Russian Router Malware Just Got Much Worse
Remember that Russian router malware warning from last week? The situation is even worse than we originally thought, and a whole lot more router owners are going to have to factory-reset their devices and install firmware updates.
Not only are many more Linksys, MikroTik, Netgear and TP-Link routers vulnerable to the VPNFilter malware, according to a recent report from Cisco Talos labs, but several Asus and D-Link models are now also thought to be vulnerable, as well as a couple of Ubiquiti routers and individual Huawei, Upvel and ZTE devices. In all, nearly 70 devices are impacted, including QNAP network-attached-storage drives.
The malware itself has a previously unnoticed capability: It can stage a man-in-the-middle attack on your web traffic, altering what you see online and possibly hiding other nefarious deeds.
"They can manipulate everything going through the compromised device," a Cisco Talos researcher told Ars Technica. "They can modify your bank-account balance so that it looks normal while at the same time they're siphoning off money."
How to Protect Yourself
To really be protected from VPNFilter, you need to first fully update your router's firmware, then write down all your Wi-Fi network names and passwords, and finally factory-reset your router.
Once you've done all that, change the router's administrative username and password, then recreate the original network names and access passwords so that your Wi-Fi-enabled devices can reconnect without trouble.
To be safe, ALL routers should be updated and factory-reset because of the VPNFilter malware, despite that being an arduous process, because we don't know where this is going to end.
The malware seems to infect only devices that are known to have had security flaws, all of which have fixes available. If you've kept up on your router patches, or your router patches itself automatically, you probably haven't been infected. Unfortunately, there's no way of knowing for sure.
Only a factory reset will remove the malware, which contains a beachhead module that survives regular reboots; only firmware patches will prevent you from being infected again. Ten days ago, the FBI took down a server from which the beachhead module got instructions to download additional malware components, but it appears that a fallback mechanism lets the beachhead module use other sources.