Russian VPNFilter Router Malware Much Worse Than Thought: What to Do
Remember that Russian router malware warning from last week? The situation is even worse than we originally thought, and a whole lot more router owners are going to have to factory-reset their devices and install firmware updates.
Not only are many more Linksys, MicroTik, Netgear and TP-Link routers vulnerable to the VPNFilter malware, according a report today (June 6) from Cisco Talos labs, but several Asus and D-Link models are now also thought to be vulnerable, as well as a couple of Ubiquiti routers and individual Huawei, Upvel and ZTE devices. In all, nearly 70 devices are impacted, including QNAP network-attached-storage drives.
The malware itself has a previously unnoticed capability: It can stage a man-in-the-middle attack on your web traffic, altering what you see online and possibly hiding other nefarious deeds.
"They can manipulate everything going through the compromised device," a Cisco Talos researcher told Ars Technica. "They can modify your bank-account balance so that it looks normal while at the same time they're siphoning off money."
How to Protect Yourself
To really be protected from VPNFilter, you need to first fully update your router's firmware, then write down all your Wi-Fi network names and passwords, and finally factory-reset your router.
Once you've done all that, change the router's administrative username and password, then recreate the original network names and access passwords so that your Wi-Fi-enabled devices can reconnect without trouble.
Router update and reset methods vary widely from brand to brand, but we've added links to instructions where we could. The full list of models known to be affected is below.
To be safe, ALL routers ought to be updated and factory-reset because of the VPNFilter malware, despite that being an arduous process, because we don't know where this is going to end. (If you're wondering why we're so insistent, it's because the malware has a scorched-earth module that will brick your router on command.)
The malware seems to infect only devices that are known to have had security flaws, all of which have fixes available. If you've kept up on your router patches, or your router patches itself automatically, you probably haven't been infected. Unfortunately, there's no way of knowing for sure.
Only a factory reset will remove the malware, which contains a beachhead module that survives regular reboots; only firmware patches will prevent you from being infected again. Ten days ago, the FBI took down a server from which the beachhead module got instructions to download additional malware components, but it appears that a fallback mechanism lets the beachhead module use other sources.
Affected Routers and Support Pages
Here's the list of affected devices. Not all devices are sold in North America:
Unofficial reset instructions; we couldn't find the firmware
MikroTik RB Groove
MikroTik RB Omnitik
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
Ubiquiti PBE M5
Upvel -- unknown models
ZTE Devices ZXHN H108N