Nonprofit Resources

print

Half a Million Routers Are Infected with Malware – Is Yours?

print
The FBI recently made a formal PSA about a piece of malware called VPNFilter that is infecting routers used in homes and small businesses at an alarming rate. The difference in this strain versus others is that no one is quite sure what the impact will be, since it is a very sophisticated piece of malicious software.

What VPNFilter Malware Does

The malware uses default credentials to infect routers, meaning that it can be avoided by changing passwords and other security on devices. It “sniffs” network data where an infected device is physically located, gathering the passwords, usernames, and other credentials on that network. This can include supervisory control and data. And VPNFilter malware can serve as a relay point to hide the origin of incoming attacks that later use that information.

This software installs itself in three stages, and the impact of the third stage is not well known. The FBI has advised that everyone should reboot their routers, under the belief that this will mitigate the malware and prevent the third stage from executing in the future.

However, this is not entirely correct in a technical sense.

Security engineers at Cisco Talos and Symantec recommend that people who own affected devices do a factory reset. This will remove the malware, but it also restores the router to all original settings.

Steps You Should Take

Protect your home and business router by taking the following steps.

  1. Check to see if you are using any of the following routers (list updated June 6, 2018):

    • ASUS: RT-AC66U, RT-N10, RT-N10E, RT-N10U. RT-N56U, RT-N66U

    • D-Link: DES-1210-08P. DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N

    • Huawei: HG8245

    • Linksys: E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N

    • Mikrotik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5

    • Netgear: DG834, DGN1000,  DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50

    • QNAP: TS251, TS439 Pro, and other QNAP NAS devices running QTS software

    • TP-Link: R600VPN, TL-WR741ND, TL-WR841N• Ubiquiti: NSM2, PBE M5

    • UPVEL: Unknown models

    • ZTE: ZXHN H108N

  2. If your router is listed above, perform a factory reset. This is typically accomplished by using something small and pointed, such as a straightened paperclip, to push the reset button on the back on the unit for 10 to 30 seconds (time varies by model). Note that you will need to set up the router again and reconnect devices that use it. Visit your router manufacturer’s website for instructions on performing a factory reset and setting up your router. 
  3. Whether or not your router is on the list above, you should change the password from the default. Visit your router manufacturer’s website for instructions. Note that if you do a factory reset, you will need to change the default password after performing the reset. 

Please contact us at cybersecurity@capincrouse.com with any questions.

Lisa Traina

Lisa is a partner at Traina & Associates, a CapinCrouse company. She uses her more than 30 years of experience to assist organizations in implementing measures to secure data and manage risks efficiently and effectively. She is a nationally recognized speaker and author, and serves on the AICPA Cybersecurity Task Force. Lisa founded Traina & Associates in 1999 to provide IS security services to a broad range of industries. Traina & Associates joined CapinCrouse in January 2017.

Leave a Comment