May 28, 2018

The Federal Bureau of Investigation (FBI) is warning that a new malware threat has rapidly infected more than a half-million consumer devices. To help arrest the spread of the malware, the FBI and security firms are urging home Internet users to reboot routers and network-attached storage devices made by a range of technology manufacturers.

The growing menace — dubbed VPNFilter — targets Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage (NAS) devices, according to researchers at Cisco.

Experts are still trying to learn all that VPNFilter is built to do, but for now they know it can do two things well: Steal Web site credentials; and issue a self-destruct command, effectively rendering infected devices inoperable for most consumers.

Cisco researchers said they’re not yet sure how these 500,000 devices were infected with VPNFilter, but that most of the targeted devices have known public exploits or default credentials that make compromising them relatively straightforward.

“All of this has contributed to the quiet growth of this threat since at least 2016,” the company wrote on its Talos Intelligence blog.

The Justice Department said last week that VPNFilter is the handiwork of “APT28,” the security industry code name for a group of Russian state-sponsored hackers also known as “Fancy Bear” and the “Sofacy Group.” This is the same group accused of conducting election meddling attacks during the 2016 U.S. presidential race.

“Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide,” the FBI said in a warning posted to the Web site of the Internet Crime Complaint Center (IC3). “The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.”

According to Cisco, here’s a list of the known affected devices:

LINKSYS DEVICES:

E1200
E2500
WRVS4400N

MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:

1016
1036
1072

NETGEAR DEVICES:

DGN2200
R6400
R7000
R8000
WNR1000
WNR2000

QNAP DEVICES:

TS251
TS439 Pro

Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN

Image: Cisco

Unfortunately, there is no easy way to tell if your device is infected. If you own one of these devices and it is connected to the Internet, you should reboot (or unplug, wait a few seconds, replug) the device now. This should wipe part of the infection, if there is one. But you’re not out of the woods yet.

Cisco said part of the code used by VPNFilter can still persist until the affected device is reset to its factory-default settings. Most modems and DVRs will have a tiny, recessed button that can only be pressed with something small and pointy, such as a paper clip. Hold this button down for at least 10 seconds (some devices require longer) with the device powered on, and that should be enough to reset the device back to its factory-default settings. In some cases, you may need to hold the tiny button down and keep it down while you plug in the power cord, and then hold it for 30 seconds.

After resetting the device, you’ll need to log in to its administrative page using a Web browser. The administrative page of most commercial routers can be accessed by typing 192.168.1.1 or 192.168.0.1 into a Web browser address bar. If neither of those works, try looking up the documentation at the router maker’s site, or checking to see if the address is listed here. If you still can’t find it, open the command prompt (Start > Run, or search for “cmd”) and then enter ipconfig. The address you need should be next to Default Gateway under your Local Area Connection.

Once you’re there, make sure you’ve changed the factory-default password that allows you to log in to the device (pick something strong that you can remember).

You’ll also want to make sure your device has the latest firmware updates. Most router Web interfaces have a link or button you click to check for newer device firmware. If there are any updates available, install those before doing anything else.
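Finding the router’s address is the one step in the procedure above that a script can do the same way on any computer. The Python helper below is an added example, not code from the article or from any router maker: it parses the output of Windows `ipconfig`, Linux `ip route`, or macOS/BSD `netstat -rn` to pull out the IPv4 default gateway (the same “Default Gateway” value the text tells you to look for) and prints the URLs to try in a browser. The `SAMPLE_*` strings are constructed test data; the adapter names and addresses in them are made up. It also handles the common case where Windows lists an IPv6 gateway first and puts the IPv4 gateway on an indented continuation line.

```python
"""Locate the home router's administrative address from the local routing table.

Added example: parses the 'Default Gateway' information the article tells
readers to look for, on Windows (ipconfig), Linux (ip route) and macOS/BSD
(netstat -rn).  The SAMPLE_* strings are constructed test data.
"""
import platform
import re
import subprocess

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# ipconfig label lines look like "   Default Gateway . . . . . : <value>"
LABEL_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /\-]*?)[ .]*:\s*(.*)$")
# `ip route` prints "default via <gw> ...", `netstat -rn` prints "default   <gw> ..."
ROUTE_RE = re.compile(r"^default(?:\s+via)?\s+(\S+)")

# Constructed sample outputs (made-up adapter names and addresses).
SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
"""
SAMPLE_IP_ROUTE = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
SAMPLE_NETSTAT = """Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.0.0.1           UGScg          en0
10/24              link#6             UCS            en0      !

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::%utun0                    UGcIg         utun0
"""


def _add(found, candidate):
    """Keep only IPv4 addresses, in first-seen order, without duplicates."""
    candidate = candidate.strip()
    if IPV4_RE.match(candidate) and candidate not in found:
        found.append(candidate)


def gateways_from_ipconfig(output):
    """Extract IPv4 default gateways from Windows `ipconfig` output.

    An adapter may list an IPv6 gateway on the 'Default Gateway' line and the
    IPv4 gateway on an indented continuation line; adapters with no gateway
    (disconnected media) are ignored.
    """
    found = []
    in_gateway = False
    for line in output.splitlines():
        m = LABEL_RE.match(line)
        if m:
            in_gateway = m.group(1).strip().lower() == "default gateway"
            if in_gateway:
                _add(found, m.group(2))
        elif in_gateway and line.strip():
            _add(found, line)        # continuation line under Default Gateway
        else:
            in_gateway = False       # blank line or adapter header ends the block
    return found


def gateways_from_route_table(output):
    """Extract IPv4 default gateways from `ip route` (Linux) or `netstat -rn` (macOS/BSD)."""
    found = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            _add(found, m.group(1))
    return found


def find_router_addresses():
    """Run the platform's routing command and return candidate router addresses."""
    if platform.system() == "Windows":
        out = subprocess.run(["ipconfig"], capture_output=True, text=True).stdout
        return gateways_from_ipconfig(out)
    for cmd in (["ip", "route"], ["netstat", "-rn"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True).stdout
        except FileNotFoundError:
            continue                 # that tool is not installed; try the next one
        gws = gateways_from_route_table(out)
        if gws:
            return gws
    return []


def admin_urls(gateways):
    """Browser URLs to try for the admin page; most consumer routers answer on plain HTTP."""
    return ["http://%s/" % gw for gw in gateways] + ["https://%s/" % gw for gw in gateways]


if __name__ == "__main__":
    gws = find_router_addresses()
    if not gws:
        print("No IPv4 default gateway found; check the router maker's documentation.")
    for url in admin_urls(gws):
        print("Try:", url)
```

Run it from the computer that is connected to the router; if it prints nothing, the machine may be on a network with no IPv4 default route, in which case the router maker’s documentation is the fallback the article already recommends.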

If you’ve reset the router’s settings, you’ll also want to encrypt your connection if you’re using a wireless router (one that broadcasts your modem’s Internet connection so that it can be accessed via wireless devices, like tablets and smart phones). WPA2 is the strongest encryption technology available in most modern routers, followed by WPA and WEP (the latter is fairly trivial to crack with open source tools, so don’t use it unless it’s your only option).

But even users who have a strong router password and have protected their wireless Internet connection with a strong WPA2 passphrase may have the security of their routers undermined by security flaws built into these routers. At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

However, WPS also may expose routers to easy compromise. Read more about this vulnerability here. If your router is among those listed as using WPS, see if you can disable WPS from the router’s administration page. If you’re not sure whether it can be, or if you’d like to see whether your router maker has shipped an update to fix the WPS problem on their hardware, check this spreadsheet.

Turning off any remote administration features that may be turned on by default is always a good idea, as is disabling Universal Plug and Play (UPnP), which can easily poke holes in your firewall without you knowing it. However, Cisco researchers say there is no indication that VPNFilter uses UPnP.
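A quick way to confirm that the UPnP setting actually took effect is to ask the local network whether anything still advertises itself as a UPnP Internet gateway. The script below is an added example, not Cisco’s or any router maker’s code: it sends one standard SSDP M-SEARCH for the UPnP InternetGatewayDevice type and reports any router that answers, which means UPnP (and with it, the ability for any program on the LAN to open ports on the firewall) is still enabled. The reply in `SAMPLE_RESPONSE` is constructed. Silence is not proof that UPnP is off, since some firmware answers only on the wired side or rate-limits discovery, so treat a “no answer” result as a check, not a guarantee.

```python
"""Check whether a router on the local network still advertises UPnP.

Added example (not from the article).  Sends one SSDP M-SEARCH for the UPnP
InternetGatewayDevice (IGD) type and parses the replies.  A router that
answers has UPnP enabled and will accept port-mapping requests from any
program on the LAN, which is the 'holes in your firewall' risk described above.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_TYPE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: " + IGD_TYPE + "\r\n"
    "\r\n"
).encode("ascii")

# Constructed sample reply, shaped like what a consumer router with UPnP on sends.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux/3.4 UPnP/1.1 ExampleRouter/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-4000-8000-000000000001::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw):
    """Return the headers of an SSDP '200 OK' reply as a dict with lower-case keys.

    Anything that is not a 200 reply (a NOTIFY announcement, junk) yields {}.
    """
    text = raw.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break                        # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway_advertisement(headers):
    """True when the reply's ST (search target) is the UPnP Internet Gateway Device type."""
    return headers.get("st", "") == IGD_TYPE


def discover_upnp_gateways(timeout=3.0):
    """Multicast one M-SEARCH and collect (sender IP, LOCATION, SERVER) for IGD replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if is_gateway_advertisement(headers):
                found.append((ip, headers.get("location", ""), headers.get("server", "")))
    except socket.timeout:
        pass                             # no more replies within the window
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    hits = discover_upnp_gateways()
    if not hits:
        print("No UPnP Internet Gateway Device answered (UPnP may be off, or not reachable from here).")
    for ip, location, server in hits:
        print("UPnP gateway still enabled at %s (%s), description at %s" % (ip, server, location))
```

Run it once before and once after disabling UPnP in the router’s admin page; the router should appear in the first run and not in the second.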

For more tips on how to live with your various Internet of Things (IoT) devices without becoming a nuisance to yourself or the Internet at large, please see Some Basic Rules for Securing Your IoT Stuff.

Update, June 2, 10:30 a.m. ET: Netgear provided the following statement about VPNFilter:

To protect against this possible malware, we strongly advise all NETGEAR router owners to take the following steps:

• Make sure that you are running the latest firmware on your NETGEAR router. Firmware updates include important security fixes and upgrades. For more information, see How do I update my NETGEAR router firmware using the Check button in the router web interface?.
• Make sure that you have changed your default admin password. For more information, see How do I change the admin password on my NETGEAR router?.
• Make sure that remote management is turned off on your router. Remote management is turned off by default and can only be turned on in your router’s advanced settings.

To make sure that remote management is turned off on your router:
1. On a computer that is part of your home network, type http://www.routerlogin.net in the address bar of your browser and press Enter.
2. Enter your admin user name and password and click OK.
   If you never changed your user name and password after setting up your router, the user name is admin and the password is password.
3. Click Advanced > Remote Management.
4. If the check box for Turn Remote Management On is selected, clear it and click Apply to save your changes.
   If the check box for Turn Remote Management On is not selected, you do not need to take any action.

NETGEAR is investigating and will update this advisory as more information becomes available.


81 thoughts on “FBI: Kindly Reboot Your Router Now, Please”

  1. Muffin

    Brian and others: After reading many of the comments, I’m wondering if I should not try to do this myself. I am not an IT person. I would describe myself as an average computer user who is concerned about security. Do you all think I should hire IT help to do this?

  2. Demitrios

    Re-booting your router is as easy as the media has been telling you – pull the A/C plug, wait 60 seconds, and energize it again. (Your power company does this for you every time you have a power outage over 30 secs). Changing your router’s Key/Password is a completely different and complex matter – hire someone who knows “what they are doing” by all means!

      1. Brandon

        Changing your router’s admin password is fairly straightforward. Updating the firmware could be a little trickier for a non-IT person, but resetting and changing the password is something everyone should know how to do in this day and age.

    1. Warez

      What exactly does waiting 60 seconds accomplish?

      1. Jack

        The 60 seconds is to ensure that the unit is completely without power.

        If the unit still has power, then the malicious software could stay in memory.

    2. Robert Gregory-Browne

      Resetting your password is very easy and can be done in a web browser. Follow the instructions set out by your router manufacturer.

  3. Alex

    I find it really interesting this malware was apparently also looking for Modbus traffic. Someone was trolling for control systems. One would think if this is a state actor they are mainly out for infrastructure type systems. What smells odd about that assumption: how many of these systems would be behind SOHO routers?

    Seems more likely they would find smaller control systems like building management, or small process systems behind these type of cheap routers. Would love to know if they found any payloads that followed up after finding Modbus traffic.

    1. Mark

      I suspect they’re not looking for the control system behind a SOHO router as much as they are looking for the eager, energetic, (and compromising) sysadmin fixing the world from home. Find that and you’ve got an easy ride into a whole new realm (and a sysadmin wondering how in the world they got in). NOT that anybody REALLY does that, that’s just stories.

      1. Alex

        LOL, this same thought finally hit me.

        Must be something specific as most of these types of connections wouldn’t use Modbus.

  4. Alex

    So from the Sophos analysis they claim it was looking for “*modbus*\n%s:%uh->%s:%hu” Modbus packet.

    Can someone point me in the right direction here? No stranger to Modbus, but what exactly is this string referring to? Regex or something??

    1. Jack

      Did you install the router or did someone else install it? Try reaching out to that person if someone did this for you.

      Find your manufacturer’s web site and search how to reset your router. The information should be readily available.


      So any configurations in your router will be lost. For example, your Wireless Access, specific ports for routing and so on.

  5. Greg Scott

    I took some time to put this blog post together. The level of illiteracy across the United States around this stuff is shocking and it’s past time we do something about it.

    @Muffin, no, don’t call somebody else to take care of your Internet router. Call somebody to teach you how to take care of your own Internet router. Why do so many people let technology intimidate them?

    Enjoy – and share if you like.
    http://dgregscott.com/russian-hackers-internet-router-fairy-tales/

    – Greg Scott

  6. Dale

    I’m wondering about the modem provided by my ISP (AT&T fiber). I receive internet access through it, but everything in my home is plugged into a router that plugs into the modem. Does the modem need to be reset or have its firmware updated?

    1. Greg Scott

      I would call ATT and ask – but I’ve had awful experiences with ATT customer support. I wrote a blog post about that a few years ago. Also Google the make and model of that modem and see what others are saying about it.

      – Greg
