[Updated 6/6/18] Protect Your Router, Now (VPNFilter Malware)
Cyber Actors Target Home and Office Routers and Networked Devices Worldwide
Note: Updates will be added to the bottom of this post. On 6/6/2018, additional router models were added to the list of affected devices.
You may have heard in recent news reports about malware called VPNFilter, which has compromised “hundreds of thousands” of home and office routers.
It’s important that all Internet users take action to secure their Internet router to avoid very real negative consequences. The items below briefly describe what steps are necessary. For those who are uncomfortable with any of the steps, after step number one, please contact Widomaker, a local computer shop, or the Support Department of the manufacturer of your Internet router, for guidance.
Several router manufacturers have released security advisories, including Linksys, Netgear, and TP-Link.
1.) Everyone Should Reboot/Power Cycle (Off and Back On) their Internet Router
Recommendations from the DHS, FBI, DOJ, and cybersecurity researchers instruct owners of home and small office routers and NAS (Network Attached Storage) devices to power cycle (reboot) their devices as soon as possible.
As a result, Widomaker urges all customers to power cycle (off and back on) their Internet routers, regardless of their router brand or model, as recommended by cybersecurity researchers and government organizations. Please do this immediately. But don’t stop there…
2.) Check for Router Updates (Firmware)
Contact your router manufacturer (or visit their website) to determine if your router has updated firmware available, and how to install it. Contact Widomaker or a local computer shop for assistance with this step, if necessary.
If your router is several years old, the manufacturer may no longer be supporting, and offering updates for, that model of router. Contact your router manufacturer to determine if your model of router is still supported, and eligible for updates. If your router is no longer supported, it should be replaced with a new router that is supported by the manufacturer. Contact Widomaker, or a local computer shop, if you need suggestions for a replacement router, or help determining if your existing router is still supported.
3.) Change the default admin password
A router’s administrator (admin) password is used to prevent unauthorized persons from accessing the web-based setup page of your router and changing any of its settings. Routers usually come with a default username and password. That default password should be changed, during the setup process, to prevent unauthorized access. Please note that the wireless network password that you use to connect devices to the wireless network is different from the router administration password.
Check the instructions that came with your router, contact your router manufacturer, or visit their website, for instructions to change the default admin password. Contact Widomaker, or a local computer shop, if you need help changing your router’s admin password.
Once you’ve set or changed your router’s admin password, be sure to record it in a safe place. Taping a note with the password to the bottom of the router is a common practice. However, it’s important that only trusted people have physical access to the router with the note attached.
4.) Factory Reset*
If you use one of the routers that is on the list of vulnerable models (further below), additional recommendations include performing a factory reset. If you are not familiar with how to perform a factory reset, you may want to contact Widomaker or a local computer shop for assistance.
*Warning: Performing a factory reset on your router will delete all of its settings, including the information it needs to log in to your Internet provider. Widomaker DSL users will not be able to connect to the Internet after performing a factory reset until the router has been reconfigured with the necessary DSL PPPoE login settings. Before performing a factory reset, make sure you have the necessary DSL PPPoE settings and the instructions from your router manufacturer for how to reconfigure your router. Contact Widomaker or a local computer shop, in advance, if you need assistance.
Additional Details…
Support contact information for several popular router manufacturers is listed below…
Router Models Known to be affected by VPNFilter Malware
It is not easy to determine if a router has been infected with this malware. However, there is a list of router models that are known to be vulnerable, and could be infected. This list will likely be updated in the future to include additional routers as researchers learn about other vulnerable devices. As of 6/6/2018, the list of devices known to be vulnerable includes…
ASUS DEVICES:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)
D-LINK DEVICES:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)
HUAWEI DEVICES:
HG8245 (new)
LINKSYS DEVICES:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N
MIKROTIK DEVICES:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)
NETGEAR DEVICES:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)
QNAP DEVICES:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software
TP-LINK DEVICES:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)
UBIQUITI DEVICES:
NSM2 (new)
PBE M5 (new)
UPVEL DEVICES:
Unknown Models* (new)
ZTE DEVICES:
ZXHN H108N (new)
Updates…
Update 5/30/2018: Bleeping Computer has published an excellent guide on VPNFilter. It includes direct links to several router manufacturers’ instructions for several of the recommended steps.
Update 6/6/2018: An update has been published with additional information about this malware. It includes an updated list of devices known to be affected. They believe that this updated list may still be incomplete and that other devices may be affected.