The FBI has reminded the world it wants us to reboot our routers to try and help it identify VPNFilter-affected routers.
It first asked for reboots last Wednesday, May 23, in the Department of Justice VPNFilter media release, but on Friday added a stand-alone public service announcement emphasising its "IT Crowd" strategy.
FBI agents take aim at VPNFilter botnet, point finger at Russia, yell 'national security threat'READ MORE
Last week, Cisco Talos researchers announced the malware had infected around 500,000 home and small office routers and NAS devices. The company listed routers from Linksys, MikroTik, Netgear, and TP-Link, and QNAP storage systems, as targets of VPNFilter.
Talos noted that the malware was trying to target machines in the Ukraine, and the FBI attributed the attacks to the group known as “Sofacy” or “Fancy Bear”.
On Thursday, the FBI revealed it had seized a domain associated with the campaign, giving it the chance to drop malware traffic into a sinkhole.
The FBI said it would gather the IP addresses of infected devices, and pass those to the Shadowserver Foundation to disseminate among ISPs and non-US CERTs.
As we noted last Thursday, a reboot only removes part of the infection: the infected device will still try to contact command and control servers.
As at May 25, the date of the public service announcement, the FBI stills said the infection vector was unknown.
Vendor responses to VPNFilter so far include:
- Netgear said users should install the latest firmware for their devices, change the default admin password, and turn off remote management;
- MikroTik said the March 2017 version of its operating system disables the malware, and provided instructions about securing its devices;
- QNAP said suitable firmware has existed since last year, and reminded users to change the default admin password; and
- TP-Link said VPNFilter only affected its TP-R600VPN router, and linked users to firmware and security instructions.