Cisco has released an advisory reporting that at least half a million consumer and small business routers, with the count still growing, have been infected with malware dubbed VPNFilter.
The malware was detected infecting routers from:
- and QNAP network-attached storage devices
The researchers have not yet identified a test that a consumer or small business can use to tell whether a particular router is infected.
On top of that, there is no “patch” that will inoculate a router against the malware.
The infection affects routers in 54 countries and has grown so quickly over the last month that the researchers decided to publish their findings early. They are continuing to study it.
The malware is very flexible in what it can do, including stealing credentials and rendering the router unusable so that the owner has to buy a new one.
Among other things, the malware can apparently exfiltrate files and run commands on your router, which opens the door to a wide variety of compromises of the systems behind it.
The FBI says that it has seized a server used by the attackers. In practice, that means the attackers will stand up a new control server and push a new version of the malware to the compromised devices. Because this control server was taken offline, the attackers *MAY* have to reinfect those devices, but apparently that wasn’t too hard to do in the first place.
Information for this post came from Ars Technica.
OK, so given that, what do you do?
The article lists some of the routers affected. Some of them, like the Linksys E1200 and E2500 and Netgear R7000 and R8000, are extremely popular. If you have one of the routers listed in the article, you should raise your alert level.
Rebooting the router WILL NOT remove the malware; the first stage of VPNFilter is designed to survive a reboot. Given that there is no easy way to detect the malware, Cisco is recommending that users of the listed routers perform a factory reset. Be aware that a factory reset wipes the router’s configuration, so someone will have to set it up again. This may mean sending a service technician to your house or office. Right now, this is the only known way to disinfect an infected router.
I recommend putting a separate firewall between your ISP’s router and your internal computers. This is another layer of defense: even if the ISP’s router is compromised, an attacker still has to get through a device you control. Two good choices are pfSense (which comes both as open source software and as a commercial package) and the Ubiquiti EdgeRouter X. Note that you will need some expertise, or will have to hire someone, to configure it. It will, however, give you an extra layer of protection. And, since you are buying it, your ISP will not have the password to it.
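As an added illustration (not from the original post or from Ubiquiti), here is the kind of baseline ruleset that second firewall should carry, written as EdgeOS configure-mode commands for an EdgeRouter X. It assumes eth0 is the port plugged into the ISP’s router, that addressing and NAT for the internal side are already set up (not shown), and that the internal interface address is 192.168.10.1; those values are assumptions for the example. The point is that nothing on the ISP-router side, including a compromised ISP router, can open a connection inward or reach the EdgeRouter’s own management interfaces.

```text
# Added example: baseline default-deny ruleset for the inside firewall.
# Traffic arriving on eth0 (from the ISP's router) and heading to internal hosts.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'From ISP router to internal network'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow replies to connections we started'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid packets'
set firewall name WAN_IN rule 20 state invalid enable

# Traffic arriving on eth0 and aimed at the EdgeRouter itself (its admin interfaces).
# Default drop means no remote management is reachable from the ISP side.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'From ISP router to this router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow replies to connections we started'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid packets'
set firewall name WAN_LOCAL rule 20 state invalid enable

# Bind both rulesets to the port facing the ISP's router (eth0 is assumed).
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Only answer the web UI and SSH on the internal address (192.168.10.1 is assumed).
set service gui listen-address 192.168.10.1
set service ssh listen-address 192.168.10.1

commit
save
```

Enter these after `configure` on the EdgeRouter’s CLI; `commit` applies them and `save` persists them across reboots. Outbound traffic from the internal network is unaffected, because only the `in` and `local` directions on eth0 are filtered, and the established/related rules let the replies back in.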
Make sure that you change the default password in your existing router. One possible way the infection is getting in is via default credentials.
Check whether your router manufacturer has published any firmware updates for your router. If so, install them, and repeat that check every month.
Unfortunately, unlike some attacks where there is an easy fix, this one is a bit of a dumpster fire, and since it affects so many different devices, it is not likely to be fixed quickly.