The FBI is urging home users to reboot their routers after an investigation revealed more than 500,000 routers in at least 54 countries infected by VPNFilter, a multi-stage, modular malware platform attributed to the Russian hacking group Fancy Bear. VPNFilter currently uses known vulnerabilities to infect small office/home office (SOHO) routers. Affected brands include Linksys, MikroTik, Netgear and TP-Link routers, as well as QNAP network-attached storage (NAS) devices. The FBI has been investigating the botnet built by VPNFilter since August 2017, according to court records, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware.
How did VPNFilter get onto my router?
Many routers still use default credentials and/or run firmware with known, unpatched vulnerabilities. This is most common on older routers or on routers whose firmware has never been updated.
What does VPNFilter do to an infected router?
First, it installs a persistent loader (Stage 1) that survives reboots and keeps a foothold on the infected router. It then fetches a main module (Stage 2) capable of file collection, command execution, data exfiltration and device management. Optional add-on modules (Stage 3) can spy on your internet traffic, steal website credentials and carry out a range of additional monitoring tasks.
What do I do with my infected router?!
Reboot it immediately. This temporarily removes the non-persistent stages of VPNFilter, including its destructive component, from the router's memory. It does not, however, guarantee that the router will not be re-infected, because the persistent first stage survives a reboot.
So, Stage 1 of VPNFilter persists even after a reboot?
Yes. Performing a hard reset (factory reset) restores the router to factory settings and in most cases wipes the malware clean; as mentioned, this is not guaranteed. On most routers a hard reset is done by pressing and holding the small recessed reset switch while power cycling the router. Note that any configuration details or credentials stored on the router will be wiped by a hard reset, so back them up first.
List of known affected devices*:
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS
* NOTE: Other routers and devices may be infected but are not yet known at this time.
Please follow the recommended steps below:
- Reboot the router and/or reset it to factory settings by pressing and holding the small reset switch while power cycling the router.
- Create a strong, unique password for the router's administrative login account; never leave the factory default in place.
- Update the firmware: once logged in to the router's administration page, look for a system or firmware update option and install the latest version from the vendor.
- If the router is Wi-Fi enabled, make sure WPA2 (or newer) is enabled. Turn off remote (WAN-side) router administration.
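The checklist above, together with the default-credential weakness described earlier, can be turned into an automated audit of a router's exported settings. The following is an added example and is not code from the original page or from any router vendor. The two configuration dictionaries are constructed inline, and the vendor-neutral field names (admin_user, admin_password, firmware_version, wifi_enabled, wifi_security, remote_admin_enabled), the short default-credential list and the "latest firmware" version string are all assumptions that you would map to your own router's configuration export and vendor download page.

```python
"""Audit a SOHO router's settings against the VPNFilter hardening checklist.

Added example, not the page's or any vendor's code.  Field names and the
sample configurations below are assumptions/constructed data.
"""
import re

# Constructed list of factory credentials; real default-credential lists
# (and the ones botnets try) are far longer.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}

# Wireless security modes the checklist accepts (WPA2 or newer).
ACCEPTABLE_WIFI_MODES = {"WPA2-PSK", "WPA2-Enterprise", "WPA2/WPA3", "WPA3-SAE"}


def parse_version(text: str) -> tuple:
    """Turn '1.0.2.12' or 'v3.1' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def password_is_strong(password: str) -> bool:
    """Minimum policy: at least 12 characters drawn from at least three character classes."""
    classes = (
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"\d", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return len(password) >= 12 and sum(1 for c in classes if c) >= 3


def audit_router(config: dict, latest_firmware: str) -> list:
    """Return a list of findings; an empty list means every checklist item passed."""
    findings = []

    # Step 2: strong, non-default admin credentials.
    creds = (config.get("admin_user", ""), config.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("admin account still uses factory default credentials")
    elif not password_is_strong(creds[1]):
        findings.append("admin password does not meet the strength policy")

    # Step 3: firmware is current (older firmware is where the known exploits live).
    installed = config.get("firmware_version", "0")
    if parse_version(installed) < parse_version(latest_firmware):
        findings.append(f"firmware {installed} is older than latest {latest_firmware}")

    # Step 4a: Wi-Fi, if enabled, must use WPA2 or newer.
    if config.get("wifi_enabled") and config.get("wifi_security") not in ACCEPTABLE_WIFI_MODES:
        findings.append(f"wireless security mode {config.get('wifi_security')!r} is weaker than WPA2")

    # Step 4b: no administration from the WAN side.
    if config.get("remote_admin_enabled"):
        findings.append("remote (WAN-side) administration is enabled")

    return findings


# Constructed sample: a router left on factory settings (the weak configuration).
WEAK_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "firmware_version": "1.0.0.24",
    "wifi_enabled": True,
    "wifi_security": "WEP",
    "remote_admin_enabled": True,
}

# Constructed sample: the same router after the checklist has been applied.
HARDENED_CONFIG = {
    "admin_user": "netadmin",
    "admin_password": "Tr0ub4dor&3-lighthouse",
    "firmware_version": "1.0.2.12",
    "wifi_enabled": True,
    "wifi_security": "WPA2-PSK",
    "remote_admin_enabled": False,
}

# Assumed "latest available" version from the vendor's download page.
LATEST_FIRMWARE = "1.0.2.12"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_router(cfg, LATEST_FIRMWARE)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print(f"  - {finding}")
```

Run the script as-is to see the factory-default configuration fail all four checks and the hardened one pass; to audit a real device, replace the two dictionaries with values read from your router's configuration backup and set LATEST_FIRMWARE to the version the vendor currently publishes.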