FBI Recommends Router Reboots to Limit VPNFilter Malware Risk

NEWS ANALYSIS: The VPNFilter malware has infected over 500,000 devices around the world without the need for a zero-day vulnerability. While patching is still needed, for many users part of the fix could be to simply reboot their routers.


At one time or another, most IT users have been told that a possible solution to get technology working again is to simply reboot or power-cycle (unplug-replug) a given device. That's the same advice the FBI issued on May 25 to help organizations and individuals defend against a malware attack known as VPNFilter.

The VPNFilter malware attack was first publicly disclosed on May 23 by Cisco's Talos cyber-security research division, warning that at least 500,000 networking devices globally have been infected. Among the devices impacted are routers from Linksys, MikroTik, NETGEAR and TP-Link, as well as QNAP network-attached storage (NAS) devices.

"The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic," the FBI warned in its advisory. "The size and scope of the infrastructure impacted by VPNFilter malware is significant." 

According to Cisco Talos' analysis, all of the devices impacted by VPNFilter have known public vulnerabilities. Talos researchers further stated that, in their view, VPNFilter did not use any zero-day vulnerabilities and only exploited devices that had not been patched for known issues.

The VPNFilter malware has multiple potential uses and could be used to create a botnet that in turn might lead to additional attacks. The Talos analysis found that the malware can potentially steal website credentials and also has a destructive capability that could make an infected device unusable.

Law Enforcement

U.S. law enforcement officials have already acted to help disrupt the VPNFilter malware and its associated botnet. The U.S Department of Justice announced on May 23 that it seized the toknowwall.com internet domain that was suspected of hosting a command and control node for VPNFilter.

Traffic intended for the seized domain is now being redirected to an FBI-controlled domain that captures the IP addresses of infected devices. The IP addresses are then being shared with the nonprofit ShadowServer Foundation, which is working with service providers to remediate the malware infections.


The VPNFilter malware is attributed to a hacker group the Department of Justice referred to as the "Sofacy Group," which is also known by security vendors as APT28 and Fancy Bear. The group is suspected of operating out of Russia and has also been implicated in the 2016 attack against the Democratic National Committee (DNC).

"This action by the FBI, DOJ, and our partners should send a clear message to our adversaries that the U.S. Government will take action to mitigate the threats posed by them and to protect our citizens and our allies even when the possibility of arrest and prosecution may not be readily available," FBI Special Agent in Charge David J. LeValley stated. "As our adversaries' technical capabilities evolve, the FBI and its partners will continue to rise to the challenge, placing themselves between the adversaries and their intended victims."

Why Rebooting Works

In many cases, the reason why power-cycling or rebooting a system works is because it will remove non-stateful code that is running in a device's memory and return the device to a default status. When it comes to malware, there has been a growing trend in recent years for attacks to make use of what is known as "file-less malware"—malware that resides in memory and doesn't use a specific malware executable that is stored on disk in order to run.

Cisco's analysis found that VPNFilter has a two-stage infection process, with the first stage being capable of surviving a reboot. VPNFilter's first stage reaches out to command and control servers to get the second stage of the malware. With the Department of Justice's actions to take control of at least one of the main command and control nodes, the first stage attack has been somewhat disrupted. The second stage of the attack is the malware, which doesn't survive a system reboot.

High-availability and always-on connectivity without maintenance windows or downtime has been a prized attribute of IT departments for many years, and the idea that simply power-cycling a device can fix problems has often been seen as a solution of last resort.

Part of good IT cyber-security hygiene in 2018 should be to keep all IT devices and software updated and patched and, as the VPNFilter example now demonstrates, perhaps every so often consider power-cycling and rebooting devices as well.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.