This is pretty dense. Basically, Russia has compromised over 500,000 personal routers, and the FBI just got a court order to seize the callback domain that allows the routers to communicate with their command center. If your router is infected, restarting will now prevent it from pinging the Kremlin and reactivating the malware.
Here's the lay summary.
TALOS blog (warning: technical)
This is a non-comprehensive list of devices affected.

FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets.
The FBI counter-operation goes after “VPNFilter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.
VPNFilter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. One plug-in lets the hackers eavesdrop on the victim’s Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.
Linksys Devices:
E1200
E2500
WRVS4400N
Mikrotik RouterOS Versions for Cloud Core Routers:
1016
1036
1072
Netgear Devices:
DGN2200
R6400
R7000
R8000
WNR1000
WNR2000
QNAP Devices:
TS251
TS439 Pro
TP-Link Devices:
R600VPN