The FBI has seized control of a massive botnet believed to have been controlled by hackers working for the Kremlin. The malware, known as VPNFilter, was discovered by researchers at Cisco Talos. VPNFilter permits hackers to hijack routers, turning them into a malicious VPN network that the hackers use to mask their true IP addresses during secondary attacks.
According to a report released yesterday, the payload has been in the wild since at least 2016. In that time, it is believed to have infected around 500,000 machines across 54 countries. According to Talos, the sophistication of the modular malware system likely means it was a state-sponsored attack.
FBI agents have claimed that the threat actor is likely to have been Sofacy - a hacking collective controlled by the Kremlin that has been known under a multitude of names over the past five years (APT28, Sednit, Fancy Bears, Pawn Storm, Grizzly Steppe, STRONTIUM, and Tsar Team). From the affidavit:
"The Sofacy group is a cyber-espionage group believed to have originated from Russia. Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value."
As with other router-based exploits, VPNFilter employs a multi-stage attack. Once in place on a victim's router, it communicates with a Command and Control (CnC) server in order to download additional payloads.
Stage two of the exploit permits the hackers to intercept traffic, steal data, collect files, and execute commands. It is also possible that additional payloads were delivered to infect network devices attached to the router. As Talos notes, however:
“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package.”
FBI takeover
After monitoring the situation for months, security researchers working with the FBI were able to pinpoint the domain name being used by the hackers. According to the affidavit filed yesterday, agents had been on the case since August, when a Pittsburgh resident voluntarily gave them access to an infected router.
After news of the infection was made public, the FBI acted quickly to gain a warrant from a Pennsylvania judge to seize control of the toKnowAll.com domain.
Now that the CnC domain is under FBI control, consumers around the world with at-risk routers are being asked to reboot their devices. On restart, the malware attempts to phone home to the seized domain, which will give the feds a clear picture of exactly how many devices around the world were affected.
The FBI said it intends to compile a list of all infected IP addresses in order to contact ISPs and private and public sector partners to clean up after the global infection, before a new malicious CnC server can be set up to reestablish the botnet.
Do you trust the FBI?
While for most people the news might seem like a success story for the good guys, as digital privacy advocates we find it hard not to hear alarm bells ringing. The team at ProPrivacy.com feels a little uneasy about the FBI's acquisition of this powerful botnet. While the FBI could use the data gathered to inform infected parties and fix the situation, what's to stop it from using the botnet to deploy payloads of its own?
According to Vikram Thakur, technical director at Symantec:
"The court order only lets the FBI monitor metadata like the victim's IP address, not content." Thakur reckons that "there's no danger of the malware sending the FBI a victim's browser history or other sensitive data".
Given that the special agent's affidavit requested that the whole thing should be 'kept under seal' for 30 days to aid the investigation, one can't help but wonder whether the FBI's recent rhetoric really matches its agenda.
Factory reset or a new router?
For this reason, if you truly value privacy (or perhaps you actually prefer the idea of sending your data to hackers in the Kremlin rather than the feds), we would recommend doing a bit more than just switching your router off and on. Symantec has advised:
"Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices, this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset."
However, the only way to be absolutely certain that your router hasn't been compromised by the US government may be to go out and buy a new one.
Here is a list of all known affected routers and QNAP network-attached storage (NAS) devices:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
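Two things a network defender would want to check after reading the FBI's reboot request and the affected-model list above: which devices on the LAN have tried to resolve the seized CnC domain, and which inventory entries match the models Talos lists. The script below is an added example for this article, not code from Talos, Symantec or the FBI. The DNS log lines and the device inventory are constructed samples in a dnsmasq-style "query[type] name from ip" format; the domain toKnowAll.com and the model list come from the article, and the matching rule (lowercasing and dropping punctuation so "TS-251" matches "TS251", plus flagging any QNAP model because the article says other QTS devices are affected) is an assumption of the example.

```python
"""Added example: flag devices that queried the seized VPNFilter CnC domain and
cross-check a device inventory against the affected models listed in the article."""
import re

# Seized CnC domain named in the article (compared case-insensitively).
SEIZED_C2_DOMAIN = "toknowall.com"

# Affected models as listed in the article. The MikroTik entries are the
# Cloud Core Router version numbers the article gives (assumed model naming).
AFFECTED_MODELS = [
    "Linksys E1200", "Linksys E2500", "Linksys WRVS4400N",
    "Mikrotik Cloud Core Router 1016", "Mikrotik Cloud Core Router 1036",
    "Mikrotik Cloud Core Router 1072",
    "Netgear DGN2200", "Netgear R6400", "Netgear R7000", "Netgear R8000",
    "Netgear WNR1000", "Netgear WNR2000",
    "QNAP TS251", "QNAP TS439 Pro",
    "TP-Link R600VPN",
]

# Vendors the article flags beyond specific models ("other QNAP NAS devices running QTS").
BROADLY_AFFECTED_VENDORS = ["qnap"]

# Constructed sample resolver log (dnsmasq-like format); not real captured data.
SAMPLE_DNS_LOG = """\
May 24 10:01:02 dnsmasq[123]: query[A] toknowall.com from 192.168.1.1
May 24 10:01:03 dnsmasq[123]: query[A] www.example.org from 192.168.1.50
May 24 10:02:10 dnsmasq[123]: query[AAAA] ToKnowAll.com. from 192.168.1.1
May 24 10:03:00 dnsmasq[123]: query[A] nottoknowall.com from 192.168.1.77
May 24 10:03:30 dnsmasq[123]: query[A] toknowall.com.example.net from 192.168.1.77
"""

# Constructed sample inventory: (device IP, vendor and model string as recorded).
SAMPLE_INVENTORY = [
    ("192.168.1.1", "Netgear R7000"),
    ("192.168.1.2", "TP-LINK TL-WR841N"),
    ("192.168.1.3", "QNAP TS-251"),
    ("192.168.1.4", "QNAP TS-453A"),
]

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def _norm(text: str) -> str:
    """Normalise a model string: lowercase, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


_AFFECTED_NORM = {_norm(m) for m in AFFECTED_MODELS}


def find_c2_lookups(log_text: str, domain: str = SEIZED_C2_DOMAIN):
    """Return (source_ip, queried_name) for every query of `domain` or a subdomain.

    The trailing dot and letter case are ignored; look-alike names such as
    'nottoknowall.com' or 'toknowall.com.example.net' are deliberately not matched.
    """
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            hits.append((m.group("src"), name))
    return hits


def is_affected_model(model: str) -> bool:
    """True if the model is on the article's list, or is from a broadly affected vendor."""
    n = _norm(model)
    if n in _AFFECTED_NORM:
        return True
    return any(n.startswith(v) for v in BROADLY_AFFECTED_VENDORS)


def triage(inventory, log_text: str):
    """Map each device IP to the reasons it deserves attention (empty dict if none)."""
    lookups = {src for src, _ in find_c2_lookups(log_text)}
    report = {}
    for ip, model in inventory:
        reasons = []
        if is_affected_model(model):
            reasons.append("affected-model")
        if ip in lookups:
            reasons.append("c2-lookup")
        if reasons:
            report[ip] = reasons
    return report


if __name__ == "__main__":
    for ip, reasons in sorted(triage(SAMPLE_INVENTORY, SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {', '.join(reasons)}")
```

A device that shows up with "c2-lookup" has stage 1 on it and is trying to phone home; one that shows up only with "affected-model" is a candidate for the hard reset Symantec describes, after backing up its configuration. Note that the lookup check only tells you about queries that passed through a resolver you log, so a router using its own upstream DNS will not appear there.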
Opinions are the writer's own.
Title image credit: Official VPNFilter image from Talos
Image credits: Dzelat/Shutterstock.com, WEB-DESIGN/Shutterstock.com