VPNFilter update:
More bad news for routers
New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making the rebooting and remediation of routers more urgent.
At the bottom of this article is a revised
list of routers believed to be at particular risk from the malicious code known
as VPNFilter, according to ongoing research by Cisco’s Talos Intelligence
Group. These latest findings underscore the importance of rebooting
routers, as described at length in this WeLiveSecurity article.
With 56 additional models and five new vendors
impacted, it is increasingly likely that even more will be identified. This
reinforces previous advice: you should take action regardless of the make or
model of router you are using (unless you have received solid assurances from
your ISP or vendor that your specific router is not vulnerable).
What’s going on here?
Hundreds of thousands of routers in more than
50 countries have been compromised by malware dubbed VPNFilter. When placed on a router, this malicious code can
spy on traffic passing through the router. The malware can also “brick” the
device it runs on, rendering it inoperative.
Like a lot of malware, VPNFilter is modular
and can communicate over the internet with a Command and Control (C2) system to
download additional modules. Research into VPNFilter’s capabilities is ongoing.
Routers are specialized computing devices
that direct traffic between networks, for example, between the network in your
office and the global network known as the internet. Routers have three places
to store code and information: regular memory, which is “volatile” and loses
its contents when it loses power; non-volatile memory that retains its contents
even when the power is turned off; and firmware, the contents of which are
relatively difficult to change.
Much of VPNFilter’s code resides in volatile
memory and is wiped out by a reboot or “cycling the power” (i.e. power it off –
wait 30 seconds – then power it on again). That is why the security experts and
the FBI recommend
rebooting your router.
However, a reboot does not remove code that
VPNFilter may have written to non-volatile memory. Clearing non-volatile memory
requires a device reset, but you should NOT perform a reset unless you know
what you are doing (see the instructions and advice in this related WeLiveSecurity article).
If your router is supplied by your ISP you
should contact them for instructions if they have not already alerted you and
advised you of the situation.
Other steps to consider are upgrading your
router to the latest firmware, changing the default administration password,
and disabling remote administration. Instructions to perform these functions
can be found on the router maker’s website.
Yes, you probably do have a router
I am sure there will be more articles related
to VPNFilter and router security on WeLiveSecurity in the coming days. We
already get the sense, based on questions from readers so far, that knowledge
of routers and how to secure them varies considerably within the population of
router users.
One basic question – do I have a router? – is
actually trickier to answer than you might think. Many homes and small offices
have a variety of boxes that work together to deliver the internet to their
computers, smartphones, tablets, smart TVs, clever thermostats, and so on.