Another week, another report of cyber-attacks.   This time it’s the FBI alerting us about a widespread attack involving routers.

News broke on the 25thMay when the FBI put out a Public Service Announcement that many small office and home office routers could be infected with Malware.

Instead of targeting your computer, this new style of malware seeks out vulnerable routers and basically takes control of them.   It installs a program called VPNFilter that can be used in a number of ways.   It can “listen in” on your internet traffic, it can be used to attack public websites, or it can actually destroy your router by corrupting the firmware on it.

The story behind it pans out like some kind of Hollywood action thriller.   The current thinking is that the malware was developed in Russia by the state sponsored group called Sofacy, also known as Fancy Bear and APT28.

It was designed specifically to attack common North American brands of routers, such as Netgear, Linksys, TP-Link.   In fact, the current estimates are that the hackers have control of over half a million routers around the world!   All of those 500,000 routers could be used simultaneously to attack key US internet infrastructure, an attack called a Denial of Service (DOS).  Such an attack could have widespread damaging effects.

A spike of attacks was also detected in the Ukraine, who accused Russia of planning an attack to coincide with the Champions Cup final in Kiev!

Thankfully the FBI detected this malware and have taken steps to curtail the damage the infected network of routers can do.   In order to control the army of routers, the hackers set up a website where the routers would all report in to and receive their instructions.   The FBI reverse engineered the Malware and found the address – ToKnowAll.com.  They then obtained a warrant to seize the domain and stop the hackers from initiating attacks.

The advice from the FBI is to reboot your router to clear the malicious program.   Simply unplug it for a few minutes and then plug it back in.   Note – don’t hit the reset button found on the back of most routers as this will wipe the settings in it.

It’s also good advice to change the default password on the router.  Recent routers have random passwords, however older routers came pre-configured with passwords such as “password” or “admin” which left them open to attack.

If you’re feeling confident – you should disable any remote management in the router and upgrade the firmware to the latest version.   Be careful though as this could stop the router from working!

If you want to check your router, the known infected devices include:

Linksys E1200

Linksys E2500

Linksys WRVS4400N

MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072

Netgear DGN2200

Netgear R6400

Netgear R7000

Netgear R8000

Netgear WNR1000

Netgear WNR2000

QNAP TS251

QNAP TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link R600VPN

Get in touch if you’d like advice about changing the router password – if you can let me know the make/model I’ll see if I can help.

So, go and reboot your router now, just to be sure!

For more information see the FBI Website : https://www.ic3.gov/media/2018/180525.aspx