Are you a victim of this ongoing global attack?


We are just coming off a long holiday weekend in the United States, which means that many Americans haven't heard the latest alert from US-CERT and other entities regarding the ongoing VPNFilter malware attack on small and home office routers. Here's Fleming Shi discussing the attack with Scott Budman of NBC Bay Area:

The FBI announced last week that users around the world should reboot their routers and network storage devices to disrupt the botnet built by this malware. The agency states that the botnet is under the control of the Sofacy Group and that the malware operates in several stages. The first stage persists through a reboot; the second stage contains the payload and can even brick the device if instructed. The final stage includes packet sniffers and other tools to monitor traffic and capture credentials, and it allows the second-stage malware to communicate over Tor.

Brian Krebs has an excellent post on what devices are affected and how the malware works on his security blog here. He also has some information on how other technologies such as WPS can play into the vulnerabilities of these routers. If you are responsible for securing networked electronics, this is a must-read.

The best action to take is to power down your SOHO routers immediately to interrupt the payload. Wait for about a minute and then power back up. Because the first stage survives a reboot, also apply the latest patches if available and then make sure that none of your devices are using default credentials. Additionally, Netgear advises customers to turn off remote management on the router, and Linksys recommends factory resets on all infected routers.

The FBI has also seized part of the malware command-and-control infrastructure and is working with domestic and international partners to identify and expose the actors behind VPNFilter.

If you'd like to connect with Fleming Shi, SVP of Technology at Barracuda, you can find him on LinkedIn here.

If you need help restarting your router, or you are concerned about a possible infection that you cannot clear, contact the tech support team for your device. You may also be able to download a PDF of the user manual by searching the manufacturer's website for the device model.
