WASHINGTON — Malware linked to Russian hackers has infected at least a half-million small office and home office internet routers in several countries, and federal officials are warning Americans to take steps and prevent infection.
The warning centers on malware known as VPNFilter, which the FBI said can collect or delete sensitive information and render a device inoperable. According to Cisco Systems, the malware has been “actively infecting Ukrainian hosts at an alarming rate.”
In addition to routers, the malware also targets network-access storage devices.
“Both the scale and the capability of this operation are concerning,” said a post on Cisco’s Talos security blog.
The Justice Department has linked the malware effort to a hacker group known as “Sofacy Group,” also known as “Fancy Bear.”
Several “trusted” ISPs have been notified, the Justice Department said, but both users and administrators are advised to reboot (or power-cycle) their devices as soon as possible. This temporarily disrupts the malware. The devices should then be secured with passwords and encryption. Network devices’ firmware should also be upgraded.
Data Doctors’ Ken Colburn said the router brands known to be vulnerable include Linksys, Netgear, QNAP, MicroTik and TP-Link. “But my advice is that everyone with a consumer router should assume that it may be vulnerable and update it anyway,” he said. “The older your router is, the more likely that it’s vulnerable.”
How did your router get infected?
“The most likely methods of infection are possible because most consumer routers are still using the default admin username and password and haven’t patched known security exploits after they were initially set up,” he said.
As for how you can protect your devices, Colburn outlined the following steps:
The steps to protect your router from this and many other router specific security threats is pretty straightforward.
Before you perform any of these steps, read them all so you don’t get stuck in the middle of the process without something you’ll need. It’s also critical that you document any of the settings that you’re currently using such as level of encryption, SSID and passwords so you can re-enter them when the reset and update are complete.
If you don’t use the exact same SSID and password when you’re done, you’ll have to reset each device that connects to your Wi-Fi network with the new credentials, which can be a bit of a hassle if you have lots of home automation or IOT devices in your home.
You’ll also need to make sure you have an Ethernet cable to connect your computer directly to your router before you get started.
The first step is to find out the exact model of router you own (usually stamped on the bottom or side) and download the most current firmware from the manufacturer’s support website (If you have a newer router that has the automatic update feature built-in, you can skip this step).
Since there’s no simple way to know if your device is infected, performing a hard reset, which wipes out the malware and all your settings is the next step.
Once your router has restarted and your connected computer is able access it, carefully follow the installation instructions for updating the firmware.
Finally, make sure you change the default username and password for the administrative interface to something only you will know and re-enter all the connection settings you documented prior to resetting.
Get more details about the malware and how you can protect your devices on Cisco’s Talos blog.