Federal Authorities: Reboot Your Router to Stop Russian Malware

It's not unusual to reboot your router because of some error or bug, but it’s not often that you need to reboot it in the name of national security. The US government has advised owners of home and small business routers to restart them to neuter a particularly nasty strain of Russian malware that has exploited hundreds of thousands of devices.

The warning comes from the FBI, Department of Homeland Security, and the Department of Justice. The agencies say that a simple reboot can protect you from the “VPNFilter” malware, at least in the short term. VPNFilter is linked to a group of Russian hackers known as Fancy Bear, sometimes called Sofacy Group and APT 28. Many security experts believe the group gets backing from Russian military intelligence (the GRU), or it may simply be part of Russian intelligence. Fancy Bear is perhaps most famous for the spear phishing attack that led to the theft of 50,000 emails from Clinton advisor John Podesta in 2016.

Devices infected by VPNFilter include routers from makers like Cisco/Linksys, MikroTik, NETGEAR, and TP-Link. Some QNAP NAS boxes are also vulnerable to infection. The attackers slipped the malware onto routers that were still using default login credentials with remote access enabled, as well as those that simply had unpatched security vulnerabilities. Most older routers lack an automatic firmware update mechanism, so they’re usually full of security holes. Security firms have published lists of affected routers, but this should by no means be considered a comprehensive collection.

VPNFilter infects routers in stages, but the first stage doesn’t do anything malicious. It is just a service that pings a command-and-control server, allowing the malware authors to load the second and third stage payloads. The second stage includes the primary tools for compromising your network. It supports data exfiltration, command execution, and more. It can also brick the router remotely if it receives a command to do so. The stage three package adds support for snooping on packets as they pass through the router and for Tor communication with the controllers.

Rebooting a router clears the “advanced” stages of VPNFilter from a device, but the first stage remains in place. That means Fancy Bear could circle back and re-infect the router with stages two and three. Rebooting is only a temporary solution, so owners of the affected routers should start looking for a more modern replacement.
