The FBI has seized a domain that hackers used for their command and control server. The hackers controlled a botnet of more than 500,000 routers and storage devices that were infected with the VPNFilter malware. The American secret service received permission from a federal judge to take control of the domain.
(One of the vulnerable routers, the Linksys EA2500)
Experts link the VPNFilter malware to a Russian hacker group called Fancy Bear, because parts of the malware's source code were used by that group before. According to the website The Daily Beast, Fancy Bear was reportedly also involved in hacks during the 2016 election in the United States.
VPNFilter has infected devices in 54 countries by abusing known vulnerabilities in Linksys, MikroTik, NETGEAR and TP-Link routers and in NAS devices from QNAP. Once the malware is installed, it reports back to a command and control server from which plugins can be installed. There is a large variety of plugins, for example to eavesdrop on the victim's internet connection, to capture website credentials and even to cripple the infected device.
The FBI has been investigating the botnet. Part of the investigation involved the router of an infected U.S. citizen, whose inbound and outbound traffic the FBI monitored. This monitoring allowed the secret service to find a weakness in the malware: if the router is rebooted, all plugins are removed and only the core malware remains. That core is programmed to search for specific images hosted on Photobucket.com, and when those are no longer available, it searches for a backup command and control server on the domain toknowall.com. Because the images have now been removed from Photobucket, the toknowall.com domain became a key weakness.
Now that the FBI controls the domain, the malware is unable to reactivate when a compromised device is rebooted. In addition, the IP addresses of all devices that try to phone home to the now-removed command and control server on toknowall.com are collected.
The FBI hopes to use this information to clean up the malware by informing ISPs about infected devices on their networks. Some ISPs are able to automatically reboot their customers' routers, which would render the malware useless. Other ISPs might use the IP addresses to contact their customers and ask them to reboot their router manually.
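An ISP or network team can do the same triage on its own resolver logs: a device that looks up the seized toknowall.com domain is behaving exactly like the rebooted malware core described above, while lookups of photobucket.com alone prove little because it is a legitimate site. The script below is an added example, not code from the article or the FBI; the log line layout (timestamp, client IP, query name, query type), the field names and the sample lines are all constructed here.

```python
import re
from collections import defaultdict

# Domains named in the article: the seized backup C2 and the stage-one image host.
SINKHOLED_C2 = "toknowall.com"
IMAGE_HOST = "photobucket.com"

# Constructed sample of resolver log lines; the "ts client qname qtype" layout is assumed.
SAMPLE_DNS_LOG = """\
2018-05-24T03:11:02Z 203.0.113.17 toknowall.com A
2018-05-24T03:11:05Z 203.0.113.17 www.example.net A
2018-05-24T03:12:40Z 203.0.113.88 i.photobucket.com A
2018-05-24T03:14:09Z 203.0.113.17 toknowall.com A
2018-05-24T03:15:00Z 198.51.100.5 www.toknowall.com. A
2018-05-24T03:16:21Z 203.0.113.88 news.example.org A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

def domain_matches(qname, zone):
    """True if qname is zone or a subdomain of it (case-insensitive, trailing dot tolerated)."""
    q = qname.rstrip(".").lower()
    return q == zone or q.endswith("." + zone)

def triage_dns_log(log_text):
    """Per client IP: count C2 lookups (strong indicator) and image-host lookups (weak,
    photobucket.com is a legitimate site) and record the first timestamp seen."""
    hits = defaultdict(lambda: {"c2_lookups": 0, "image_host_lookups": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        if domain_matches(m["qname"], SINKHOLED_C2):
            key = "c2_lookups"
        elif domain_matches(m["qname"], IMAGE_HOST):
            key = "image_host_lookups"
        else:
            continue
        entry = hits[m["client"]]
        entry[key] += 1
        entry["first_seen"] = entry["first_seen"] or m["ts"]
    return dict(hits)

def clients_to_notify(log_text):
    """Sorted client IPs with at least one lookup of the seized C2 domain."""
    return sorted(ip for ip, h in triage_dns_log(log_text).items() if h["c2_lookups"] > 0)

for ip in clients_to_notify(SAMPLE_DNS_LOG):
    print(f"{ip}: advise the customer to reboot, or better factory-reset, the device")
```

Only clients that queried toknowall.com end up on the notification list; the photobucket.com count is kept as supporting context for an analyst, not as grounds for contacting a customer.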
Devices that can be infected by VPN Filter are:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS versions 1016, 1036 and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- All QNAP devices running QTS
- TP-Link R600VPN
If your router or NAS is on this list, it is at least advisable to reboot the device. To completely remove VPNFilter, restore the device to factory settings.