The FBI is recommending power cycling Wi-Fi routers as a step to counter “foreign cyber actors” seeding malware known as “VPNFilter.”
The malicious code can “perform multiple functions, including possible information collection, device exploitation, and blocking network traffic,” according to the FBI’s Internet Crime Complaint Center. It can potentially render routers inoperable, and is hard to detect because it uses encryption and “misattributable networks.”
Rebooting a router won’t kill the malware, but it will temporarily disrupt it and may help identify affected hardware, the IC3 said. As a further precaution, people may want to disable remote management, set strong and unique passwords, and make sure they’ve updated to the latest firmware.
Security firm Symantec says observed activity suggests the original target was Ukraine, and specifically industrial control systems. The malware “does not appear to be scanning and indiscriminately attempting to infect every vulnerable device globally,” Symantec said.
Affected routers and NAS (network-attached storage) devices are known to include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
The Justice Department has identified the perpetrators as the “Sofacy Group,” which goes by several other names and allegedly targets “government, military, security organizations, and other targets of perceived intelligence value.” In trying to defeat VPNFilter, the U.S. has seized a domain associated with a Sofacy botnet.
At present, it does not appear that the AirPort family is affected.
Apple only recently got out of the router market, having let its AirPort line grow stagnant for several years. The company is instead promoting third-party products, particularly the Linksys Velop mesh system.