The US Federal Bureau of Investigation released a public service announcement on Friday asking that “any owner of small office and home office routers power cycle (reboot) the devices.” The measure is meant to disrupt a potential cyberattack launched by agents of a foreign government against US citizens.
“Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware,” added the statement.
54 countries affected
The announcement comes after security experts at Cisco's cyberintelligence division Talos released a warning on Wednesday regarding the malicious software they called VPNFilter. Talos estimated the malware has infected about 500,000 consumer routers in 54 countries.
Talos also warned that "components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols" and that the malware had "the potential of cutting off internet access for hundreds of thousands of victims worldwide." The cyberintelligence unit said it would continue to publish findings as its investigation progressed.
Linked to Russian government
Meanwhile, the Justice Department linked VPNFilter to the Russian government-linked cyber espionage group Sofacy, also known as APT28, X-Agent, Pawn Storm or Fancy Bear. This is consistent with Talos' finding that the malware's code closely resembles that of BlackEnergy, the malware responsible for large-scale attacks in Ukraine, and with currently ongoing attacks.
"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country," stated Talos. Ukraine is known for being the target of Russian hackers due to the Russian-backed rebellion currently threatening the country’s eastern provinces.
The Justice Department released on Friday a statement featuring quotes from several officials on the attacks. Assistant Attorney General for National Security John C. Demers said the Department "is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal."
The announcement urged owners of SOHO and NAS devices to reboot them. Although rebooting will not prevent reinfection, it temporarily stops the malware on infected devices from collecting data and carrying out further attacks, and may help FBI officials track the infection.
The statement also said the FBI is working with the non-profit Shadowserver Foundation to "disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers." "As our adversaries’ technical capabilities evolve, the FBI and its partners will continue to rise to the challenge, placing themselves between the adversaries and their intended victims," concluded FBI Special Agent in Charge David J. LeValley.
In the meantime, manufacturers of the targeted routers, Linksys, MikroTik, Netgear, QNAP and TP-Link, have all released instructions for updating their devices' firmware. Talos has also suggested that router owners disable remote management settings.