500,000 consumer routers compromised

In what is suspected to be a state-backed cyber offensive, half a million consumer-grade routers have been exploited.

Cisco researchers have stated in an advisory (https://blog.talosintelligence.com/2018/05/VPNFilter.html) that a number of consumer-grade routers and the QNAP Network Attached Storage device range have been vulnerable and under active exploitation since 2016 in over 54 countries. The number of affected devices has been slowly building, with a notable spike in activity in the last 3 weeks that has included two major cyber-assaults on systems located in Ukraine. This gives weight to the assumption that this offensive is state backed.

The malware package is a multi-stage system with flexible payloads, allowing modules of many purposes to be deployed remotely. Their functions include collection of login credentials, compromise and control of endpoints, redirection of traffic and participation in online attacks. It also includes a way to beat detection and analysis: aggressively writing to the infected device’s firmware, which effectively removes any trace of the malware while also permanently disabling the device.

The following devices are at risk of infection:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

It is advisable to perform the following steps when installing any new router or device, especially if you have one of the models listed above.

Preventative/Corrective Action:

  • Perform a factory reset to remove possible infection.
  • Reconfigure device.
  • Change the default password.
  • Ensure latest firmware is installed.
  • If possible, turn off remote management or remote administration.
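
For anyone looking after more than one device, the model list and the five steps above can be checked against an inventory. The script below is an added example, not part of the original post or the Cisco advisory; the record fields, the sample inventory and the substring matching rule are assumptions.

```python
import re

# Model names are copied from the list on this page. Field names, the sample
# inventory and the substring matching rule are assumptions of this example.
AFFECTED = {
    "linksys": ["E1200", "E2500", "WRVS4400N"],
    "mikrotik": ["1016", "1036", "1072"],   # Cloud Core Router versions
    "netgear": ["DGN2200", "R6400", "R7000", "R8000", "WNR1000", "WNR2000"],
    "qnap": ["TS251", "TS439 Pro"],
    "tplink": ["R600VPN"],
}
# The page's five steps, as boolean fields on an inventory record.
STEPS = ["factory_reset", "reconfigured", "default_password_changed",
         "firmware_current", "remote_admin_off"]

def norm(text):
    """Lower-case and drop punctuation so 'TP-Link' == 'tplink', 'TS-251' == 'ts251'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def on_list(dev):
    vendor, model = norm(dev["vendor"]), norm(dev["model"])
    if vendor == "qnap" and norm(dev.get("os", "")).startswith("qts"):
        return True     # "Other QNAP NAS devices running QTS software"
    # Substring match: deliberately over-flags hardware revisions and variants.
    return any(norm(m) in model for m in AFFECTED.get(vendor, []))

def audit(inventory):
    """Return {name: (on_list, [steps still outstanding])} for every device."""
    report = {}
    for dev in inventory:
        todo = [s for s in STEPS if not dev.get(s, False)]
        report[dev["name"]] = (on_list(dev), todo)
    return report

# Constructed sample inventory.
INVENTORY = [
    {"name": "office-gw", "vendor": "NETGEAR", "model": "R7000 v1",
     "default_password_changed": True},
    {"name": "backup-nas", "vendor": "QNAP", "model": "TS-453A", "os": "QTS 4.3",
     **dict.fromkeys(STEPS, True)},
    {"name": "core", "vendor": "MikroTik", "model": "CCR1036-12G-4S"},
    {"name": "lobby-ap", "vendor": "Tenda", "model": "W300D",
     "factory_reset": True, "reconfigured": True, "default_password_changed": True},
]

if __name__ == "__main__":
    for name, (listed, todo) in audit(INVENTORY).items():
        print(f"{name:11} listed={listed!s:5} outstanding={', '.join(todo) or 'none'}")
```

Outstanding steps are reported for every device, listed or not, since the steps apply to any new router; a listed device with steps still open is the one to deal with first.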

2 comments on “500,000 consumer routers compromised”

    1. Ben Aylett Post author

      Only if the Tenda W300D router is running QTS software. The list is of all the KNOWN models that are vulnerable and possibly compromised.
      To be sure it is advisable to check for updated firmware and make sure your router is not using the default admin password.
      It is important to note that in some cases, settings may be lost during firmware updates. Make a copy or backup of your router settings as well as a printout of the router settings should the backup file not work with the new firmware.
      Updating firmware is a bit of a big deal. Take it slow, read everything and make sure you do not power off your router while the firmware update is in progress.

