The FBI has warned that a malware product called VPNFilter has infected over 500,000 devices, including wireless routers and network-attached storage systems. Obviously, this is a major concern in our industry, and we want to help our customers keep their devices secure.
Here’s what the FBI’s Internet Crime Complaint Center wrote about the threat:
Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office/home office (SOHO) routers. … The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware.
Read the full press release here.
What Does VPNFilter Malware Do?
According to the FBI, VPNFilter is capable of “collecting intelligence,” so if you have a compromised router, malicious actors might be able to track your actions online. While that’s a distressing thought, it’s the tip of the iceberg.
VPNFilter is also capable of destroying the embedded Linux systems that run network-attached storage devices. For businesses, this could result in catastrophic losses. The malware can reroute or block traffic and cause other issues that would disrupt normal business operations, so we’re most concerned about the malware’s impact on businesses at this time.
Nevertheless, all computer users should take this threat very seriously. VPNFilter can affect virtually any home internet router, including devices from Asus, TP-Link, Linksys, D-Link, and Netgear. That’s not a knock on those manufacturers, by the way—even the FBI is unsure of the precise infiltration mechanism used by VPNFilter.
How To Prevent VPNFilter Malware From Affecting Your System
The FBI recommends rebooting affected devices, which can disrupt the malware and prevent some of its malicious functionality. This does not completely remove the malware from the affected system, however.
- Search online for the latest version of your router’s firmware. This process varies between makes and models, but you can usually update the firmware from your device’s dashboard page. To access this page, open a web browser and type 192.168.1.1, 192.168.2.1, or 192.168.0.1 into the URL bar. Most routers use one of these addresses, but if none work, consult your router’s documentation (if you don’t have the manual handy, you can find it online by searching for your router’s model number).
- Look for a tab on the configuration page marked “Administration,” “Configuration,” or “Firmware.” Follow the instructions for upgrading the firmware. You will temporarily lose internet access (via the router) during the upgrade.
- Next, perform a factory reset of your router. To make the process slightly easier, write down your router’s WiFi name and password so that you can restore these settings after the reset (that way, you won’t have to manually reconnect all of your WiFi devices).
Usually, you can reset your router by holding down a physical “reset” button for 10 seconds or so. If you’re uncomfortable with the process, consult your router’s documentation.
To be safe, we recommend following these steps regardless of whether your router is specifically identified as one of the compromised models (view a full list of those models below).
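An added example (not from the original article): instead of guessing among the three addresses listed in the steps above, this Python script reads the Linux routing table to find the router's actual address and lists it first. It assumes a Linux client on a little-endian CPU; the function names and the sample routing table are constructed for illustration.

```python
import socket
import struct

# Addresses the article suggests trying when the router's address is unknown.
COMMON_ADMIN_ADDRESSES = ["192.168.1.1", "192.168.2.1", "192.168.0.1"]

RTF_UP, RTF_GATEWAY = 0x1, 0x2  # route flag bits from <linux/route.h>

# Constructed sample in /proc/net/route format (not captured from a real host).
SAMPLE_ROUTES = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "wlan0\t00000000\t0101A8C0\t0003\t0\t0\t600\t00000000\t0\t0\t0\n"
    "wlan0\t0001A8C0\t00000000\t0001\t0\t0\t600\t00FFFFFF\t0\t0\t0\n"
)


def default_gateways(route_text):
    """Return default-route gateway IPs, lowest metric first, without duplicates."""
    found = []
    for line in route_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        dest, gateway, flags, metric, mask = f[1], f[2], int(f[3], 16), int(f[6]), f[7]
        is_default = dest == "00000000" and mask == "00000000"
        if is_default and flags & RTF_UP and flags & RTF_GATEWAY:
            # Addresses are hex in host byte order; assume a little-endian
            # host (x86, typical ARM), so 0101A8C0 decodes to 192.168.1.1.
            ip = socket.inet_ntoa(struct.pack("<I", int(gateway, 16)))
            found.append((metric, ip))
    return list(dict.fromkeys(ip for _, ip in sorted(found)))


def admin_page_candidates(route_text):
    """Gateway addresses first, then the article's common defaults."""
    ordered = default_gateways(route_text)
    ordered += [a for a in COMMON_ADMIN_ADDRESSES if a not in ordered]
    return ["http://%s/" % a for a in ordered]


if __name__ == "__main__":
    try:
        with open("/proc/net/route") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_ROUTES  # not on Linux: fall back to the constructed sample
    for url in admin_page_candidates(text):
        print(url)
```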
For more technical information on the VPNFilter threat, visit this blog from Cisco Talos.
LINKSYS DEVICES:
E1200
E2500
WRVS4400N
MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:
1016
1036
1072
NETGEAR DEVICES:
DGN2200
R6400
R7000
R8000
WNR1000
WNR2000
QNAP DEVICES:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software
TP-LINK DEVICES:
R600VPN