Have you tried turning it off and on again?
The FBI sent out an urgent bulletin advising anyone with a home or small office internet router to immediately turn it off and then turn it on again as a way to help stop the spread of a malware outbreak with origins in Russia.
The warning was sent just before the Memorial Day holiday weekend in the United States — when fewer of us are paying attention. So here it is again.
Here’s the FBI internet crime bulletin in full:
FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE
SUMMARY
The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.TECHNICAL DETAILS
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.THREAT
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.DEFENSE
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.
From analysis of the FBI bulletin at NBC News:
“More than half a million routers have been identified already as being compromised, so I think there are a significant number of devices that have been affected and it is difficult to estimate how many devices could be affected in the coming days or week,” Shuman Ghosemajumder, chief technology officer at Shape Security told NBC News.
The 500,000 affected devices Ghosemajumder mentioned come from an analysis performed by Talos, the security arm of Cisco. The company also found the attack present in at least 54 countries.
Devices manufactured by Linksys, MikroTik, Netgear and TP-Link were among those found to have been affected, according to the Talos report. While the initial point of infection is unknown for VPNFilter, it has been quietly spreading since at least 2016, according to researchers.
Many of the infected devices have known public exploits and use default credentials, meaning that if someone were to set up their home router out of the box and they never changed the password or updated the firmware, they could be at a higher risk.
“If you have an older router, the odds are greater it may have shipped with a standard password which is the same across all types of the device. Change the router password, make sure the firmware is update and in some cases, even replace the router,” Ghosemajumder said.