Last Friday, the FBI released a public service announcement (PSA) recommending that everyone restart their home and office routers. The reason? "Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide."
That's a pretty alarming PSA, but also a bit vague. How do you know if your router is infected? What can you do to keep the malware out? And, perhaps most importantly, can a simple reboot really eliminate the threat?
What is the threat?
The FBI's recommendation follows a report that malware known as VPNFilter has infected over half a million routers and network devices, according to Cisco's Talos Intelligence Group.
VPNFilter is "able to disable routers in small offices and home offices," the FBI said. "The malware may also collect information that passes through the router."
Who distributed VPNFilter, and for what purpose? The Department of Justice believes that Russian hackers operating under the name Sofacy Group used the malware to control infected devices.
How do you know if you are infected?
Unfortunately, there is no easy way to determine whether your router has been compromised by VPNFilter. The FBI says only that "the malware targets routers produced by multiple manufacturers and networked storage devices from at least one manufacturer."
Those manufacturers are Linksys, MikroTik, Netgear, QNAP and TP-Link. However, the Cisco report states that only a small number of models are known to be affected:
Linksys: E1200, E2500, WRVS4400N
MikroTik: 1016, 1036, 1072
Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
QNAP: TS251, TS439 Pro, other QNAP NAS devices running QTS software
TP-Link: R600VPN
Consequently, there is a fairly low chance that your router is infected. Of course, you can never be too careful, so let's talk about how to clean an infected router and, better still, how to avoid infection in the first place.
Will a restart really work?
It certainly can't hurt. Restarting (power-cycling) your router is harmless and is often the first step in troubleshooting network or connectivity problems; if you have ever called technical support about an Internet problem, you were probably told to do just that. However, according to Krebs on Security, which cites the aforementioned Cisco report, rebooting alone will not do the trick: "Part of the code used by VPNFilter may still persist until the affected device is reset to factory settings." Talos describes VPNFilter as a multi-stage infection: the later stages live only in memory and are wiped by a reboot, but the first stage survives reboots and can download them again.
So, is it possible that the FBI's "reset" recommendation was garbled into "reboot"? Perhaps, but the bottom line is that a factory reset is the only sure way to clean VPNFilter off a router.
The good news: it's a fairly straightforward process, which usually requires little more than holding down a reset button on the router itself. The bad news: it's a pain, because once it's done you'll need to reconfigure all of your network settings, and the reset also restores the default password, so change it before you put the router back online. See your model's manual for instructions on both steps.
What other steps should you take?
We contacted the manufacturers above for their advice on how to combat VPNFilter. Linksys responded first, noting that VPNFilter exploits known vulnerabilities in older versions of the router firmware (which customers have not updated) and default credentials.
Its advice: apply the latest firmware (this happens automatically on newer Linksys routers), then perform a factory reset. Linksys also recommends changing the default password.
That is our advice as well. By keeping your router on the latest firmware and using a unique password instead of the default one, you should be able to keep VPNFilter and similar router malware out.
Update, May 30 at 8:27 a.m.: According to the FBI's PSA regarding VPNFilter, the reboot recommendation is not intended to remove the malware but to "temporarily disrupt [it]" and aid the potential identification of infected devices. In other words, the FBI is enlisting you in a search-and-destroy operation. Needless to say, if you own one of the affected router models, we recommend the firmware update and factory reset described above.