FBI Asked Us to Reboot Our Routers – That Didn’t Help… [Growing List of Routers Known to Be Affected]
The Federal Bureau of Investigation released a public service announcement at the end of last month, asking everyone to restart their routers. This was followed by calls from cybersecurity experts and private sector companies to reset routers. These calls were made to help researchers - and the FBI - to potentially disrupt the botnet created by the VPNFilter malware.
It now appears things weren't as easy as they looked.
Cisco's Talos security team has now released a fresh report suggesting that the malware is way more powerful than originally believed. Not only is VPNFilter much more powerful but it's also affecting more devices than the 500,000 routers the FBI had said were infected. Cisco says that the malware runs on a much broader base of models.
"We have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints," Talos reported. "First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list."
These new vendors include:
- New devices from initially reported vendors: Linksys, MikroTik, Netgear, and TP-Link
Advanced features added to VPNFilter, which has been targeting new devices even after FBI's seizure of C&C servers
When Cisco had posted its initial report, it had said that the investigation is ongoing. It appears the company isn't happy with FBI going public about steps that could be considered as a way to remove the malware. While rebooting does remove the later stages of the malware, the initial backdoor couldn't be removed unless the device goes through a reset - as far as the current information goes. The agency itself had said that the reboot was being requested to "temporarily disrupt [VPNFilter] and aid the potential identification of infected devices."
FBI had said that the agency had seized a key command and control server and rebooting was helping it identify infected routers. However, the botnet is still active and going strong since Stage 1 itself is quite sophisticated.
While Stages 2 and 3 have to be reinstalled after every reboot, Stage 1 that acts as a backdoor persists on an infected router. Stage 1 then has to locate servers to get Stages 2 and 3 payloads after a device has been restarted. When the FBI seized those servers where these payloads were being hosted, it believed that it would be the end of this botnet. However, VPNFilter can still put the initial stage into a listening mode to use specific packets that can manually install Stages 2 and 3.
Cisco reports that new features have been added to the router malware that enable criminals to modify content while in transit and launch man-in-the-middle attacks. "Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Williams said. "But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device."
"They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”
As reported earlier, restarting the router kills the Stages 2 and 3 (advanced features like man-in-the-middle attacks on incoming Web traffic to modify content and steal sensitive data) of VPNFilter, but Stage 1 still persists. Researchers are still unaware how are attackers initially infecting routers with Stage 1.
While FBI's announcement did help raise awareness, since the investigation is still going on, it will take even more work to get those whose devices are now being mentioned to pay attention. Additionally, FBI's focus on reboot may have been an easy solution but resetting or reinstalling the updated firmware on your router is what actually (hopefully) kills the malware.
"I'm concerned that the FBI gave people a false sense of security," Talos senior technology leader Craig Williams told Ars Technica. "VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network."
Known devices affected by VPNFilter (list continues to grow)
RB Groove (new)
RB Omnitik (new)
Other QNAP NAS devices running QTS software
PBE M5 (new)
Unknown Models* (new)
ZXHN H108N (new)
* Malware targeting Upvel as a vendor has been discovered, but we are unable to determine which specific device it is targeting.