across at least 54 countries. “More than half a million routers have been identified already as being compromised, so I think there are a significant number of devices that have been affected and it is difficult to estimate how many devices could be affected in the coming days or week,” Shuman Ghosemajumder, chief technology officer at Shape Security, told NBC News.
Talos stated that the devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.
Talos also pointed out that defending against the attack is very difficult because of the nature of the malware and the affected devices. Most of these devices sit directly on the internet, with no security controls in front of them, no built-in anti-malware capabilities, and publicly known vulnerabilities that are inconvenient for the average user to patch, all of which makes the malware hard to counter and block.