The FBI has disrupted a network of half a million routers compromised by the Russian hacker group believed to have penetrated the Democratic National Committee and the Hillary Clinton campaign during the 2016 election, according to reports.
The group of hackers, known as "Fancy Bear", has been using a malware program called "VPNFilter" to compromise home and small office routers made by Linksys, MikroTik, Netgear and TP-Link, as well as QNAP network-attached storage devices.
VPNFilter is "particularly worrisome" because the malware's components can be used to steal website credentials and to target the protocols of industrial systems, such as those used in utility and manufacturing settings, explained Cisco Talos threat researcher William Largent in a post published on Wednesday.
"The malware has a destructive capability that can disable an infected device," he said, "which can be activated on individual machines or en masse, and has the potential to cut off Internet access for hundreds of thousands of victims around the world."
Malware neutralizer
The FBI on Tuesday obtained a court order from a Pittsburgh federal magistrate to take control of the Internet domain used by Russian hackers to manage the malware, The Daily Beast reported.
The bureau, which has been studying the malware since August, discovered a key weakness in the software, according to the report. If a router is rebooted, the malware's core code remains on the device, but all the add-ons it needs for malicious behavior disappear.
After a reboot, the malware is designed to go online and reload those malicious add-ons. By taking control of the domain where the add-ons are hosted, the FBI neutralized the malware.
The FBI has been collecting IP addresses from infected routers so that it can clean up infections worldwide, according to The Daily Beast.
Promising strategy
The FBI's strategy, choking off a botnet's ability to reactivate by taking control of its domain, shows promise as a method for combating global threat actors.
With it, law enforcement can eliminate a threat without having to seize malicious infrastructure located in a foreign country. Seizing such resources can be a major challenge for law enforcement agencies.
"Unless the threat evolves to not use DNS, which is very unlikely, the same mitigation strategy would be successful and could be used continuously," Morey Haber, CTO of BeyondTrust, told TechNewsWorld.
Lucky break
According to Leo Taddeo, CISO of Cyxtera and former special agent in charge of the cyber division's special operations at the FBI's New York office, good fortune was on law enforcement's side in this confrontation with the Kremlin's criminals.
"In this case, the FBI was able to deal a severe blow to the malware infrastructure because the hacking group used Verisign, a domain name registrar under the jurisdiction of the United States," Taddeo told TechNewsWorld.
"If the hacking group had used a Russian domain registrar, the court order would probably have been delayed or ignored," he said.
However, using a Russian domain name is risky, which is why the hackers did not.
"Routers that regularly invoke a .ru domain after rebooting can be identified as a risk by ISPs or other companies that analyze outgoing traffic," said Taddeo.
"In the next round, the hackers can configure the routers to call out to a command and control server registered outside US jurisdiction, and in a way that is difficult to detect," he added. "That will make the FBI's job much more difficult."
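As an added illustration of the detection heuristic Taddeo describes, the script below is example code written for this article, not tooling from the FBI, any ISP or any vendor named here. It correlates router boot events with the outbound DNS queries that follow them and flags domains a router contacts shortly after repeated reboots; it generalizes the ".ru after reboot" idea to any domain. The log format, router addresses and domain names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry (not real data): router boot events followed by
# the DNS queries each router made. ntp.example.net is queried after one boot
# only; c2.example.ru (a placeholder name) is queried right after every boot.
SAMPLE_LOG = """\
2018-05-23T10:00:00Z router=10.0.0.1 event=boot
2018-05-23T10:00:08Z router=10.0.0.1 event=dns query=ntp.example.net
2018-05-23T10:00:15Z router=10.0.0.1 event=dns query=c2.example.ru
2018-05-23T11:30:00Z router=10.0.0.1 event=dns query=www.example.com
2018-05-24T08:00:00Z router=10.0.0.1 event=boot
2018-05-24T08:00:20Z router=10.0.0.1 event=dns query=c2.example.ru
2018-05-25T09:00:00Z router=10.0.0.1 event=boot
2018-05-25T09:00:11Z router=10.0.0.1 event=dns query=c2.example.ru
2018-05-25T09:10:00Z router=10.0.0.1 event=dns query=ntp.example.net
2018-05-23T12:00:00Z router=10.0.0.2 event=boot
2018-05-23T12:00:05Z router=10.0.0.2 event=dns query=ntp.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) router=(?P<router>\S+) event=(?P<event>\w+)(?: query=(?P<query>\S+))?$"
)

def parse_line(line):
    """Parse one constructed log line into a dict with a UTC timestamp, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def post_reboot_callouts(log_text, window_s=60, min_reboots=2):
    """Return {(router, domain): n} for domains queried within window_s seconds
    after at least min_reboots distinct reboots of the same router."""
    last_boot = {}
    seen = defaultdict(set)  # (router, domain) -> set of boot timestamps it followed
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: (r["router"], r["ts"]))  # process each router in time order
    for r in records:
        if r["event"] == "boot":
            last_boot[r["router"]] = r["ts"]
        elif r["event"] == "dns" and r["router"] in last_boot:
            boot = last_boot[r["router"]]
            if (r["ts"] - boot).total_seconds() <= window_s:
                seen[(r["router"], r["query"])].add(boot)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_reboots}
```

On the sample data only the placeholder domain contacted after all three reboots of 10.0.0.1 is flagged; the NTP lookup, which follows only one boot within the window, is not.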
What consumers can do
Consumers can disable VPNFilter simply by rebooting their routers. However, even after a reboot, remnants of the malware will remain, warned Mounir Hahad, head of Juniper Networks' threat lab.
"It is important that consumers apply any patch provided by device manufacturers to completely eliminate the infection," he told TechNewsWorld.
Consumers should also enable automatic firmware updates, Haber advised, noting that "most new routers support it."
In addition, they should make sure that their router's firmware is up to date and that the router has not been abandoned by its manufacturer.
"If your router is at the end of its useful life, consider replacing it," he suggested. That is because security issues discovered after a manufacturer ends support for a product will not be fixed.
Awakening the router manufacturers
Routers have come under attack from hackers, which has led the industry to start taking security more seriously.
"Router manufacturers are incorporating more security into their routers, and we expect these types of attacks to be anticipated in the future," Gartner security analyst Avivah Litan told TechNewsWorld.
Router manufacturers have been paying attention to reported vulnerabilities and doing everything possible to provide patches, said Hahad of Juniper.
"They are also moving away from the practice of providing usernames and passwords that are common in all units sold," he added. "Some providers now have unique passwords printed on a label inside the device package."
While security awareness is increasing in the industry, adoption of best practices remains uneven, said Haber of BeyondTrust.
"Many have added automatic update capabilities, notifications when there is new firmware available and even malware protection," he said.
"Unfortunately, not all have done so, and some are very lax in known threat updates," Haber observed. "Yes, there is progress, but consumers should investigate and verify if a provider is aware of security and offers timely updates."