Technopanic 2018: the bad guys control your router

Hundreds of thousands of routers – maybe yours! – are infected by malware linked to the Russian government. The bad guys behind the malware attack, Sofacy Group, are believed to be directed by Russia’s military intelligence agency. It’s the same group that hacked the Democratic National Committee before the 2016 election.

The FBI and the Department of Homeland Security have asked all owners of small business and home office routers to reboot their routers, which disrupts the malware. Each agency issued statements about the likelihood of the end of civilization as we know it, then possibly undercut their message the teensiest bit by releasing the statements on Friday afternoon before a holiday weekend. Seriously, that’s just odd. The FBI has been working on this for eight months. It has identified a Russian cyberthreat that can spy on web traffic and disable Internet access for hundreds of thousands of businesses. And it decides to tell us about it on the day before the Memorial Day weekend? That’s a traditional time for companies and politicians to bury embarrassing news. Who thought that was a good time for this announcement?

Every six months or so, there is a new reason for techno-panic. In January, it was the Meltdown and Spectre processor flaws; a year ago we were terrified by stories of the WannaCry ransomware attack. Make no mistake: these are all serious security problems! We live in a fragile, scary world, and the bad guys are constantly searching for ways to hurt us through our interconnected devices.

All too often, though, techno-panic stories that spill over into the mainstream press – like this week’s router malware story – are reported without a crucial bit of nuance, which is that they very likely do not apply to you personally. “You” being my loyal small business owners and individuals living in the United States. If there are loyal Bruceb News readers in the Ukraine, well, you’re in a different position and you should probably be building shelters and stockpiling food. Although if you live in the Ukraine, router malware might not be your biggest problem.

I’ll give you some answers to the two questions that are in the minds of non-technical people: Should you worry? What could the bad guys do with this malware?

 


 

Wait, what? The Russians are in my router?


Don’t panic.

The FBI urgently wants you to reboot your router. Sure, why not? Unplug it, wait a few seconds, then plug it in and wait 1-2 minutes for it to restart. For interesting reasons (see below), that likely protects you even if your router has been compromised.

But it’s worth mentioning that there are a few reasons to relax.

•  The malware, known as “VPNFilter,” so far is only known to affect a few devices – a handful of routers from Linksys, Netgear, and TP-Link, plus a network storage device from QNAP. There is a complete list at the end of this article. It’s possible that the malware will be found in other devices but researchers have been looking for months and have not found any others yet. If you don’t have one of those specific devices, this doesn’t affect you.

•  A few days ago the FBI seized a key domain that the bad guys required to control the hacked routers. As a result, the FBI is confident that the malware cannot be reactivated after an infected router is rebooted. If you have one of the devices on the list and you reboot it, there might still be a portion of the malware on the device but it cannot be accessed by the bad guys or used to do anything awful.

•  Although this malware has been spotted by researchers in 54 countries around the world, the large-scale attacks observed recently have been directed exclusively at the Ukraine.

Many small businesses and individuals use routers supplied by their ISP – Comcast, AT&T, et al. Those aren’t the ones affected by this malware. It’s up to the ISP to provide updates and to set up secure passwords.

If you have your own router, though, then take an extra second to stare at it.

Check the manufacturer and model number against the FBI list at the end of this article. If you have one of the affected models, rebooting it will protect you but there are additional steps to increase security, outlined in this article – reset the router to its factory-default settings, change the default password, install firmware updates, and set up wi-fi security. If you have a Netgear router on the list, Netgear advises also turning off remote management, according to Symantec. (Non-tech users should proceed with caution, especially with resetting the router.)

Even if you don’t have one of the affected devices, though, you may still have some work to do if your router is more than three years old, or if you haven’t updated it for a while, or if there’s any possibility that it is still set to the default password set by the manufacturer. Here’s an article about the importance of replacing old routers, updating the firmware regularly, and especially changing the default password.

The bad guys are out there. Security matters. If you’re not sure, ask your friendly IT support person to help you stay safe.

 


Is there anything interesting to know about this malware?

There are a few interesting details about what the malware does, and how it does it.

Cisco’s paper outlines many of the technical details about the malware. They published before their research was complete because they could see evidence of large-scale attacks in the Ukraine in the last three weeks. They still don’t know how the malware is installed on the routers, but all of the affected models had “well-known, public vulnerabilities.” (Two of the Netgear routers, the R7000 and R8000, had already been the subject of a CERT advisory in 2016 urging everyone to stop using them.) The researchers don’t believe the bad guys were using any unknown zero-day vulnerabilities.

The malware installs a controller on the router that by itself is not set up to do anything destructive. That controller then reaches out to online servers and downloads additional components that collect data and run advanced attacks. Those additional components can collect login credentials and report on your web browsing to the bad guys. The researchers also found that the malware could respond to a command that would permanently disable the router, killing Internet access for all the devices worldwide or just for a focused region – like, say, the Ukraine.

Once installed on the router, the controller first checks for specific images hosted on Photobucket.com. The images included IP addresses hidden in the metadata, telling the malware where to locate the servers with the rest of the malware. My favorite detail: the images were hosted in Photobucket libraries with names like photobucket[.]com/user/katyperry45/library, photobucket[.]com/user/jeniferaniston1/library, and photobucket[.]com/user/amandaseyfried1/library.

If the malware can’t find the images (and they have now been removed from Photobucket), the malware has an emergency fallback: it looks for instructions at the web address ToKnowAll[.]com. On Wednesday May 23, a federal judge issued an order authorizing the FBI to take over the domain name.
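For anyone who keeps DNS or proxy logs, the two lookups described above are easy to search for. The following is an added example, not code from Cisco, the FBI, or this site: it scans log lines for the Photobucket libraries and the fallback domain named in this article and lists which internal addresses asked for them. The log format (`timestamp client value`), the function names, and the sample lines are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators exactly as printed in the article (defanged form).
PAGE_INDICATORS = [
    "photobucket[.]com/user/katyperry45/library",
    "photobucket[.]com/user/jeniferaniston1/library",
    "photobucket[.]com/user/amandaseyfried1/library",
    "ToKnowAll[.]com",
]

def normalise(value):
    """Refang a name or URL and return (lowercase host, lowercase path)."""
    value = value.strip().replace("[.]", ".")
    try:  # prefix "//" so urlsplit sees a host, not a path
        parts = urlsplit(value if "://" in value else "//" + value)
    except ValueError:  # malformed host in a log line
        return "", ""
    return (parts.hostname or "").rstrip("."), parts.path.rstrip("/").lower()

INDICATORS = [normalise(i) for i in PAGE_INDICATORS]

def matches(value):
    """True for the fallback domain (any path) or one of the listed libraries."""
    host, path = normalise(value)
    for ioc_host, ioc_path in INDICATORS:
        same_site = host == ioc_host or host.endswith("." + ioc_host)
        path_ok = not ioc_path or path == ioc_path or path.startswith(ioc_path + "/")
        if same_site and path_ok:
            return True
    return False

def flag_clients(log_lines):
    """Map client IP -> matching values, for lines 'timestamp client value'."""
    hits = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) == 3 and matches(fields[2]):  # skip malformed lines
            hits[fields[1]].append(fields[2])
    return dict(hits)

# Constructed sample log, not real traffic (assumed format: timestamp client value).
SAMPLE_LOG = [
    "2018-05-24T10:00:01Z 192.168.1.1 photobucket.com/user/katyperry45/library",
    "2018-05-24T10:00:05Z 192.168.1.1 TOKNOWALL.COM.",
    "2018-05-24T10:01:00Z 192.168.1.23 photobucket.com",
    "2018-05-24T10:02:00Z 192.168.1.23 nottoknowall.com",
    "2018-05-24T10:03:00Z 192.168.1.40 toknowall.com.example.net",
]
```

Running `flag_clients(SAMPLE_LOG)` flags only 192.168.1.1; an ordinary visit to photobucket.com and the two look-alike names are ignored.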

The New York Times reports: “Now that the domain is under F.B.I. control, any attempts by the malware to reinfect a compromised router will be bounced to an F.B.I. server that can record the I.P. address of the affected device.” That seems a bit odd but the FBI promises it will only use that knowledge for noble and good reasons. The Daily Beast provides a few more details:

“According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.

“ ‘One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs,’ said Thakur. ‘Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.’

“The court order only lets the FBI monitor metadata like the victim’s IP address, not content. As a technical matter, Thakur said there’s no danger of the malware sending the FBI a victim’s browser history or other sensitive data. ‘The threat capability is purely to ask for additional payloads,’ he said. ‘There is no data that is leaked from these routers to the domain that is now controlled by an agency.’ ”

So the FBI is collecting hundreds of thousands of IP addresses of compromised routers – but it’s doing it to help us. Nothing to worry about there. Whew!

Be careful out there!

 


Devices known to be vulnerable to the VPNFilter malware

LINKSYS DEVICES:

E1200
E2500
WRVS4400N

MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:

1016
1036
1072

NETGEAR DEVICES:

DGN2200
R6400
R7000
R8000
WNR1000
WNR2000

QNAP DEVICES:

TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN
