Update 6/7/18: Cisco's Talos has released additional details regarding VPNFilter, including a longer list of affected routers and possible attacks.
Your gateway to the Internet may be the portal that foreign hackers are using to snatch your data. The FBI recently issued a security notice warning that all home and small office routers should be rebooted after Cisco’s Talos group discovered sophisticated Russian-linked “VPNFilter” malware infecting at least 500,000 networking devices.
Here’s what you need to know about VPNFilter and the FBI’s guidance to reboot your router—which might not even safeguard against the malware completely.
What’s the threat?
Since all your Internet and local network traffic flows through your router, it can be pretty severe.
“VPNFilter is able to render small office and home office routers inoperable,” the FBI warns. “The malware can potentially also collect information passing through the router.”
Routers are especially ripe targets for hackers because they usually connect directly to the Internet and aren’t often protected by your PC’s antivirus or other security solutions. Most people don’t install router firmware updates, either, which can leave vulnerabilities exposed. VPNFilter also encrypts its network traffic, which can make detection even more difficult, the FBI says.
Most recent infections observed by Cisco occurred in Ukraine, however, and the Justice Department connected VPNFilter to “Sofacy Group,” an espionage group associated with Russia.
That doesn't sound so bad.
It gets worse. In a follow-up post, Cisco's Talos has discovered "a new stage 3 module that injects malicious content into web traffic as it passes through a network device." Better known as a "man-in-the-middle" attack, this means that bad actors can use this vulnerability to intercept network traffic and inject malicious code without the user's knowledge. That means a hacker can manipulate what you see on your screen while still performing malicious tasks on your screen. As Craig Williams, a senior technology leader and global outreach manager at Talos, explained to Ars Technica, "They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.” That's a much greater threat than initially feared.
What routers are affected?
The FBI’s security notice suggests that all router owners reboot their devices. Additionally, Cisco’s Talos group says that “Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.”
So you should reboot your router no matter what. That said, Symantec released the following list of routers and NAS devices known to be susceptible to VPNFilter. Some are popular affordable models, and one (the Netgear WNR1000) is provided to Comcast customers in some circumstances.
- ”Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Just this week, however, Cisco issued a warning that the threat goes beyond even those models, and includes a wider swath of routers manufactured by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. So once again: The FBI and Cisco’s crack security squad suggest that we all reboot our routers, even if it's not on this list.
How do I reboot my router?
Rebooting your router eradicates what Cisco calls the “Stage 2” and “Stage 3” elements of VPNFilter—the destructive part of the malware.
Rebooting your router is easy. Simply unplug it from the wall, wait 30 seconds, and plug it back in. Done!
Is there anything else I should do to stay safe?
Yes. Let’s start with the easy steps.
The FBI and some hardware makers recommend disabling remote management features on your router, which are off by default in most cases. You’ll also want to change your router’s default login credentials, swapping in a strong, unique password—not one you use for any other websites or services. PCWorld’s guide to the best password managers can help if you aren’t using one already.
Even though routers aren’t typically protected by your PC’s antivirus, Symantec says its software can detect VPNFilter. Running security software on your computer helps it stay as safe as possible, and this episode serves as a reminder that you should be doing it. PCWorld’s guide to the best antivirus for Windows PCs can help you pick the best for your situation.
Now for the bad news.
Should I factory reset my router?
What makes VPNFilter so sophisticated is its “Stage 1” element, which can persist even through a reboot and then contact the hackers to reinstall the other stages of the malware. The Justice Department seized a domain that the malware used to install VPNFilter’s later stages on infected PCs, but that doesn’t mean the threat is eliminated as it also uses other methods to connect with the hackers.
The only way to fully remove the malware is by performing a factory reset of your router and updating it to the latest firmware revision available, which will protect against known vulnerabilities. It’s a complicated procedure that will require you to reconfigure your network settings, but we’d recommend doing it if your router is on the list of devices known to be vulnerable to VPNFilter.
The exact procedure for resetting a router can vary, though it usually involves pressing a pin or the end of a paperclip into a small pinhole button on the hardware, followed by connecting the device to a PC via ethernet to complete the initial configuration. Linksys, MikroTik, Netgear, QNAP and TP-Link have all posted instructions explaining how to factory reset your routers and otherwise protect against VPNFilter.
Performing a little prep work beforehand can make the experience less of a hassle. Although you’ll want to change your router’s default administrative username and password, jot down your existing network name(s) and password before you reset your hardware. When you create a new network after factory resetting your router, it’s safe to use the same Wi-Fi name and passwords as before. Doing so will let all your devices reconnect easily.