FBI Warns Of Russian Computer Hackers, Recommends Router Reboots

Submitted by Dan Faraldo in Industry News

On behalf of the entire MeloTel team, we’d like to forward along a public service announcement that was released by the United States Federal Bureau of Investigation last Friday. It involves a critical security notice that is related to the vulnerabilities in many residential and small business routers deployed all over the world.

FBI recommends reboot to stop Russian malware.

According to the FBI, Russian computer hackers have compromised hundreds of thousands of devices around the world. To disrupt the spread of this Russian malware, the bureau is advising owners of home and small office routers everywhere to reboot them.

“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices,” reads the public service announcement. “Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”

As reported by Jessica Vomiero of Global News, computer hackers have used “VPNFilter” malware to target at least a half million small-office and home-office routers in 54 different countries. It can perform a variety of functions including collecting information, blocking network traffic as well as exploiting devices in other ways.

The warning should not be taken lightly.

As the FBI warns, “VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.”

Here are the answers to a couple of Frequently Asked Questions surrounding this issue:

What does VPNFilter do to an infected device?

VPNFilter is a multi-staged piece of malware. Stage 1 is installed first; its job is to maintain a persistent presence on the infected device (it survives a reboot) and to contact a command and control (C&C) server to download the later stages.

Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.

There are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.

What should you do if your device is affected?

Reboot your device immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 modules present on the device, which at least temporarily removes the destructive component of VPNFilter. However, Stage 1 persists across the reboot, so the attackers can reinstall Stages 2 and 3. After rebooting, apply the latest available firmware to affected devices, disable remote management if it is not needed, and ensure that none of your devices still use default credentials.

For more information about what to do if your computer is hacked, please don’t hesitate to contact MeloTel at 1-888-MELOTEL or use the Live Chat feature on our website!