In what is suspected to be a state-backed cyber offensive, half a million consumer-grade routers have been compromised.
Cisco researchers have stated in an advisory (https://blog.talosintelligence.com/2018/05/VPNFilter.html) that a number of consumer-grade routers and the QNAP Network Attached Storage device range have been vulnerable and under active exploitation since 2016 in over 54 countries. The number of affected devices has been building slowly, with a notable spike in activity in the last 3 weeks that has included two major cyber-assaults on systems located in Ukraine. This gives weight to the assumption that the offensive is state-backed.
The malware is a multi-stage system with a flexible payload design that allows modules for many purposes to be deployed remotely. These modules perform various functions, including collection of login credentials, compromise and control of endpoints, redirection of traffic, and participation in online attacks. The package also includes a way to defeat detection and analysis: it aggressively overwrites the infected device's firmware, effectively removing any trace of the malware while also permanently disabling the device.
The following devices are at risk of infection:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
It is advisable to perform the following steps when installing any new router or device, especially if you have one of the models listed above:
- Perform a factory reset to remove any possible infection.
- Reconfigure the device.
- Change the default password.
- Ensure the latest firmware is installed.
- If possible, turn off remote management or remote administration.