At least 500,000 internet routers across the globe have been infected with malware that can "self-destruct" and brick the devices, Cisco warned on Wednesday.
The malware, dubbed VPNFilter, has hit Wi-Fi and broadband routers from Netgear, Linksys, and TP-Link, among others, in an apparent attempt to force entire populations offline. Although the malware has been detected in at least 54 countries, it's been spreading at an "alarming rate" in the Ukraine, suggesting a cyber attack against the country is imminent, Cisco's Talos security group said in a blog post.
Talos hasn't completed its research into the malware, but said it was necessary to warn the public as attackers seek to expand their footprint. On May 8 and May 17, for example, Talos noticed a spike in new infections in the Ukraine.
On Wednesday, Ukrainian authorities issued an alert, warning the public of a possible large-scale cyberattack on state-owned sectors and private companies on the eve of a major soccer match in Kiev.
Talos declined to speculate who might be behind the malware, but the incident is raising suspicions that Russia is involved. VPNFilter shares code with another infamous malware strain known as BlackEnergy, which targeted the electric grid in Ukraine in late 2015, leaving homes in the country briefly without power. Ukrainian authorities blamed that attack on the Russian government.
VPNFilter spreads by exploiting well-known public vulnerabilities in different routers. Earlier this month, Talos noticed that existing infected devices were scanning the internet for more vulnerable routers to infect in over 100 countries.
What makes VPNFilter particularly menacing is that the malware is hard to remove; it persists even after a reboot. Once the malware gains a foothold, it can download other programs that can collect data that flows through the router, making it ideal for cyberespionage. But VPNFilter can also download a self-destruct capability, which bricks the router using a special "kill" command.
"In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have," Talos said. "We are deeply concerned about this capability."
How can you protect yourself from the threat? Although the malware can persist even after a reboot, restarting your router will temporarily erase the data-collecting and self-destructing capabilities of the malware. Those features will remain absent until the hacker's command and control server orders the malware to download the programs again.
Symantec suggests that a "hard reset," which restores a router's factory settings, should completely remove the malware. "With most devices this can be done by pressing and holding a small reset switch when power cycling the device," the security firm said. "However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset."
To truly protect your router, you'll have to download patches from the vendor, assuming they're available. Cisco has reached out to the affected router makers about the VPNFilter malware. Netgear published a guide for customers on how they can patch their routers and recommends that users change the default password on the devices.