The FBI is urging home users to reboot their routers after an investigation revealed more than 500,000 routers in at least 54 countries infected by a Russian hacker group, Fancy Bear. Fancy Bear developed the malware behind this operation, known as VPNFilter. Currently, VPNFilter uses known vulnerabilities to infect small office/home routers. Affected brands include Linksys, MikroTik, Netgear and TP-Link, as well as QNAP network-attached storage (NAS) devices. According to court records, the FBI has been investigating the botnets installed by VPNFilter since August 2017, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware.
How did VPNFilter get onto my Router?
Many routers still use default credentials and/or have known, unpatched vulnerabilities. This occurs most often in older routers or older firmware.
What does VPNFilter do to an infected router?
First, it installs a persistent component to maintain a presence on the infected router. It is then capable of file collection, command execution, data exfiltration, and router management. Added modules can spy on your internet activity and traffic, steal website credentials, and perform a multitude of additional monitoring tasks.
What do I do with my infected router?!
Reboot immediately. This temporarily removes the destructive component of VPNFilter, although it does not guarantee that your router will not be re-infected.
So, Phase 1 of VPNFilter persists even after a reboot?
Yes. Performing a hard reset of the router restores it to factory settings and in most cases wipes it clean, although, as mentioned, this is not guaranteed. On most routers a hard reset is done by pressing and holding a small reset switch while power cycling the router. Please note that any configuration details or credentials stored on the router should be backed up first, as a hard reset wipes them.
List of known infected routers*:
LINKSYS:
- E1200
- E2500
- WRVS4400N
MIKROTIK:
- 1016
- 1036
- 1072
NETGEAR:
- DGN2200
- R6400
- R7000
- R8000
- WNR1000
- WNR2000
QNAP:
- TS251
- TS439 Pro
- Other QNAP NAS devices running QTS
TP-LINK:
- R600VPN
* NOTE: Other routers may be infected but are not yet known at this time.
Please follow the recommended steps below:
- Reboot and/or reset to factory settings by pressing and holding a small reset switch while power cycling the router.
- Create a strong password for the login account on the router.
- Update the firmware: when you are logged in to your router, look for system updates.
- If the router is Wi-Fi enabled, make sure WPA2 is enabled. Turn off remote router administration.
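The steps above form a checklist that is easy to apply inconsistently across several routers. The following is an added example, not code from the original advisory or from any router vendor: it audits a small, constructed snapshot of a router's settings against that checklist (factory-default or weak admin login, outdated firmware, Wi-Fi security weaker than WPA2, remote administration enabled) and can suggest a strong admin password. All field names (`admin_user`, `firmware`, `remote_admin`, and so on), the firmware version strings, and the list of common default logins are assumptions; real routers export their configuration in vendor-specific formats, so the snapshot would have to be filled in by hand from the router's admin pages.

```python
"""Router hardening audit against the VPNFilter advisory checklist.

Added example, not part of the original advisory. The configuration
snapshot format, field names and sample values below are assumptions,
not any vendor's real export format.
"""
import re
import secrets
import string

# Constructed sample of widely used factory logins (assumption: a given
# router's own defaults may differ; check the vendor manual or label).
COMMON_DEFAULT_LOGINS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}


def parse_version(version):
    """Turn a dotted version string such as '1.0.3.12' into a comparable tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def password_findings(user, password):
    """Return checklist findings for the router's admin login."""
    findings = []
    if (user, password) in COMMON_DEFAULT_LOGINS:
        findings.append("admin login is a factory default")
    if len(password) < 12:
        findings.append("admin password is shorter than 12 characters")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    if classes < 3:
        findings.append("admin password uses fewer than 3 character classes")
    return findings


def audit_router(cfg, latest_firmware):
    """Evaluate one constructed settings snapshot; return a list of findings."""
    findings = password_findings(cfg["admin_user"], cfg["admin_password"])
    if parse_version(cfg["firmware"]) < parse_version(latest_firmware):
        findings.append(
            f"firmware {cfg['firmware']} is older than available {latest_firmware}"
        )
    if cfg["wifi_enabled"] and cfg["wifi_security"] not in ("WPA2", "WPA3"):
        findings.append(f"Wi-Fi security is {cfg['wifi_security']}; enable WPA2")
    if cfg["remote_admin"]:
        findings.append("remote (WAN-side) administration is enabled; turn it off")
    return findings


def suggest_admin_password(length=20):
    """Generate a random admin password that passes password_findings()."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_findings("admin", candidate):
            return candidate


# Constructed snapshots: the state many home routers ship in, and the
# same router after the advisory's steps have been applied.
INSECURE_ROUTER = {
    "admin_user": "admin",
    "admin_password": "admin",
    "firmware": "1.0.3.12",
    "wifi_enabled": True,
    "wifi_security": "WPA",
    "remote_admin": True,
}
HARDENED_ROUTER = {
    "admin_user": "admin",
    "admin_password": "Vq7!mR2#pz8%Kt",
    "firmware": "1.0.4.30",
    "wifi_enabled": True,
    "wifi_security": "WPA2",
    "remote_admin": False,
}
LATEST_FIRMWARE = "1.0.4.30"  # assumed value; take it from the vendor's update page

if __name__ == "__main__":
    for name, cfg in (("before", INSECURE_ROUTER), ("after", HARDENED_ROUTER)):
        print(f"{name}: {len(audit_router(cfg, LATEST_FIRMWARE))} finding(s)")
        for finding in audit_router(cfg, LATEST_FIRMWARE):
            print("  -", finding)
    print("suggested admin password:", suggest_admin_password())
```

Run it once before and once after applying the steps; an empty findings list for the hardened snapshot is the expected end state. Note that the script cannot tell whether the malware itself is present; a clean audit only means the conditions the advisory names for infection have been removed, which is why the reboot or factory reset still comes first.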