Fwd: [Dewayne-Net] FBI tells router users to reboot now to kill malware infecting 500k devices

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: May 27, 2018 at 9:56:50 AM EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] FBI tells router users to reboot now to kill malware infecting 500k devices
> Reply-To: dewayne-net () warpspeed com
>
> FBI tells router users to reboot now to kill malware infecting 500k devices
> Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.
> By DAN GOODIN
> May 25 2018
> <https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/>
>
> The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as 
> possible to counter Russian-engineered malware that has infected hundreds of thousands devices.
>
> Researchers from Cisco’s Talos security team first disclosed the existence of the malware on Wednesday. The detailed 
> report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. 
> Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and 
> permanently destroy the devices with a single command. The report said the malware was developed by hackers working 
> for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or 
> at a minimum to reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian 
> hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast 
> also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the 
> malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and 
> secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on 
> attackers sending special packets to each infected device.
> Limited persistence
>
> The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter—stages 2 and 
> 3 can’t survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 
> remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized 
> ToKnowAll.com address. The FBI’s advice to reboot small office and home office routers and NAS devices capitalizes on 
> this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, 
> not just those known to be vulnerable to VPNFilter, protect themselves. The officials wrote:
>
> The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the 
> malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote 
> management settings on devices and secure with strong passwords and encryption when enabled. Network devices should 
> be upgraded to the latest available versions of firmware.
>
> In a statement also published Friday, Justice Department officials wrote:
>
> Owners of SOHO and NAS devices that may be infected should reboot their devices as soon as possible, temporarily 
> eliminating the second stage malware and causing the first stage malware on their device to call out for 
> instructions. Although devices will remain vulnerable to reinfection with the second stage malware while connected to 
> the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time 
> available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.
>
> The US Department of Homeland Security has also issued a statement advising that "all SOHO router owners power cycle 
> (reboot) their devices to temporarily disrupt the malware."
>
> As noted in the statements, rebooting serves the objectives of (1) temporarily preventing infected devices from 
> running the stages that collect data and other advanced attacks and (2) helping FBI officials to track who was 
> infected. Friday’s statement said the FBI is working with the non-profit Shadow Foundation to disseminate the IP 
> addresses of infected devices to ISPs and foreign authorities to notify end users.
>
> Authorities and researchers still don’t know for certain how compromised devices are initially infected. They suspect 
> the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That 
> uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only 
> users of the 14 models known to be affected by VPNFilter, which are:
>
> [snip]
>
> Dewayne-Net RSS Feed: http://dewaynenet.wordpress.com/feed/
> Twitter: https://twitter.com/wa8dzp



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-a538de84&post_id=20180527101918:EF21315A-61B8-11E8-A0B8-8D9F19185AC0
Powered by Listbox: http://www.listbox.com