FBI recommends rebooting routers to minimize VPNFilter risk.

walden, system, systems, walden systems, rita, firewall, port, forward, up, protect, intrusion, security, traffic, DMZ, block, protection, walden systems, walden, systems, network, fire, wall, hack, intrusion, cisco, router, network, switch, hub, IoT, traffic
Rita gives you full control of what sites your employees visit. Rita can block sites that eat up your precious bandwidth such as media streaming sites. Rita enables you full control of what sites your employees can and cannot visit. Rita gives you the ability to block undesirable sites by wildcard or by name. Rita gives you the ability to determine which computers will be blocked and which will be allowed. With Rita, you can block access to sensitive servers within your LAN.



     AThe VPNFilter malware has infected over 500,000 devices around the world without the need for a zero-day vulnerability. While patching is still needed, for many users part of the fix could be to simply reboot their routers. At one time or another, most users have been told to simply reboot or power cycle a device to get the device working again. That's the same advice the FBI issued on May 25 to help organizations and individuals defend against a malware attack known as VPNFilter. The VPNFilter malware attack was first publicly disclosed on May 23 by Cisco's Talos cyber-security research division, warning that 500,000 networking devices globally have been infected. Among the devices impacted are routers from Linksys, MikroTik, NETGEAR and TP-Link, as well as QNAP network-attached storage (NAS) devices.

     The malware is able to collect information, exploit connected devices, and block network traffic. The size and scope of the infrastructure impacted by VPNFilter malware is significant, according to the FBI. According to Cisco Talos' analysis, all of the devices impacted by VPNFilter have known public vulnerabilities. Talos researchers further stated that VPNFilter did not use any zero-day vulnerabilities and only exploited devices that had not been patched for known issues. The VPNFilter malware has multiple uses and could be used to create a botnet that might lead to additional attacks. The Talos analysis found that the malware can potentially steal website credentials and also has a destructive capability that could make an infected device unusable.




     U.S. law enforcement officials have already acted to help disrupt the VPNFilter malware and its associated botnet. The U.S Department of Justice announced on May 23 that it seized the toknowwall.com internet domain that was suspected of hosting a command and control node for VPNFilter. Traffic intended for the seized domain is now being redirected to an FBI-controlled domain that captures the IP addresses of infected devices. The IP addresses are then being shared with the nonprofit ShadowServer Foundation, which is working with service providers to remediate the malware infections.

     The Sofacy Group, a hacking group which is also known as APT28 and Fancy Bear, has been credited with theVPNFilter malware according the Department of Justice. The group is suspected of operating out of Russia and has also been implicated in the 2016 attack against the Democratic National Committee. This joint action by the FBI, DOJ, and other partners sends a clear message that the U.S. Government will take action to alleviate the threats posed by them and to protect it's citizens and allies even when the possibility of arrest and prosecution is remote. As the technical capabilities of hackers evolve, the FBI and its partners will have to continue to rise to the challenge, placing themselves between the hackers and their intended victims.



     The reason why rebooting a system works is because it will remove non-stateful code that is running in a device's memory and return the device to a default status. When it comes to malware, there has been a growing trend in recent years for attacks to make use of what is known as file-less malware, malware that resides in memory and doesn't use a specific malware executable file that is stored on disk in order to run. Cisco's analysis found that VPNFilter has a two-stage infection process, with the first stage being capable of surviving a reboot. VPNFilter's first stage reaches out to command and control servers to get the second stage of the malware. With the Department of Justice's actions to take control of at least one of the main command and control nodes, the first stage attack has been somewhat disrupted. The second stage of the attack is the malware, which doesn't survive a system reboot. High-availability and always on connectivity without maintenance windows or downtime has been a prized attribute of IT departments for many years, and the idea that rebooting a device can fix problems has often been seen as a last resort solution. Part of good IT cyber-security strategy in 2018 should be to keep all IT devices and software updated and patched and, as the VPNFilter example now demonstrates, perhaps every so often consider rebooting devices as well.