The FBI Router Warning – What to Do

A little background: Apparently Russia has been using some malicious software called VPNFilter, a variant of other state-sponsored malware attacks out of Russia.  

• It is targeting networking devices worldwide, with 54 countries known to be infected
• More than half a million routers are already known to be infected
• Popular networking devices sold in many big box stores are affected
• Problems occur in home networks and small businesses that use these non-professional grade routers in order save money
• Included as problematic are: Linksys, MikroTik, Netgear, TP-Link and QNAP (NAS – Network atta,ched storage devices.)

What Happens?

This malicious malware allows for the stealing of your login credentials and monitoring of all network traffic.  In some cases, it can make the device unusable. The location of these home-grade devices at the edge of the network means they are not protected by any anti-virus or Intrusion Protection Systems [Click here if you’d like info on Intrusion Prevention for Business].

The age of the hardware is also an issue because most are running older software versions that have never been updated, even though there are patches available.  The fact that there are patches means that the bad guys already know about and are using the vulnerability.

The malware known as VPNFilter acts to gather intelligence as well as deploy damaging cyber operations, and it does it using a modular multi-stage method.

Three stages of infection and control appear to be present in this malware. The first stage is for making the connection and creating a robust platform capable of launching the other two stages and withstanding other changes to the system. The second stage focuses on collecting and removing data, executing commands and device management. In some cases, it also contains a “self-destruct” module that will destroy the firmware making the device inoperable. The third stage is a series of modules that include the ability to identify all traffic passing through the device including login credentials, bank information, passwords, etc.  Other modules allow it to communicate over the anonymous TOR networks.

Simply rebooting your hardware is not enough to remove it.  The characteristics of this malware allow for the destruction of stage 2 and stage 3 on reboot; however, stage one persists and will enable stage 2 and 3 two be reinstalled at will by the black hats and is why it can live through a “hard” reboot/factory restore.  

Known Vulnerable Devices

Here is a partial list of devices that are known to be vulnerable to VPNFilter:

• Linksys E1200
• Linksys E2500
• Linksys WRVS4400N
• Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
• Netgear DGN2200
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software
• TP-Link R600VPN

UPDATE! Here are new vendors that were also discovered to be affected.

• ASUS
• D-Link
• Huawei
• Ubiquity
• UPVEL
• ZTE
• MikroTik

Reported June 6, 2018 by Talos Intelligence

Netgear — What to do

To protect against this possible malware, we strongly advise all NETGEAR router owners to take the following steps:

Upgrade Firmware

Make sure that you are running the latest firmware on your NETGEAR router. Firmware updates include critical security fixes and upgrades. For more information, see How do I update my NETGEAR router firmware using the Check button in the router web interface?.

Passwords

Make sure that you have changed your default admin password. For more information, see How do I change the admin password on my NETGEAR router?.

Remote Management

Make sure that remote management is turned off on your router. It is turned off by default and can only be turned on in your router’s advanced settings. On a computer that is part of your home network, type http://www.routerlogin.net in the address bar of your browser and press Enter.

Enter your admin username and password and click OK.

If you never changed your username and password after setting up your router, the username is an admin, and the password is password.

Click Advanced > Remote Management.

If the checkbox for Turn Remote Management On is selected, clear it and click Apply to save your changes.

If the checkbox for Turn Remote Management On is not selected, you do not need to take any action.

Linksys – What to do

Factory Reset

If you can’t access the router’s web-based setup page or forgot the router’s password, you may reset the router to its default factory settings.  To do this, press and hold the Reset button for 10 seconds. Resetting your router to its default factory settings will also reset your router’s password.  The router’s default password is “admin” as for the username, just leave the field blank.

Make sure that the Power LED of the router is blinking when you press the Reset button.  This indicates that the router is being reset properly. The location of the Reset button may vary per model.  Older Linksys devices may require pressing and holding the Reset button for 30 seconds to complete the reset process.

After pressing the Reset button, unplug and re-plug the router’s power adapter. The Power LED of the router will keep on blinking for a few seconds after resetting as it is still trying to stabilize.  However, if the Power light still isn’t solid after a minute, power cycle the router. For further steps on how to resolve this issue, click here.

Resetting the router using the web-based setup page

• Step 1:
  Access the router’s web-based setup page.  To learn how click here. To learn how to access the web-based setup page on a Mac® computer, click here.
• Step 2:
  Click the Administration tab then click on the Factory Defaults sub-tab.
• Step 3:
  Under the Factory Defaults section, click on the Restore Factory Defaults button.

After resetting the router to its default settings, reconfigure it according to your Internet service.  To learn how to reconfigure the Linksys router for Cable Internet connection, click here.  If you have DSL connection, click here.

The Power LED of the router will keep on blinking for a few seconds after resetting as it is still trying to stabilize.  However, if the Power light still isn’t solid after a minute, power cycle the router. For further steps on how to resolve this issue, click here.

Changing the router’s password

The router’s default Password is “admin”, as for the Username, you can leave the field blank.  For security purposes, it is recommended to change the default password.

Changing the router’s password through the web-based setup page may prevent you from using the Linksys Connect software.  However, if you have installed the latest version of the software, it will automatically prompt to enter the new password that you saved on the web-based setup page.  To learn how to change the wireless network name and password using Linksys Connect, click here.

• Step 1:
  Access the router’s web-based setup page.  To learn how click here. To learn how to access the web-based setup page on a Mac® computer, click here.
  
• Step 2:
  Click the Administration tab.
  
• Step 3:
  Under the Management section, enter the new password in the Router Password and Re-Enter to Confirm fields. (You may use a combination of letters and numbers for your router password.  Make sure that you take note of your router password so that you may have a back-up in case you forget it.)
  
• Step 4:
  Click Save Settings.