• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Consumer   »   FBI Router Reboot Warning: How Do I Stay Safe from the New VPNFilter Malware?

FBI Router Reboot Warning: How Do I Stay Safe from the New VPNFilter Malware?

  • Posted on:June 4, 2018
  • Posted in:Consumer, Security
  • Posted by:
    Trend Micro
0

You might have seen reports that the FBI is warning home users of a new foreign cyber-attack campaign targeted at your routers and network-attached storage (NAS) devices. Here’s a breakdown of exactly what has happened, and what you need to do to keep your home IT systems safe and secure.

What is VPNFilter?

This is the name of the new malware threat facing home users globally. At least 500,000 small and home office (SOHO) routers and network attached storage (NAS) devices have been infected by the malware. It has been blamed by the Justice Department on a Russian cybercrime group known as APT28 or “Fancy Bear” with links to the Kremlin.

 

It’s unknown exactly why the malware is being spread, but it has several capabilities. VPNFilter could:

  • Monitor your internet traffic and steal sensitive data, such as website log-ins
  • Render the device completely unusable via a “kill” command
  • Use your devices to route/launch attacks on other targets

Have I been hit?

Unfortunately, it’s difficult to tell if your device has been affected as the malware is designed to operate covertly in several stages. The devices named as vulnerable to this campaign include, but may not be limited to:

  • Linksys: E1200, E2500, WRVS4400N
  • Mikrotik: 1016, 1036, 1072
  • Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
  • QNAP: TS251, S439 Pro, and other QNAP NAS devices running QTS software
  • TP-Link: R600VPN

How do I stay safe?

It’s not known exactly how the hackers managed to infect the 500,000 devices hit so far, but the models listed above contain publicly known software vulnerabilities and/or feature default passwords, which make them easy to attack.

The best course of option is therefore to at least follow the FBI’s advice and reboot your router. Better yet, follow Cisco’s and reset. In more detail:

  • Reset/Restore to factory settings. You can usually do this by holding down the small recessed button labelled “reset” with a paper clip or similar for five to ten seconds. Note that all your custom settings will be lost.
  • Reboot the device. (The reset should reboot it anyway. Doing this without a reset will at least temporarily disrupt the malware and aid identification of infected devices by investigators).
  • Log-in to your device admin page via your browser using the default ID and password, since your custom log-in will be gone. (Check the console address and default log-in from your router/NAS provider. Also, it’s typically given on the QuickStart card or in the Setup section of the User’s Guide).
  • Change the factory default admin name if you can, but definitely the default password to a strong one you can remember. Or use your password manager to generate one and save it in the password manager by logging out once you change it and then doing another login.
  • Apply the latest firmware if available and reboot again. (This may be done automatically by your provider. But to double-check, visit the same admin page and click through to the software/firmware tab. Often you’re notified if there’s a firmware update available; or you can click a button to find out. If not, then your provider is responsible for the firmware update.)
  • Make sure remote administration is disabled in the router. (It should be, by default. If not, disable it.) This helps prevent hackers from remotely getting onto your network via the router.

Trend Micro will be monitoring this ongoing threat, so stay tuned for more insight and updates on how to stay safe. For current technical info on the threat, read Reboot Your Routers on Trend Micro Security News or this article from ArsTechnica.

For additional information, please read the latest from Cisco Talos: A Growing Threat: VPNFilter Malware – Cisco Talos – June 6 Update

Related posts:

  1. Bad Rabbit Ransomware – What is it and how to stay safe
  2. How to Stay Safe Online this Cyber Monday
  3. Two-Factor Authentication: What is it and why do I need it to stay safe online?
  4. VPN 101 – Part 1: What You Need to Know to Stay Safe and Protect Your Privacy Online

Security Intelligence Blog

  • Analyzing C/C++ Runtime Library Code Tampering in Software Supply Chain Attacks
  • Zero-day XML External Entity (XXE) Injection Vulnerability in Internet Explorer Can Let Attackers Steal Files, System Info
  • Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Collaborating with Law Enforcement to Tackle the Scourge of ATM Attacks
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Third Party Testing of Security is a Very Big Deal for Customers
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Medical Malware and Monitor Hacks
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Attacking Containers and runC
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • Today’s Predictions for Tomorrow’s Internet
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • What Did We Learn from the Global GPS Collapse?

Follow Us

Trend Micro in the News

Trend Micro Blogs

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.