Last Friday, the FBI issued a report recommending that everyone reboot their routers. The reason? “Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide.”
That’s a pretty alarming public service announcement (PSA), but also a somewhat vague one. How do you know if your router is infected? What can you do to keep malware away from it? And, perhaps most important of all, can a simple reboot really eliminate the threat?
The FBI’s recommendation comes on the heels of a newly discovered malware threat called VPNFilter, which has infected over half a million routers and network devices, according to researchers from Cisco’s Talos Intelligence Group.
VPNFilter is “able to render small office and home office routers inoperable,” the FBI stated. “The malware can potentially also collect information passing through the router.”
Who distributed VPNFilter, and to what end? The Justice Department believes that Russian hackers, working under the name Sofacy Group, were using the malware to control infected devices.
Unfortunately, there’s no easy way to tell if your router has been compromised by VPNFilter. The FBI notes only that “the malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer.”
Those manufacturers are as follows: Linksys, Mikrotik, Netgear, QNAP and TP-Link. However, Cisco’s report states that only a small number of models — just over a dozen in total — from those manufacturers are known to have been affected by the malware, and they’re mostly older ones:
Linksys: E1200, E2500, WRVS4400N
Mikrotik: 1016, 1036, 1072
Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
QNAP: TS251, S439 Pro, other QNAP NAS devices running QTS software
Consequently, there’s a fairly small chance you’re operating an infected router. Of course, you can never be too careful, so let’s talk about ways to fix the problem and, hopefully, avoid it going forward.
So, should you reboot your router? It definitely can’t hurt. Rebooting — or power-cycling — your router is a harmless procedure, and in fact is often among the first troubleshooting steps when you’re having a network or connectivity issue. If you’ve ever been on a tech-support call because of an internet problem, you’ve probably been advised to do exactly that.
However, according to this Krebs on Security post, which cites the aforementioned Cisco report, rebooting alone won’t do the trick: “Part of the code used by VPN Filter can still persist until the affected device is reset to its factory-default settings.”
So is it possible the FBI misinterpreted the “reset” recommendation as “reboot”? Perhaps, but the bottom line is that a factory reset is the only sure-fire way to purge VPNFilter from a router.
The good news: It’s a pretty easy process, usually requiring little more than holding down a reset button on the router itself. The bad news: When it’s done, you’ll have to reconfigure all your network settings. Check your model’s instruction manual for help with both steps.
We reached out to a couple of the aforementioned manufacturers to solicit their advice for combating VPNFilter. Linksys responded first, noting that VPNFilter is “proliferating itself using known vulnerabilities in older versions of router firmware (that customers haven’t updated) as well as utilizing common default credentials.”
Its advice: Apply the latest firmware (something that happens automatically in Linksys’ newer routers) and then perform a factory reset. Linksys also recommends changing the default password.
That’s our advice as well. By keeping your router patched with the latest firmware and using a unique password (rather than the one provided out of the box), you should be able to keep ahead of VPNFilter and other kinds of router-targeting malware.
Update: According to the FBI’s PSA regarding VPNFilter, the reboot recommendation is not intended to remove the malware, but rather to “temporarily disrupt (it) and aid the potential identification of infected devices.” In other words, the FBI is enlisting you in a search-and-destroy operation. Needless to say, we recommend the aforementioned firmware update and factory reset if you own one of the affected router models.
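For anyone looking after more than one router (a small office, a few branch sites), the advice above collapses into a short triage rule: reboot everything, bring firmware current, factory-reset anything on the affected-model list, and replace default passwords. The script below is an added example written for this article, not code from the FBI, Cisco Talos or any router vendor. It takes a constructed, made-up inventory and works out the remediation steps per device using the model list printed above; the model-name normalization (dropping hardware-revision suffixes such as "v2", substring matching so that a Mikrotik "CCR1016-12G" still matches the listed "1016") is my own heuristic, which deliberately errs toward flagging a device, and the TP-Link entry is left empty because the article names the vendor but no models.

```python
"""Triage a router/NAS inventory against the VPNFilter advice in the article.

Added example; the inventory below is constructed for illustration and the
affected-model list is the one printed in the article.  Matching is a
heuristic (substring after normalization) that errs toward flagging.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected models exactly as the article lists them, keyed by vendor.
AFFECTED_MODELS = {
    "linksys": {"E1200", "E2500", "WRVS4400N"},
    "mikrotik": {"1016", "1036", "1072"},
    "netgear": {"DGN2200", "R6400", "R7000", "R8000", "WNR1000", "WNR2000"},
    "qnap": {"TS251", "S439PRO"},  # plus any other QNAP NAS running QTS (see runs_qts)
    "tp-link": set(),  # vendor named in the article, no specific models given on the page
}


@dataclass
class Device:
    vendor: str
    model: str
    firmware_current: bool      # already on the vendor's latest firmware?
    default_password: bool      # still using the out-of-the-box admin password?
    runs_qts: bool = False      # QNAP NAS running QTS: the article's catch-all case


def normalize_model(model: str) -> str:
    """Collapse label variants ('TS-251', 'R7000 v2', 'wnr1000v3') to a bare
    upper-case model token: hyphens/spaces removed, trailing hardware
    revision (v2, v1.1) dropped.  Assumption: revisions share the fix status
    of the base model, so flagging by base model is the safe direction."""
    cleaned = model.upper().replace("-", "").replace(" ", "")
    return re.sub(r"V\d+(\.\d+)?$", "", cleaned)


def is_listed(device: Device) -> bool:
    """True if the device falls under the article's affected-model list."""
    vendor = device.vendor.lower().replace(" ", "")
    if vendor == "qnap" and device.runs_qts:
        return True
    name = normalize_model(device.model)
    # Substring match so 'CCR1016-12G' hits the listed '1016'; deliberately broad.
    return any(token in name for token in AFFECTED_MODELS.get(vendor, set()))


def recommend(device: Device) -> list[str]:
    """Ordered remediation steps following the article's advice:
    reboot (FBI: disrupts the malware, helps identify infections),
    update firmware, factory reset only for listed models (the only sure
    purge), and change the password last, since a reset restores the default."""
    steps = ["reboot"]
    if not device.firmware_current:
        steps.append("update firmware")
    if is_listed(device):
        steps.append("factory reset")
    if device.default_password:
        steps.append("change default password")
    return steps


def triage(inventory: list[Device]) -> dict[str, list[str]]:
    """Map 'vendor model' to its remediation steps for a whole inventory."""
    return {f"{d.vendor} {d.model}": recommend(d) for d in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("Netgear", "R7000v2", firmware_current=False, default_password=True),
    Device("QNAP", "TS-453", firmware_current=True, default_password=False, runs_qts=True),
    Device("MikroTik", "CCR1016-12G", firmware_current=True, default_password=True),
    Device("Asus", "RT-AC68U", firmware_current=True, default_password=False),
]

if __name__ == "__main__":
    for name, steps in triage(SAMPLE_INVENTORY).items():
        print(f"{name:22s} -> {', '.join(steps)}")
```

Every device gets "reboot" because the FBI's request is blanket and harmless; the factory reset is reserved for listed models because that is the only step the article ties to actually purging the persistent stage, and the password change comes last because a reset puts the default credentials back.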
We value our client relationship with you, and it is a privilege to be of service to you.
Edward P. Caine, CPA