News

FBI Issues a Warning to Reboot your Home and Office Routers Now!

In a very rare move, the FBI issues a warning to reboot your home and office routers now! Americans with internet routers in their homes or offices should reboot their routers immediately after the agency discovered hundreds of thousands of routers had been compromised by “foreign actors” (their wording, not ours).

 

Summary

The FBI recommends in this public service announcement issued Friday any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

Technical Information

The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer.

UPDATE: Researchers from Cisco’s Talos security team first disclosed the existence of the malware this past Wednesday. Their report details that the malware infected more than  half a million devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. The malware had a name that IT folks would not even suspect was malware… VPNFilter. The malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot.

Threat

VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated and Cisco’s report states “In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have.”

Defense

Since routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet, it is hard to protect them. While the researchers still don’t know exactly how the devices are getting infected… they state that almost all of those targeted have known public exploits or default credentials that make compromise easy. Antivirus provider Symantec issued its own advisory last Wednesday. It identified the targeted devices as:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

What to do?

Per ARSTechnica.com, both Cisco and Symantec are advising users of any of these devices to do a factory reset. Unfortunately, these resets wipe all configuration settings and most of us will not be able to reset the configurations (which means we won’t be able to access the internet!). If you do decide to do that factory reset, usually you push a button on the back of the device for five to 10 seconds. But, alternatively, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.

Other actions you should take include: changing all default passwords, be sure your devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of “some” router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.

Cisco researchers urged both consumers and businesses to take the threat of VPNFilter seriously.

About the author

Trish

Trish is one of the owners of Hip Homeschool Moms. She has been married to her best friend, David, for 20 years and they have three sons (ages 19, 17 and 15). Trish is from the coast of North Carolina, but they now live in rural West Tennessee on a 40+ acre farm. She has been homeschooling since 2009 and her homeschool style leans towards a Montessori approach with a heavy emphasis on hands-on learning. They also own a small business that Trish runs from home. Trish’s family is Messianic and they love studying the Scriptures, learning Hebrew and growing in their faith and walk daily. In her spare time, Trish loves to write, work in their garden and can regularly be found trying to learn something new, modeling that learning is indeed a life-long endeavor!

Add Comment

Click here to post a comment

Topics