As the old saying goes, "Loose Lips Sink Ships". Routers with "loose lips" are no exception, and it's worth taking a minute to check whether yours has a little too much to say to folks who shouldn't be listening.
Does the name VPNFilter mean anything to you? If it doesn't, it should, because it may well be hiding in a router near you, like the one in your closet or office. As of 24 May 2018, researchers estimated that it had infected approximately 500,000 routers worldwide, and the number of at-risk devices is even larger. It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist even if the user reboots the router. The Federal Bureau of Investigation believes that it was created by the Russian Fancy Bear group. VPNFilter conducts multiple operations after the initial infection. One such function is to sniff network traffic on any network connected to the infected device and harvest credentials and supervisory control and data acquisition (SCADA) traffic. The data are then encrypted and exfiltrated via the Tor network. It can also serve as a relay point to hide the origin of subsequent attacks. The current list of affected devices can be found here, and you can check your router for the presence of this malware on this web page.
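The check page mentioned above works on a simple principle: VPNFilter's traffic-tampering module (ssler) sat in the path of plain HTTP traffic and rewrote https:// links to http:// so that logins would happen in the clear. You can test for that kind of in-path downgrade yourself by fetching a page you know the contents of, once over a channel the router cannot silently alter and once over plain HTTP through the router, and comparing the links. The script below is an added illustration of that comparison, not the code behind the check page or anything published by the malware's researchers; the two HTML documents are constructed sample input, and the https-to-http rewrite is assumed to be the only tampering.

```python
"""Detect an in-path HTTPS downgrade by comparing a page's known contents with
the same page as observed through a suspect router.

Added example: not the referenced check page's code. The two HTML documents
below are constructed for illustration.
"""
from html.parser import HTMLParser


class LinkCollector(HTMLParser):
    """Collect every href/src/action attribute value in an HTML document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def extract_urls(html):
    """Return the list of URLs referenced by links, forms and images."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.urls


def find_downgrades(reference_html, observed_html):
    """Return the https:// URLs from the reference copy of the page that show
    up as plain http:// in the copy observed through the router.

    reference_html: the page as the server really sends it (fetch it over
                    HTTPS, which an in-path rewriter cannot alter without a
                    certificate error, or keep a known-good copy).
    observed_html:  the same page fetched over plain HTTP through the router.
    """
    reference_https = {
        u for u in extract_urls(reference_html) if u.lower().startswith("https://")
    }
    observed = set(extract_urls(observed_html))
    downgraded = []
    for url in sorted(reference_https):
        stripped = "http://" + url[len("https://"):]
        # Flag only a genuine rewrite: the https form is gone and the http
        # form has appeared in its place.
        if stripped in observed and url not in observed:
            downgraded.append(url)
    return downgraded


def router_looks_compromised(reference_html, observed_html):
    """True if at least one secure link was downgraded in transit."""
    return bool(find_downgrades(reference_html, observed_html))


# Constructed sample: the page as the server sends it ...
REFERENCE_PAGE = """<html><body>
<a href="https://bank.example.com/login">Sign in</a>
<form action="https://bank.example.com/auth" method="post"></form>
<img src="https://cdn.example.com/logo.png">
<a href="http://news.example.com/">News</a>
</body></html>"""

# ... and the same page after passing through a router that rewrites every
# https:// reference to http:// (the behaviour ssler was reported to have).
TAMPERED_PAGE = REFERENCE_PAGE.replace("https://", "http://")


if __name__ == "__main__":
    for url in find_downgrades(REFERENCE_PAGE, TAMPERED_PAGE):
        print("downgraded in transit:", url)
    print("compromised:", router_looks_compromised(REFERENCE_PAGE, TAMPERED_PAGE))
    print("clean path compromised:", router_looks_compromised(REFERENCE_PAGE, REFERENCE_PAGE))
```

In real use you would feed `find_downgrades` the body of a page fetched over HTTPS (or a saved known-good copy) and the body of the same page fetched over plain HTTP from a machine behind the router; a link that comes back as http:// when the server sent https:// means something in the path is rewriting your traffic, whether that is VPNFilter or anything else doing the same trick. A clean result does not prove the router is uninfected, since only one of the malware's functions is being tested.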
If you find that your router is infected by VPNFilter, investigators recommend performing the following steps in order. Please consult the documentation for your device for specific details on how to perform them:
- Perform a hard reset of your router to restore its factory settings. Be sure to save your router's configuration, or at least note down the settings you'll need (ISP login, Wi-Fi name and passphrase, any port forwards), because you'll have to reconfigure it after this step.
- Power down and restart the router. Note that simply restarting your router without first performing the factory reset may not remove VPNFilter: a reboot clears the non-persistent later stages, but the persistent first stage survives and will simply download them again.
- Change the default administrator password for your router to a strong, unique password, and turn off remote (WAN-side) administration if you don't need it. If possible, do this step with your device disconnected from the public Internet.
- Apply the latest patches and updates for your router.
One other thing to consider is the router itself. As technology advances, older hardware falls out of support, and it often cannot use newer encryption schemes because it lacks the required capability. Indeed, a large portion of the routers on the VPNFilter susceptibility list are over five years old. One way to check is to look up your router on the manufacturer's website and read its firmware release notes. If the manufacturer hasn't released a firmware update in the last year or so, the router has probably been discontinued; you can expect this to happen every three to five years. At that point, it is crucial to upgrade to a new piece of hardware.