The FBI took action against Russian hackers late Wednesday, obtaining a court order that allows it to seize a domain that is part of the VPNFilter malware’s command-and-control infrastructure. This essentially redirects the malware’s attacks to an FBI-controlled server.
“The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely,” said FBI Special Agent in Charge Bob Johnson in a statement. “These hackers are exploiting vulnerabilities and putting every American’s privacy and network security at risk.”
Cisco’s Talos threat researchers first provided details about the VPNFilter malware yesterday. It infected at least 500,000 routers and storage devices globally, according to a Talos blog post. APT28, a Russian state-sponsored hacking group that is also known as Fancy Bear, hit 54 countries, including the U.S., with the malware.
Fancy Bear is one of the two Russian groups responsible for hacking incidents during the 2016 U.S. presidential campaign.
Affected devices include Linksys, MikroTik, NETGEAR, and TP-Link routers, and QNAP network-attached storage (NAS). Some of these vendors, including NETGEAR, have posted steps customers should take to update firmware and protect against the malware.
How VPNFilter Works
Stage 1 is installed first. The malware uses it to maintain a persistent presence on the device and to contact a command-and-control server to download malicious plugins.
The destructive capabilities arrive with stages 2 and 3. The second stage allows the malware to steal data and take control of the device, rendering it unusable. Stage 3 modules act as plugins for stage 2. “These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols,” according to Symantec. “Another Stage 3 module allows Stage 2 to communicate using Tor.”
Security researchers recommend rebooting infected devices, installing the latest available patches and firmware updates, and changing default passwords.
Rebooting an infected device immediately removes the malicious stage 2 and stage 3 components. But stage 1 remains on the device, which means the attackers can reinstall the other stages.
The FBI action goes after stage 1. Instead of reporting back to the attackers’ command-and-control infrastructure, which would let them re-install the plugins and wipe devices, the stage 1 code now connects to an FBI-controlled server. This allows the bureau to capture the IP addresses of infected devices.
“A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs),” according to a U.S. Department of Justice statement.