-Tom Lidikay

 

On friday, the FBI issued an advisory to consumers to reboot their home routers and network attached storage devices.

 

The advisory comes a few days after Cisco researchers uncovered the virus known as VPNFilter, a sophisticated (yes I am for once using the word un-ironically, as this is a bit interesting)  piece of attack software with multiple stages.

 

Stage One of the malware is a persistent piece that establishes a foothold into the routers firmware. It employs multiple command and control lines for redundancy, to ensure it can communicate with its home server to load the other stages. This stage persists through a reboot.

 

Stage Two provides the attacker more control over the device, and has many of the usual capabilities required, such as  file collection, command execution, data exfiltration and device management. It also posesses the capability of damaging the device firmware, and then issuing a reboot, permanently bricking the device for a “self destruct” function.

 

Stage Three consists of plugin modules to augment stage two’s capabilities, and ahis writing there are two known functions: A packet sniffer, for hijacking and snooping on traffic, and a communications module that allows the malware to communicate using TOR protocol.

 

Stages two and three live in memory, and so are wiped if the device is rebooted.

 

The main domain stage one reaches out to is the recently seized “toknowall.com” which is now in the hands of authorities. It is unknown at this time if there are backup servers to load malware stages, and this is one reason the reboots are being requested. This is under active investigation, and the public’s help would go a long way towards mitigating this attack.

 

If you would like to know more about the malware, I would suggest reading Cisco’s documentation on it (linked above). It seems to be a well developed and executed attack, which makes it incredibly dangerous to consumers.

 

Again, please Reboot your Routers and NAS devices.