The FBI's urgent request: Reboot Your Home Router!

The FBI is urging home users to reboot their routers after an investigation revealed more than 500,000 routers in at least 54 countries infected by the Russian hacking group Fancy Bear. Fancy Bear developed the malware, known as VPNFilter. Currently, VPNFilter uses known vulnerabilities to infect small office/home routers. Affected brands include Linksys, MikroTik, Netgear and TP-Link routers, as well as QNAP network-attached storage (NAS) devices. According to court records, the FBI has been investigating the botnets built by VPNFilter since August 2017, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware.

How did VPNFilter get onto my Router?

Many routers still use default credentials and/or have publicly known vulnerabilities. This occurs most often on older routers or on routers running old firmware.

What does VPNFilter do to an infected router?

First, it installs a persistence mechanism so that it remains on the infected router. It is then capable of file collection, command execution, data exfiltration and router management. The added modules can spy on your internet traffic, steal website credentials and perform a multitude of additional monitoring tasks.

What do I do with my infected router!?!

Reboot immediately. This temporarily removes the destructive component of VPNFilter, although it does not guarantee that your router will not be re-infected.

So, Phase 1 of VPNFilter persists even after a reboot?

Yes. Performing a hard reset restores the router to factory settings and in most cases wipes it clean; as mentioned, this is not guaranteed. On most routers a hard reset is done by pressing and holding a small reset switch while power cycling the router. Please note that any configuration details or credentials stored on the router should be backed up, as a hard reset will wipe them.

List of known infected routers*:

LINKSYS:

  • E1200
  • E2500
  • WRVS4400N

MIKROTIK:

  • 1016
  • 1036
  • 1072

NETGEAR:

  • DGN2200
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000

QNAP:

  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS

TP-LINK:

  • R600VPN

* NOTE: Other routers may be infected but are not yet known at this time.

Please use the recommended steps below:

  1. Reboot and/or reset to factory settings by pressing and holding a small reset switch while power cycling the router.
  2. Create a strong password for the router's login account.
  3. Update the firmware: when you are logged in to your router, look for the system updates option.
  4. If the router is Wi-Fi enabled, make sure WPA2 is enabled. Turn off remote router administration.
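As an added illustration of steps 2 through 4 (this is example code written for this page, not part of the FBI advisory and not a vendor tool), the script below audits a router configuration against those checks: default or weak admin credentials, stale firmware, wireless security below WPA2, and remote administration left on. The configuration layout, the default-credential list, the one-year firmware age threshold and the sample dates are all constructed assumptions; a real router exports its settings in its own vendor-specific format, so the checks would need to be mapped onto that.

```python
"""Audit a home-router configuration against the hardening steps above.

Added example for this page; the configuration format is a constructed
dictionary, not a real vendor export, and the thresholds are assumptions.
"""
from datetime import date

# Constructed illustration of commonly shipped default credential pairs.
# Real defaults vary by vendor and model.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

MAX_FIRMWARE_AGE_DAYS = 365  # assumption: firmware older than a year is flagged


def password_is_strong(password: str) -> bool:
    """Minimal strength test: 12+ characters from at least three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 12 and sum(classes) >= 3


def audit_router(config: dict, today: date) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Step 2: no default credentials, and a strong password.
    creds = (config.get("admin_user", ""), config.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials in use")
    elif not password_is_strong(creds[1]):
        findings.append("admin password is weak")

    # Step 3: firmware should be reasonably current.
    fw_date = date.fromisoformat(config.get("firmware_date", "1970-01-01"))
    if (today - fw_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware is older than %d days" % MAX_FIRMWARE_AGE_DAYS)

    # Step 4: WPA2 (or newer) on wireless, and no WAN-side administration.
    if config.get("wifi_enabled") and config.get("wifi_security") not in ("WPA2", "WPA3"):
        findings.append("wireless security is %s, not WPA2" % config.get("wifi_security"))
    if config.get("remote_admin_enabled"):
        findings.append("remote (WAN-side) administration is enabled")
    return findings


# Constructed samples: a router left on factory settings, and the same router
# after applying the recommended steps.
WEAK_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "firmware_date": "2016-03-10",
    "wifi_enabled": True,
    "wifi_security": "WEP",
    "remote_admin_enabled": True,
}

HARDENED_CONFIG = {
    "admin_user": "admin",
    "admin_password": "Tr0ut-river!2018x",
    "firmware_date": "2018-05-20",
    "wifi_enabled": True,
    "wifi_security": "WPA2",
    "remote_admin_enabled": False,
}


def audit_examples(as_of: date = date(2018, 5, 29)) -> dict:
    """Run both constructed samples against a constructed reference date."""
    return {
        "weak": audit_router(WEAK_CONFIG, as_of),
        "hardened": audit_router(HARDENED_CONFIG, as_of),
    }


if __name__ == "__main__":
    for name, findings in audit_examples().items():
        print(name + ":", findings or ["no findings"])
```

Running the script prints four findings for the factory-default sample and none for the hardened one. The password test is deliberately simple; the point is that a default or short password is caught before firmware, wireless and remote-administration settings are examined.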