The FBI has asked everyone who owns a home or small office router to reboot it to disrupt a worldwide malware campaign. The malware, known as "VPNFilter", is believed to be connected to the Russian military and has infected approximately 500,000 network devices worldwide. It is extremely modular and flexible, allowing the attacker to use an infected device in any number of ways, including attacking other targets, stealing website credentials, or rendering the device completely unusable. The FBI hasn't released figures on how many US devices are compromised but has said it is a significant number. Devices known to be affected are home and small office routers made by TP-Link, MikroTik, Netgear, and Linksys, as well as QNAP NAS devices.
What You Should Know
The FBI has been able to disrupt the attack and has determined that you can eliminate its biggest threat simply by rebooting your router. Here are some details on how this malware works and what you should do to fully protect yourself. VPNFilter is a multi-stage attack. Stage 1 installs code whose only job is to locate a server that hosts the more dangerous stage 2 code. Rebooting your device does not remove stage 1; it survives a reboot and keeps looking for that stage 2 server. If it finds the server, it downloads and runs the stage 2 code, which can collect data and execute instructions. Once stage 2 is running, the attacker can move on to stage 3, installing a variety of plugins depending on what they want your router to do. Happily, the stage 2 and stage 3 code does not survive a reboot. And the mechanism that stage 1 uses to find the stage 2 server appears to have been thwarted: the FBI seized the domain name used to reach the stage 2 server, so when stage 1 now tries to contact it, the request goes to the FBI, not to the attackers. The court order that allowed the seizure only permits the FBI to collect the IP addresses of the infected devices, no other sensitive data. It does not give the FBI control over any stage 2 or stage 3 code; it just lets them see which IP addresses are asking for it. The FBI uses this information to work with ISPs to clean up the infections. The important caveat is that a reboot only buys time: as long as stage 1 remains on the device, it will reinstall stage 2 if the attackers find another way to reach it.
What You Should Do
To disable the most malicious aspects of this attack, take a few moments and reboot your home and small office network routers. To make sure your device isn't still carrying stage 1, reset it to factory defaults, install the latest firmware from the manufacturer, change the administrator password from the default to a strong one, and turn off remote management if you don't need it. Do these steps in that order: a factory reset wipes the malware, the firmware update closes the hole it came in through, and the new password and disabled remote management keep it from coming back. If your ISP manages your router, you may need to work with them to determine whether your device is vulnerable and how to clean the infection.
Problems like this are one of the best reasons to have a managed service provider as part of your business's IT management and maintenance. Fuse Networks keeps a close eye on the latest in network security, including new threats to your business's data and patches that need to be applied. We'll do whatever it takes to keep your business's technology as secure and up to date as possible.
Your business won’t have to worry about any aspect of IT maintenance, and we can even help your internal team with implementation projects or technology support aspects of running your organization. To learn more, reach out to us at 855-GET-FUSE (438-3873).