The Federal Bureau of Investigation has issued a public announcement advising consumers to reboot their home and office routers after discovering a massive malware attack.
The malware, now called "VPNFilter," has reportedly infected at least 500,000 routers from several manufacturers. “VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router,” the FBI said in its public warning (via Forbes).
VPNFilter malware was found in small office and home office routers. After a series of investigation with help from Cisco’s Talos intelligence organization, the bureau determined that the routers infected were manufactured by Linksys, MikroTik, Netgear, and TP-Link. The malware was also found on QNAP cloud storage devices and services.
Security researchers involved in the VPNFilter investigation found that it operates in multiple stages. Of the three known stages of the attack, only stage 1 is believed to be immune to a reboot since it relies on a domain that sends back needed data for stages 2 and 3 everytime an infected router restarts.
Notably, though, the identified web domain ToKnowItAll.com — reportedly operated by Russian hackers Sofacy Group — used for VPNFilter’s stage 1 was seized by the FBI last Wednesday through a court-ordered warrant. So it is now being assumed that the source for stages 2 and 3 has been shut down.
Without the domain repeatedly sending back data for the attack, stages 2 and 3 can be prevented, presumably by performing reboots on affected home and office routers.
On the other hand, there is also a possibility that the attackers have installed other internet domains to deliver sources for stages 2 and 3 of the attack. However, the same Forbes report suggested that rebooting a router temporarily avoids the VPNFilter from causing severe damages.
Talos also said in their report, which was released on the same day that ToKnowItAll.com was seized, that the VPNFilter spread is most likely a state-sponsored attack. While the malware was found on routers across 54 countries, Talos researchers found that the attackers dedicated a command and control facility solely for attacking Ukraine-based targets “at an alarming rate.”