A hacking group has infected hundreds of thousands of routers with VPNFilter malware. More than half a million devices are believed to have been infected so far, prompting the FBI to issue a warning to all consumers and businesses to power cycle their routers.
Power cycling the router will not necessarily eradicate the malware: a reboot clears the later, non-persistent stages, but the first stage survives in the device's storage and can re-download them. Even so, rebooting temporarily disrupts the malware's communications and will help to identify infected devices, according to a May 25 public service announcement issued by the FBI.
All users have been advised to change the password on their router, install firmware updates if they are available, and disable the router’s remote management feature.
According to the U.S. Department of Justice, the malware campaign is being conducted by the Sofacy Group, also known as Fancy Bear and APT28. The hacking group has ties to the Russian government with some believing the hacking group is directed by Russia’s military intelligence agency.
While most of the infected routers and NAS devices are located in Ukraine, devices in more than 50 countries are known to have been infected with the malware. VPNFilter is modular: its components can intercept traffic passing through the router, block network traffic and cut off Internet access, and overwrite part of the device's firmware to render it unusable. Infected routers could also be marshalled to bring down specific web servers in a DDoS attack.
Many common router models are affected, including Linksys routers (E1200, E2500, WRVS4400N), Netgear routers (DGN2200, R6400, R7000, R8000, WNR1000, WNR2000), Mikrotik RouterOS for Cloud Core Routers (versions 1016, 1036 and 1072), TP-Link (TL-R600VPN), and QNAP NAS devices (TS251, TS439 Pro and other QNAP NAS devices running QTS software).
The motive behind the infections is not known, and neither is the method being used to install the malware. Exploitation of known vulnerabilities in older devices, brute-force attacks on default or weak credentials, and even supply chain attacks have not been ruled out.
The FBI has taken steps to disrupt the malware campaign, having obtained a court order to seize control of a domain that was being used to communicate with the malware. While communications have now been disrupted, if a router has been compromised the malware will remain until it is removed by the router owners.
How to Update Your Router
While each router will be slightly different, the administration interface is reached by entering the router's LAN address into a browser, most often 192.168.1.1 or 192.168.0.1, which is the address your computer reports as its default gateway (ipconfig on Windows, ip route on Linux), and then logging in with the admin account name and password. For many users these will still be the default credentials printed on the device or in its manual, unless they were changed during set up.
In the administration settings it will be possible to change the password and disable remote management, if it is not already disabled. There should also be an option to check the firmware version of the router. If an update is available it should be applied.
You should then either manually power cycle the router – turn it off and unplug it for 20 seconds – or ideally use the reboot settings via the administration panel.
DrayTek Discovers Actively Exploited Zero Day Vulnerability
The Taiwanese broadband equipment manufacturer DrayTek has discovered some of its devices are at risk due to a zero-day vulnerability that is being actively exploited in the wild. More than 800,000 households and businesses are believed to be vulnerable although it is unknown how many of those devices have been attacked to date.
The affected devices are Vigor models 2120, 2133, 2760D, 2762, 2832, 2860, 2862, 2862B, 2912, 2925, 2926, 2952, 3200, 3220, BX2000, 2830nv2, 2830, 2850 and 2920.
The vulnerability allows the routers to be compromised via a Cross-Site Request Forgery attack, one where a victim's browser is tricked into sending a request to a web application in which the user is currently authenticated; because the browser attaches the user's session cookie automatically, the application treats the forged request as the user's own. The attackers are using this to change configuration settings, namely the router's DNS settings. With the router handing out attacker-controlled resolvers, they can redirect users from legitimate sites to fake sites where credentials are stolen and mount man-in-the-middle attacks on other traffic.
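To make the mechanism concrete, here is an added illustration (not DrayTek's code and not a reproduction of the real flaw): a toy router admin endpoint that changes DNS settings, first in a CSRF-vulnerable form that trusts the session cookie alone, then hardened with an Origin check and a per-session anti-CSRF token. The sessions, requests, the 192.168.1.1 management address and the resolver addresses (documentation/TEST-NET ranges) are all constructed for the example.

```python
# Added illustration, not DrayTek's code: a toy router admin endpoint
# that changes DNS settings, first in a CSRF-vulnerable form and then
# hardened. Requests, sessions and the router address are constructed
# in-line; 192.168.1.1 is an assumed LAN management address.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.1"          # assumed management address
SESSIONS = {}                        # session id -> {"user", "csrf"}


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Router:
    dns: list


def login(user):
    """Create a session and a per-session anti-CSRF token."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


def logout(sid):
    SESSIONS.pop(sid, None)


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def change_dns_vulnerable(router, req):
    """Trusts the session cookie alone. A browser attaches that cookie
    to any request aimed at the router, including a form auto-submitted
    by a page on another site, so the attacker needs no credentials."""
    if req.method != "POST" or _session(req) is None:
        return 403
    router.dns = [req.form["dns1"], req.form["dns2"]]
    return 200


def change_dns_hardened(router, req):
    """Same endpoint with two independent checks a cross-site request
    cannot satisfy."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 403
    # 1. The request must originate from the router's own UI. A form
    #    submitted from attacker.example carries that site's Origin.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if urlsplit(origin).netloc != ROUTER_HOST:
        return 403
    # 2. The form must carry the session's anti-CSRF token. Another
    #    site cannot read the router's pages, so it cannot obtain it.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    router.dns = [req.form["dns1"], req.form["dns2"]]
    return 200


def forged_request(sid):
    """Constructed attack traffic: the victim's browser, logged in to the
    router, loads attacker.example, which auto-submits a POST that points
    the router at attacker resolvers (TEST-NET addresses used here)."""
    return Request("POST", {"session": sid},
                   {"dns1": "203.0.113.53", "dns2": "203.0.113.54"},
                   {"Origin": "http://attacker.example"})


def legit_request(sid, token):
    """The same change made from the router's own admin page."""
    return Request("POST", {"session": sid},
                   {"dns1": "198.51.100.1", "dns2": "198.51.100.2",
                    "csrf_token": token},
                   {"Origin": "http://" + ROUTER_HOST})


GOOD_DNS = ["192.0.2.1", "192.0.2.2"]   # constructed "ISP" resolvers


def demo():
    """Run the four cases; returns {case: (status, resulting DNS list)}."""
    out = {}
    sid, token = login("admin")
    r = Router(list(GOOD_DNS))
    out["vuln_forged"] = (change_dns_vulnerable(r, forged_request(sid)), list(r.dns))
    r = Router(list(GOOD_DNS))
    out["hard_forged"] = (change_dns_hardened(r, forged_request(sid)), list(r.dns))
    out["hard_legit"] = (change_dns_hardened(r, legit_request(sid, token)), list(r.dns))
    logout(sid)                      # an explicit logout invalidates the cookie
    r = Router(list(GOOD_DNS))
    out["vuln_after_logout"] = (change_dns_vulnerable(r, forged_request(sid)), list(r.dns))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last case is why the advice to log out rather than just close the tab matters: once the session is invalidated server-side, even the unfixed endpoint rejects the forged request, because the cookie it rides on no longer maps to a session.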
A firmware update has now been released to correct the vulnerability. All users of vulnerable DrayTek devices are being encouraged to check their DNS settings to make sure they have not been altered, ensure no additional users have been added to the device configuration, and apply the update as soon as possible.
When accessing the router, ensure no other browser windows or tabs are open; the only tab that should be open is the one used to access the router. A CSRF attack needs a page from another site to be loaded while you are authenticated to the router, so keeping other pages closed removes the opportunity. Log in, update the firmware and then log out of the router rather than just closing the window, as closing the window does not end the session. Also ensure that you set a strong password and disable remote access if it is not already disabled.
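Because the three checks above (DNS servers, admin accounts, firmware level) are easy to skip on a long list of devices, here is an added example, not DrayTek's code, that audits a router configuration export against a known-good baseline. The key=value export format, the sample dumps, the allowlisted resolvers and the firmware version string are all constructed for the illustration; a real export would need a parser for the vendor's own format.

```python
# Added example, not DrayTek's code: audit a router configuration
# export against a known-good baseline for the signs the advisory asks
# users to look for. The key=value export format, the sample dumps and
# the baseline values are all constructed for this illustration.
import ipaddress

# Constructed dump of a router whose DNS settings were tampered with
TAMPERED_CONFIG = """\
# router config export (hypothetical format)
dns.primary=203.0.113.53
dns.secondary=203.0.113.54
admin.users=admin,support,svc_backup
mgmt.remote_access=enabled
firmware.version=3.8.4
"""

# Constructed dump of the same router after it has been cleaned up
CLEAN_CONFIG = """\
dns.primary=192.0.2.1
dns.secondary=192.0.2.2
admin.users=admin
mgmt.remote_access=disabled
firmware.version=3.8.8
"""

# Known-good state (assumed: ISP resolvers plus two public ones, a single
# admin account, and an assumed version string for the fixed firmware)
BASELINE = {
    "dns_allowlist": {"192.0.2.1", "192.0.2.2", "1.1.1.1", "8.8.8.8"},
    "admin_users": {"admin"},
    "firmware_version": "3.8.8",
}


def parse_config(text):
    """key=value lines -> dict; blank lines and # comments ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg, baseline):
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    for key in ("dns.primary", "dns.secondary"):
        server = cfg.get(key)
        if server is None:
            continue
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"{key}: unparsable resolver {server!r}")
            continue
        if str(ip) not in baseline["dns_allowlist"]:
            findings.append(f"{key}: {ip} is not an approved resolver")
    users = {u for u in cfg.get("admin.users", "").split(",") if u}
    extra = users - baseline["admin_users"]
    if extra:
        findings.append("unexpected admin accounts: " + ", ".join(sorted(extra)))
    if cfg.get("mgmt.remote_access", "disabled") != "disabled":
        findings.append("remote management is enabled")
    fw = cfg.get("firmware.version")
    if fw != baseline["firmware_version"]:
        findings.append(f"firmware {fw} is not the expected release {baseline['firmware_version']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(TAMPERED_CONFIG), BASELINE):
        print("FINDING:", finding)
```

Run against the tampered dump it reports both resolvers, the two extra accounts, the enabled remote management and the old firmware; against the cleaned-up dump it reports nothing. The allowlist approach matters more than any blocklist here: an attacker's resolver will not be on any list you already have, so only unexpected values can be flagged.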
Many small businesses purchase a router and forget about it unless something goes wrong and Internet access stops. Firmware updates are never installed, and little thought is given to upgrading to a new model. However, older models of router can be vulnerable to attack. These attacks highlight the need to keep abreast of firmware updates issued by your router manufacturer and apply them promptly.