You might have seen reports that the FBI is warning home users of a new foreign cyber-attack campaign targeted at your routers and network-attached storage (NAS) devices. Here’s a breakdown of exactly what has happened, and what you need to do to keep your home IT systems safe and secure.
What is VPNFilter?
This is the name of the new malware threat facing home users globally. At least 500,000 small and home office (SOHO) routers and network-attached storage (NAS) devices have been infected by the malware. The Justice Department has attributed it to a Russian cybercrime group known as APT28 or “Fancy Bear”, which has links to the Kremlin.
It’s unknown exactly why the malware is being spread, but it has several capabilities. VPNFilter could:
- Monitor your internet traffic and steal sensitive data, such as website log-ins
- Render the device completely unusable via a “kill” command
- Use your devices to route/launch attacks on other targets
Have I been hit?
Unfortunately, it’s difficult to tell if your device has been affected as the malware is designed to operate covertly in several stages. The devices named as vulnerable to this campaign include, but may not be limited to:
- Linksys: E1200, E2500, WRVS4400N
- Mikrotik: 1016, 1036, 1072
- Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
- QNAP: TS251, S439 Pro, and other QNAP NAS devices running QTS software
- TP-Link: R600VPN
How do I stay safe?
It’s not known exactly how the hackers managed to infect the 500,000 devices hit so far, but the models listed above contain publicly known software vulnerabilities and/or feature default passwords, which make them easy to attack.
The best course of action is therefore to at least follow the FBI’s advice and reboot your router. Better yet, follow Cisco’s advice and reset it. In more detail:
- Reset/Restore to factory settings. You can usually do this by holding down the small recessed button labelled “reset” with a paper clip or similar for five to ten seconds. Note that all your custom settings will be lost.
- Reboot the device. (The reset should reboot it anyway. Doing this without a reset will at least temporarily disrupt the malware and aid identification of infected devices by investigators).
- Log in to your device admin page via your browser using the default ID and password, since your custom log-in will be gone. (Check the console address and default log-in with your router/NAS provider. They are also typically given on the QuickStart card or in the Setup section of the User’s Guide).
- Change the factory default admin name if you can, and definitely change the default password to a strong one you can remember. Or use your password manager to generate one and save it in the password manager by logging out once you change it and then logging in again.
- Apply the latest firmware if available and reboot again. (This may be done automatically by your provider. But to double-check, visit the same admin page and click through to the software/firmware tab. Often you’re notified if there’s a firmware update available; or you can click a button to find out. If not, then your provider is responsible for the firmware update.)
- Make sure remote administration is disabled in the router. (It should be, by default. If not, disable it.) This helps prevent hackers from remotely getting onto your network via the router.
Trend Micro will be monitoring this ongoing threat, so stay tuned for more insight and updates on how to stay safe. For current technical info on the threat, read Reboot Your Routers on Trend Micro Security News or this article from ArsTechnica.