
Russian-Infected Routers - What to Do?

Last week the FBI released information suggesting that home users and small business owners reboot their firewall routers and possibly reset them to factory default. The suggestion comes on the heels of the discovery of malware that has compromised a suspected 500,000 devices around the world. I haven't weighed in on this before now because I had not found any research that described the actual infection process. Some information has finally been released that I can pass on without causing some sort of mass hysteria.

The malware seems to affect certain small business and home router/firewalls. Below is a list of the devices confirmed to be affected. If you have one of these at home, you will need to reboot the device, reset it to factory default, and then download and install the latest firmware for it. Of course, the investigations I read would not confirm that this removes the malware for good.

Linksys E1200
Linksys E2500
Cisco/Linksys WRVS4400N
Netgear DGN220

--- The following are Nighthawk models:
Netgear R6400
Netgear R7000
Netgear R8000

--- These are not Nighthawks:
Netgear WNR1000
Netgear WNR2000

TP-Link TL-R600VPN SafeStream VPN Router
MikroTik Cloud Core Routers
QNAP TS-251
QNAP TS-439 Pro

I believe that the remote management component would have had to be activated for the device to be vulnerable, but I haven't found anything to completely corroborate my belief. Netgear has said that users need to make sure that the remote management option is disabled on their devices. It is disabled by default and we don't turn it on for anyone. They also say to change the default password on the device. We have done that for any device that we put in place for a home client.

This is a link to Netgear's advisory on the issue:

https://kb.netgear.com/000058814/Security-Advisory-for-VPNFilter-Malware-on-Some-Routers

Some of these devices have a cloud component that shares USB drives plugged into the router over the Internet. That could also be a source of infection. I don't know of any client of ours who uses that at home, but if you do, I would suggest disabling it. It is not enabled by default.

Finally, it is possible that other devices are affected by this malware. Until I read a true description of the infection process, I can't say for sure. The FBI's suggestion has two goals. One is to get your device fixed so that it is no longer infected. The other relies on the fact that a simple reboot of an infected device should send a request to the malware's command and control system; the FBI is hoping to track those requests from the devices to determine whether there are more command and control systems out there that they do not know about. So the first request, to reboot the device, is simply to let the FBI trace the infection's command and control systems. Resetting the device to factory default and installing new firmware are the steps that remove the infection.
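Because the post says a reboot makes an infected router call out to its command and control system, a home or small business administrator who can log the router's outbound connections (for example at a firewall or a mirror port on the WAN side) can use that same behaviour as a check: look at what the router itself, as opposed to the PCs behind it, connects to in the minutes after a reboot, subtract destinations you know are legitimate (time sync, the vendor's firmware check), and investigate anything left. The script below is an added example written for this post, not code from the post or from any vendor; the log line format, the router address 192.168.1.1, the timestamps and the destination addresses (documentation ranges) are all constructed, and the 10-minute window and allowlist are assumptions you would tune to your own network.

```python
"""Flag connections a router itself initiates shortly after a reboot.

Added example for this post. The log format is a constructed, hypothetical
one: "<ISO timestamp> <event> src=<ip> [dst=<ip>:<port>]", with event
"reboot" marking the device restart and "conn" marking a new outbound flow.
"""
from datetime import datetime, timedelta

# Constructed sample log: one reboot, then a mix of router-originated and
# LAN-host-originated connections. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2018-05-29T08:00:00 reboot src=192.168.1.1
2018-05-29T08:00:10 conn src=192.168.1.1 dst=192.0.2.123:123
2018-05-29T08:00:42 conn src=192.168.1.1 dst=203.0.113.10:443
2018-05-29T08:01:05 conn src=192.168.1.50 dst=198.51.100.7:443
2018-05-29T08:02:30 conn src=192.168.1.1 dst=198.51.100.21:80
2018-05-29T09:30:00 conn src=192.168.1.1 dst=203.0.113.10:443
"""

ROUTER_IP = "192.168.1.1"          # assumption: the router's LAN-side address
WINDOW = timedelta(minutes=10)     # assumption: how long after reboot to watch
# Assumption: destinations the router is expected to contact on its own
# (here a constructed NTP server). Populate from your own vendor documentation.
ALLOWLIST = {"192.0.2.123:123"}


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and key=value fields."""
    ts_str, event, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_str), "event": event}
    record.update(dict(f.split("=", 1) for f in fields))
    return record


def post_reboot_router_connections(log_text, router_ip=ROUTER_IP,
                                   window=WINDOW, allowlist=ALLOWLIST):
    """Return (timestamp, destination) pairs for connections the router itself
    opened within `window` of its last reboot, excluding allowlisted destinations.

    Connections from LAN hosts are ignored: the point is traffic the device
    originates on its own, which is what the post describes happening after
    a reboot of an infected unit.
    """
    reboot_ts = None
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == "reboot" and ev.get("src") == router_ip:
            reboot_ts = ev["ts"]          # a later reboot resets the window
            continue
        if ev["event"] != "conn" or ev.get("src") != router_ip:
            continue
        if reboot_ts is None or ev["ts"] - reboot_ts > window:
            continue
        if ev["dst"] in allowlist:
            continue
        flagged.append((ev["ts"].isoformat(), ev["dst"]))
    return flagged


if __name__ == "__main__":
    for ts, dst in post_reboot_router_connections(SAMPLE_LOG):
        print(f"{ts}  router -> {dst}  (investigate)")
```

On the constructed sample this reports the two router-originated connections inside the window (to 203.0.113.10:443 and 198.51.100.21:80); the NTP flow is allowlisted, the 192.168.1.50 flow is a LAN host, and the 09:30 flow is outside the window. Anything the script lists is a lead to check against your vendor's published indicators, not proof of infection; a clean router also phones home for updates, which is why the allowlist exists.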