Check your router – list of routers affected by VPNFilter just got bigger
***All Canitan Managed Service clients' routers have been updated and rebooted, and new security measures have been implemented.*** If you are not an MSP client or a Break/Fix client, please contact us to update your equipment. (According to MikroTik, MikroTik routers should be upgraded and restarted; this backs up the config, rewrites everything, then restores the config.)
If you haven’t heard of the VPNFilter router malware, you need to read this. VPNFilter is a giant-sized Internet of Things botnet that was revealed 2 weeks ago, and it has just gone from bad to worse. Originally thought to affect only 15 to 20 home/small business routers and NAS devices made by Linksys, MikroTik, Netgear, TP-Link, and QNAP, the list has now been expanded to include at least another 56 models from ASUS, Cisco, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
Cisco Talos compiled that information by trying to determine which models VPNFilter has been detected on; given the size of the job, it is difficult to complete, and a complete list is unlikely.
The update alert from Talos confirms that VPNFilter can carry out man-in-the-middle interception of HTTP and HTTPS web traffic, which means it is not only able to mirror traffic and capture names and passwords but can potentially deliver exploits to network devices as well.
Routers have become a big target, but it is relatively rare that malware is able to affect so many of them, and especially simultaneously.
The major problem with VPNFilter is that there doesn’t seem to be a simple way to detect it. The safest assumption is that owners of any router from one of the affected vendors should take immediate precautions.
The chances of VPNFilter infecting a router are low given the number of infections detected by Talos versus the number of routers out there. However, it’s still a good idea to do the following things.
Unfortunately, simply rebooting your router is not enough: elements of VPNFilter can reportedly survive this and reinstate the infection. That leaves owners with only one option, a hard reset, which takes the router back to the factory state. (This will wipe your device’s configuration. Make sure you back it up.)
If opting for the easier option (a reset while connected to the internet), the router will guide you through the process of setting up a new internet connection, before doing the following:
- Updating to the latest firmware version. This is the most important part of the puzzle, because these days routers are prey to security vulnerabilities that require patching on an ongoing basis.
- Offering the option to reinstate router settings from a backup configuration file. If these were saved before hitting reset, this will save a lot of time compared with manually configuring them from scratch.
This is also a good time to change the router’s password and username. Plus, you should check the router to see whether any of the following interfaces are turned on when they don’t need to be:
- Remote web admin
- Port forwarding
- Unused services such as Telnet, Ping, FTP, SMB, UPnP, WPS, and remote access to NAS.
- Turn on logging – this might provide clues to a future infection.
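Restoring a backup configuration file (the second post-reset step above) can quietly bring back exactly the settings the checklist says to turn off. The script below is an added example, not Canitan's or MikroTik's own tooling: it audits a RouterOS-style configuration export against the checklist items (remote web admin, port forwarding, unused services, UPnP, logging) before the backup is trusted. It assumes the input is in the text form MikroTik's `/export verbose` command prints (a `/section` header line followed by `set`/`add` lines of `key=value` pairs); both sample exports embedded in it are constructed for the demo, one restored from an old backup and one after the checklist was applied.

```python
"""Post-reset audit of a RouterOS-style configuration export.

Added example, not Canitan's or MikroTik's own tooling. It assumes the input
is the text that MikroTik's "/export verbose" prints: a section header such as
"/ip service" followed by "set ..." / "add ..." lines of key=value pairs.
Both sample exports below are constructed for this demo, not captured from a
real device.
"""
import shlex

# Constructed: a router whose settings came back from an old backup file.
WEAK_EXPORT = """\
/ip service
set telnet disabled=no
set ftp disabled=no
set www disabled=no address=0.0.0.0/0
set ssh disabled=no address=192.168.88.0/24
set api disabled=yes
set winbox disabled=no address=192.168.88.0/24
/ip upnp
set enabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="old file server" dst-port=445 protocol=tcp to-addresses=192.168.88.10
/system logging
add action=memory topics=firewall
"""

# Constructed: the same router after working through the checklist.
HARDENED_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=no address=192.168.88.0/24
set api disabled=yes
set winbox disabled=no address=192.168.88.0/24
/ip upnp
set enabled=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system logging
add action=disk topics=firewall,info,error,warning,critical
"""

# Services the post lists as "unused" candidates: off unless there is a known need.
UNNEEDED_SERVICES = {"telnet", "ftp", "api", "api-ssl"}
# Management interfaces: fine on the LAN, a finding when open to any address.
ADMIN_SERVICES = {"www", "www-ssl", "ssh", "winbox"}
ANY_ADDRESS = {"", "0.0.0.0/0"}
# Log actions that survive a reboot (RouterOS "memory" logs do not).
PERSISTENT_LOG_ACTIONS = {"disk", "remote"}


def parse_export(text):
    """Map each "/section" header to the list of entries under it.

    Each entry is a dict of key=value pairs plus "_verb" (set/add) and, for
    lines like "set telnet disabled=no", "_name" for the item being set.
    shlex handles quoted values such as comment="old file server".
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)
        entry = {"_verb": tokens[0]}
        rest = tokens[1:]
        if rest and "=" not in rest[0]:
            entry["_name"] = rest[0]
            rest = rest[1:]
        for tok in rest:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def audit(text):
    """Return (category, message) findings for the checklist items in the post."""
    cfg = parse_export(text)
    findings = []
    for svc in cfg.get("/ip service", []):
        name = svc.get("_name")
        if svc.get("disabled", "no") != "no":
            continue  # service is off; nothing to flag
        if name in UNNEEDED_SERVICES:
            findings.append(("service", f"{name} is enabled; disable it unless it is actually used"))
        if name in ADMIN_SERVICES and svc.get("address", "") in ANY_ADDRESS:
            findings.append(("remote-admin", f"{name} admin is reachable from any address; restrict it to the LAN"))
    for entry in cfg.get("/ip upnp", []):
        if entry.get("enabled") == "yes":
            findings.append(("upnp", "UPnP is enabled; LAN hosts can open inbound ports without review"))
    for rule in cfg.get("/ip firewall nat", []):
        if rule.get("action") == "dst-nat":
            target = f"{rule.get('protocol', '?')}/{rule.get('dst-port', '?')} -> {rule.get('to-addresses', '?')}"
            findings.append(("port-forward", f"port forward {target}; confirm it is still needed"))
    persistent = any(r.get("action") in PERSISTENT_LOG_ACTIONS for r in cfg.get("/system logging", []))
    if not persistent:
        findings.append(("logging", "no log rule writes to disk or a remote syslog; memory logs vanish on reboot"))
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {label}: {len(audit(export))} finding(s)")
        for category, message in audit(export):
            print(f"  [{category}] {message}")
```

Run it against the export of the backup before restoring it, or against a fresh `/export verbose` afterwards; the `verbose` form matters because a plain `/export` omits settings still at their defaults, so a service could be missing from the audit rather than confirmed off. The logging check is deliberately stricter than "logging is on": RouterOS keeps its default logs in memory, which a reboot (the very thing the post says to do) would erase.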
If your router is getting long in the tooth or no longer receiving regular firmware updates, consider buying a new one after assessing which vendors have a good record of patching vulnerabilities within a reasonable timeframe.