Unfortunately for the information security industry, a lot of other news was breaking this past Memorial Day weekend, so it’s entirely possible that you missed a PSA, tweet or even email from the Federal Bureau of Investigation asking you, citizen, to please reboot your SOHO (Small Office/Home Office) router, and to also disable remote management (if enabled) on the device. Apparently, up to half a million routers from Linksys, MikroTik, NetGear TP-Link and network attached storage (NAS) devices from QNAP are impacted by this malware threat, which has spread to 54 countries around the world. Initial analysis pins the blame on the same Advanced Persistent Threat (APT) group APT28 or “Fancy Bear” – the same group accused of perpetrating the attacks on the Democratic National Committee in 2016.
What this means for you
If you happen to be one of our managed firewall clients, you are not impacted by this version of VPNFilter malware. However, if you happen to be powered by one of these listed devices, you should contact us immediately to discuss short and long term security implications:
Linksys Devices:
- E1200
- E2500
- WRVS4400N
Mikrotik RouterOS Versions for Cloud Core Routers:
- 1016
- 1036
- 1072
Netgear Devices:
- DGN2200
- R6400
- R7000
- R8000
- WNR1000
- WNR2000
QNAP Devices:
- TS251
- TS439 Pro
TP-Link Devices:
- R600VPN
Researchers are still trying to determine exactly what this attack platform is meant to do, but they have confirmed that it can collect confidential information (such as website logins) and has a self-destruct code that can literally render affected devices inoperable, possibly permanently.
In the short term, rebooting the router will eliminate a part of the threat, but if the device is compromised, the only way to remove the rest of the malware is to completely factory reset the device (or replace it), which means you will have to reprogram it to get connected back to the internet. If you’ve not done this before (and even if you have), this may not be straightforward and can be very disruptive to your operations. Most professional environments, especially offices with servers, may have configurations that are modified from the “vanilla” settings provided by a factory reset, and unless you have a backup or written documentation, may be difficult to reproduce quickly or without a lot of trial and error. Make sure you consult with a technology professional before pushing the factory reset button on your device.
Image courtesy of Nat_Stocker at FreeDigitalPhotos.net
