• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Consumer   »   FBI Router Reboot Warning: How Do I Stay Safe from the New VPNFilter Malware?

FBI Router Reboot Warning: How Do I Stay Safe from the New VPNFilter Malware?

  • Posted on:June 4, 2018
  • Posted in:Consumer, Security
  • Posted by:
    Trend Micro
0

You might have seen reports that the FBI is warning home users of a new foreign cyber-attack campaign targeted at your routers and network-attached storage (NAS) devices. Here’s a breakdown of exactly what has happened, and what you need to do to keep your home IT systems safe and secure.

What is VPNFilter?

This is the name of the new malware threat facing home users globally. At least 500,000 small and home office (SOHO) routers and network attached storage (NAS) devices have been infected by the malware. It has been blamed by the Justice Department on a Russian cybercrime group known as APT28 or “Fancy Bear” with links to the Kremlin.

 

It’s unknown exactly why the malware is being spread, but it has several capabilities. VPNFilter could:

  • Monitor your internet traffic and steal sensitive data, such as website log-ins
  • Render the device completely unusable via a “kill” command
  • Use your devices to route/launch attacks on other targets

Have I been hit?

Unfortunately, it’s difficult to tell if your device has been affected as the malware is designed to operate covertly in several stages. The devices named as vulnerable to this campaign include, but may not be limited to:

  • Linksys: E1200, E2500, WRVS4400N
  • Mikrotik: 1016, 1036, 1072
  • Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
  • QNAP: TS251, S439 Pro, and other QNAP NAS devices running QTS software
  • TP-Link: R600VPN

How do I stay safe?

It’s not known exactly how the hackers managed to infect the 500,000 devices hit so far, but the models listed above contain publicly known software vulnerabilities and/or feature default passwords, which make them easy to attack.

The best course of option is therefore to at least follow the FBI’s advice and reboot your router. Better yet, follow Cisco’s and reset. In more detail:

  • Reset/Restore to factory settings. You can usually do this by holding down the small recessed button labelled “reset” with a paper clip or similar for five to ten seconds. Note that all your custom settings will be lost.
  • Reboot the device. (The reset should reboot it anyway. Doing this without a reset will at least temporarily disrupt the malware and aid identification of infected devices by investigators).
  • Log-in to your device admin page via your browser using the default ID and password, since your custom log-in will be gone. (Check the console address and default log-in from your router/NAS provider. Also, it’s typically given on the QuickStart card or in the Setup section of the User’s Guide).
  • Change the factory default admin name if you can, but definitely the default password to a strong one you can remember. Or use your password manager to generate one and save it in the password manager by logging out once you change it and then doing another login.
  • Apply the latest firmware if available and reboot again. (This may be done automatically by your provider. But to double-check, visit the same admin page and click through to the software/firmware tab. Often you’re notified if there’s a firmware update available; or you can click a button to find out. If not, then your provider is responsible for the firmware update.)
  • Make sure remote administration is disabled in the router. (It should be, by default. If not, disable it.) This helps prevent hackers from remotely getting onto your network via the router.

Trend Micro will be monitoring this ongoing threat, so stay tuned for more insight and updates on how to stay safe. For current technical info on the threat, read Reboot Your Routers on Trend Micro Security News or this article from ArsTechnica.

For additional information, please read the latest from Cisco Talos: A Growing Threat: VPNFilter Malware – Cisco Talos – June 6 Update

Related posts:

  1. Finding a Better Route to Router and Home Network Security
  2. VPN 101 – Part 1: What You Need to Know to Stay Safe and Protect Your Privacy Online
  3. Bad Rabbit Ransomware – What is it and how to stay safe
  4. How to Stay Safe Online this Cyber Monday

Security Intelligence Blog

  • Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique
  • Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers
  • Netwalker Fileless Ransomware Injected via Reflective Loading

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Answering IoT Security Questions for CISOs
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Getting ATT&CKed By A Cozy Bear And Being Really Happy About It: What MITRE Evaluations Are, and How To Read Them
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode and TrickBot Adds Enterprise-grade Module to Malware Arsenal
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • The Shared Responsibility Model
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Securing Smart Manufacturing

Follow Us

Trend Micro In The News

  • Shadowserver, an Internet Guardian, Finds a Lifeline
  • 7 Tips for Security Pros Patching in a Pandemic
  • ‘Netflix and chill’ for cyber crooks
  • All the things COVID-19 will change forever, according to 30 top experts
  • You have to consider cybersecurity at all points of a cloud migration
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.