Last week, we reported on an attack, that’s been attributed to Russian malware distributors, that attacks a number of home routers and can be potentially used in large attacks or to steal data from you. Law enforcement has taken down the botnet that used the hack, called VPNFilter, but the risk isn’t completely gone.
VPNFilter is a three stage attack that starts by infecting vulnerable home and small office routers with a tool that then allows more potent attack tools to be loaded onto the devices. The affected devices, according to Symantec, that are known to be affected by VPNFilter are
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
That list may not be exhaustive.
QNAP has issued a statement about their NAS devices saying it has been aware of the presence of VPNFilter since 2017 and addressed the issue with updates to the QTS operating system and the QNAP NAS Malware Remover application which can be installed from the QTS App Center.
While a reboot of your router won’t remove the first stage attack software, it will kill the second and third stage malware.
Getting rid of the first stage malware, that can still be potentially used by threat actors to attack your device and use it in a botnet or some other nefarious activity, will require some more effort.
A factory reset should clear the first stage infection. That’s usually done by pressing a small reset button on the back or underside of the device for about ten seconds. Then, change the default username and password for accessing the router’s settings and install the latest firmware updates from your router maker’s website.
Those last steps should be standard practice when you set up a router.