In a very rare move, the FBI has issued a warning: reboot your home and office routers now. Americans with internet routers in their homes or offices should reboot them immediately, after the agency found that hundreds of thousands of routers had been compromised by “foreign actors” (their wording, not ours).
In a public service announcement issued Friday, the FBI recommends that any owner of a small office or home office router power cycle (reboot) the device. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide, using the VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking of network traffic.
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer.
UPDATE: Researchers from Cisco’s Talos security team first disclosed the existence of the malware this past Wednesday. Their report details that the malware infected more than half a million devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. The malware carries a name that IT folks would not even suspect was malware: VPNFilter. It allows attackers to collect communications, launch attacks on other targets, and permanently destroy the infected devices with a single command. The report says the malware was developed by hackers working for an advanced nation, possibly Russia, and advises users of affected router models to perform a factory reset, or at a minimum to reboot.
VPNFilter is able to render small office and home office routers inoperable, and it can potentially also collect information passing through the router. Detecting and analyzing the malware’s network activity is complicated, and of its destructive capability Cisco’s report states: “In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have.”
Since routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet, they are hard to protect. While the researchers still don’t know exactly how the devices are being infected, they state that almost all of the targeted devices have known public exploits or default credentials that make compromise easy. Antivirus provider Symantec issued its own advisory last Wednesday, identifying the targeted devices as:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
What to do?
Per Ars Technica, both Cisco and Symantec are advising users of any of these devices to do a factory reset. Unfortunately, a reset wipes all configuration settings, and many of us will not be able to re-enter them (including the ISP login details, which means no internet access until they are restored), so write down or back up your settings before you start. If you do decide to do a factory reset, usually you hold a recessed button on the back of the device for five to 10 seconds. Alternatively, Symantec said, users of these devices should at least reboot them. A reboot stops stages 2 and 3 of the malware from running, but only until the persistent stage 1 manages to reinstall them, so a reboot is a stopgap rather than a cure.
Other actions you should take include changing all default passwords, making sure your devices are running the latest firmware, and, whenever possible, disabling remote administration. (Netgear officials in the past few hours started advising users of “some” router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.)
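The checklist above (affected model, default credentials, stale firmware, remote administration) can be turned into a quick audit of a router's settings dump. The script below is an added example, not code from the article, the FBI, Cisco or Symantec. It assumes a key=value dump in the style of an `nvram show` listing; the key names (`model`, `http_username`, `http_passwd`, `remote_management`, `remote_mgmt_port`, `firmware_date`), the set of default logins, and the two sample dumps are all constructed for illustration and vary by vendor. The MikroTik entries use the `CCR` prefix of the Cloud Core Router models the list refers to by number.

```python
"""Audit a SOHO router settings dump against the VPNFilter advisory checklist.

Added example; key names, default-credential set and sample dumps are
assumptions for illustration, not any vendor's real format.
"""
import re
from datetime import date

# Models from the Symantec/Cisco list above. MikroTik "1016/1036/1072" are
# written with the Cloud Core Router prefix (assumed naming).
AFFECTED_MODELS = [
    "E1200", "E2500", "WRVS4400N",                      # Linksys
    "CCR1016", "CCR1036", "CCR1072",                    # MikroTik CCR
    "DGN2200", "R6400", "R7000", "R8000",               # Netgear
    "WNR1000", "WNR2000",
    "TS251", "TS439 Pro",                               # QNAP
    "R600VPN",                                          # TP-Link
]

# Constructed sample of common factory logins; not a vendor-supplied list.
DEFAULT_CREDS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("root", ""),
}


def normalize(model: str) -> str:
    """Uppercase and drop spaces/hyphens so 'ts-439 pro' matches 'TS439 Pro'."""
    return re.sub(r"[\s\-_]", "", model).upper()


AFFECTED = {normalize(m) for m in AFFECTED_MODELS}


def parse_dump(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict, today: date, max_age_days: int = 365) -> list:
    """Return one finding string per checklist item that fails."""
    findings = []
    model = settings.get("model", "")
    if normalize(model) in AFFECTED:
        findings.append(f"model {model} is on the VPNFilter target list: "
                        "factory reset, do not just reboot")
    creds = (settings.get("http_username", ""), settings.get("http_passwd", ""))
    if creds in DEFAULT_CREDS:
        findings.append("admin interface still uses a default credential pair")
    if settings.get("remote_management", "0") == "1":
        port = settings.get("remote_mgmt_port", "80")
        findings.append(f"remote (WAN-side) administration enabled on port {port}")
    fw_date = settings.get("firmware_date")
    if fw_date:
        age = (today - date.fromisoformat(fw_date)).days
        if age > max_age_days:
            findings.append(f"firmware build is {age} days old; check the vendor for an update")
    else:
        findings.append("firmware build date unknown; verify the version against vendor release notes")
    return findings


def audit_dump(text: str, today_iso: str = "2018-05-26", max_age_days: int = 365) -> list:
    """Convenience wrapper: parse and audit in one call (default date = FBI PSA weekend)."""
    return audit(parse_dump(text), date.fromisoformat(today_iso), max_age_days)


# Constructed sample dumps: the weak configuration and its hardened counterpart.
WEAK_DUMP = """\
# constructed sample, not a real device export
model=R7000
http_username=admin
http_passwd=password
remote_management=1
remote_mgmt_port=8080
firmware_date=2016-03-10
"""

HARDENED_DUMP = """\
# constructed sample after reset, password change, update, remote admin off
model=R7000
http_username=admin
http_passwd=unique-owner-chosen-passphrase
remote_management=0
firmware_date=2018-05-15
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"[{name}]")
        for finding in audit_dump(dump) or ["no findings"]:
            print("  -", finding)
```

Note that the hardened dump still produces one finding: an affected model stays on the list even after it is patched, which is the article's point that the fix for an already-infected device is a factory reset, not hardening alone.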
Cisco researchers urged both consumers and businesses to take the threat of VPNFilter seriously.