It Won’t Take Long. Reboot Your Router Now.
Cisco researchers revealed in a report last week that 500,000 routers are infected with malware called VPNFilter. The report says the threat has been growing since 2016.
The malware is from Russian state-sponsored hackers. When activated, VPNFilter wipes a portion of an infected device’s firmware. Hackers can destroy a single device or all infected devices. The FBI urges small businesses and households to immediately reboot routers. Later in this post, I have more steps you could take.
Also last week, the FBI obtained a warrant and seized a domain the hackers used to control infected routers. According to a Justice Department news release:
“The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely,” said FBI Special Agent in Charge Bob Johnson. “These hackers are exploiting vulnerabilities and putting every American’s privacy and network security at risk. Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords.”
According to USA Today:
What the FBI doesn’t yet know is how VPNFilter is getting on people’s systems.
There are several actions those with home routers can do to stop it. Turning the router on and off temporarily disrupts the malware and erases parts of it, though the router can be reinfected.
The best protection is to make sure the router’s software has been updated and a strong password has been set. Many routers come with default passwords such as “password” or “1234,” which the owners never reset, making them vulnerable to hacking.
For the more technically inclined, Talos suggested owners might disable remote management settings on their routers.
Router manufacturers Linksys, MikroTik, Netgear, QNAP and TP-Link have posted instructions for users to follow to update their routers’ software.
According to an article on ZDNet, known infected devices include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Is a Reboot Sufficient Protection?
Push the on / off button on your router to reboot it now. Please do this as a minimum protection. If your router is not listed, do it anyway. You cannot actually know whether you have VPNFilter on your router (whether or not your router is listed). Your chances of infection are greater if you’ve never set your own secure password or updated the router’s firmware.
Rebooting your router only partially destroys the malware and leaves the router vulnerable to reinfection. By leaving part of the malware on routers, the FBI will be able to trace activity at the website they seized (source: CNET article).
Many of us are going to prefer completely removing the malware. If you want to take extra precautions, the following advice comes from the last half of an article by CNET (“The FBI says you should reboot your router? Should you?”):
…a factory-reset is the only sure-fire way to purge VPNFilter from a router.
The good news: It’s a pretty easy process, usually requiring little more than holding down a reset button on the router itself. The bad news: It’s a pain in the butt because when it’s done, you’ll have to reconfigure all your network settings. Check your model’s instruction manual for help with both steps.
We reached out to a couple of the aforementioned manufacturers to solicit their advice for combating VPNFilter. Linksys responded first…
Their advice: Apply the latest firmware (something that happens automatically in Linksys’ newer routers) and then perform a factory reset. Linksys also recommends changing the default password.
That’s our advice as well. By keeping your router patched with the latest firmware and using a unique password (rather than the one provided out of the box), you should be able to keep ahead of VPNFilter and other kinds of router-targeting malware.