In May of this year, officials in the private and public sectors warned that hackers had infected hundreds of thousands of consumer-grade routers across the globe with malware known as VPNFilter. Among its capabilities, an especially nefarious one is a module, known as "ssler", that performs a man-in-the-middle attack on traffic as it passes through an infected router. It can inject malicious content into that traffic, and the injected payloads can target specific devices connected to the infected network. It is important to note that VPNFilter is not itself a router exploit that an attacker finds and uses to gain access; it is malicious software that attackers install on a router, without the owner's knowledge, after getting in by other means (the affected models all had publicly known vulnerabilities or default credentials), and once installed it is able to do some potentially terrible things.
In addition to covertly manipulating traffic within the network, ssler can also steal sensitive data passing between connected endpoints and the outside world. It inspects the sites you browse for signs that they transmit passwords and other sensitive data, so that these can be copied and sent to servers under the attackers' control. In this case, intercepted data was being sent back to servers with known ties to the Russian government. To get around the encryption designed to prevent exactly this, ssler downgrades secure HTTPS connections to plaintext HTTP: it intercepts web traffic on port 80, rewrites https:// links and redirects in the server's responses to http:// so that the browser keeps talking plaintext, and strips the Accept-Encoding header from requests so the server replies uncompressed and the module can read and modify the page in transit. Sites that the browser already knows to be HTTPS-only, through HSTS or the browser's preload list, are not affected by this downgrade, because the browser never makes the plaintext request in the first place.
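The downgrade described above, modelled as an added example (not ssler's code or captured traffic): an sslstrip-style proxy on the router rewrites one constructed request/response pair, and the browser-side HSTS check shows why a host the browser already knows as HTTPS-only is never exposed to it. The host name, the messages and the exact headers rewritten are constructed for illustration; the real module's exact header values are not given on this page.

```python
"""Sslstrip-style HTTPS downgrade by a man-in-the-middle on the router, plus
the browser-side defence (HSTS). Added example with constructed messages."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Message:
    start_line: str          # request line or status line
    headers: dict[str, str]  # header name -> value, names kept as sent
    body: str = ""


def parse(raw: str) -> Message:
    """Minimal HTTP/1.1 parser, enough for the constructed messages below."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return Message(lines[0], headers, body)


def header(msg: Message, name: str) -> str | None:
    for k, v in msg.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def mitm_rewrite_request(req: Message) -> Message:
    """Router side, client -> server. Dropping Accept-Encoding makes the server
    answer uncompressed so the body can be searched and edited in transit; any
    https:// in other headers (e.g. Referer) is downgraded to match."""
    out = Message(req.start_line, {}, req.body)
    for k, v in req.headers.items():
        if k.lower() == "accept-encoding":
            continue
        out.headers[k] = v.replace("https://", "http://")
    return out


def mitm_rewrite_response(resp: Message) -> Message:
    """Router side, server -> client. Every https:// link and redirect becomes
    http:// so the browser's next request is plaintext again, and
    Strict-Transport-Security is dropped so the browser never learns that
    this host is HTTPS-only."""
    out = Message(resp.start_line, {}, resp.body.replace("https://", "http://"))
    for k, v in resp.headers.items():
        if k.lower() == "strict-transport-security":
            continue
        out.headers[k] = v.replace("https://", "http://")
    return out


def client_url(host: str, path: str, hsts_cache: set[str]) -> str:
    """Browser side. A host in the HSTS cache (or the preload list) is never
    requested over http://, so the proxy above never sees a request it can
    downgrade. A first visit to a non-preloaded host is still exposed, which
    is why the response rewrite strips the HSTS header."""
    scheme = "https" if host in hsts_cache else "http"
    return f"{scheme}://{host}{path}"


# Constructed sample traffic (not captured data).
CLIENT_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: https://bank.example/\r\n"
    "\r\n"
)
UPSTREAM_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://bank.example/login\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://bank.example/login">Sign in</a>'
)


def demo() -> dict[str, object]:
    req = mitm_rewrite_request(parse(CLIENT_REQUEST))
    resp = mitm_rewrite_response(parse(UPSTREAM_RESPONSE))
    return {
        "accept_encoding": header(req, "Accept-Encoding"),
        "referer": header(req, "Referer"),
        "location": header(resp, "Location"),
        "hsts": header(resp, "Strict-Transport-Security"),
        "body": resp.body,
        "unprotected": client_url("bank.example", "/login", set()),
        "protected": client_url("bank.example", "/login", {"bank.example"}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and compare the two `client_url` results: the same host, with and without an HSTS entry, is the difference between a request the proxy can downgrade and one it never sees. The rewrite of the `Location` header is the step that defeats the usual "redirect me to HTTPS" protection.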
VPNFilter is also able to alter incoming traffic to falsify responses from a server. This helps cover the malware's tracks and lets it operate longer before you can tell something is going wrong. Because it sits between your devices and the internet, malware in this position could, for example, rewrite an online banking page so that your balance looks normal while money, or any other data passing in and out of the device, is being siphoned off.
Depending on your skill set, it is difficult or impossible to tell whether you are infected. Researchers suggest that anyone using a router known to be susceptible to VPNFilter assume it is infected and take the steps below to regain control of their network traffic.
Signs Your Router May Have Been Hacked
Did you receive a ransom message in your browser, an antivirus alert, or browser toolbars that you didn't install? When you click a link, are you redirected to a site you didn't ask for that has nothing to do with the page you were on? Are you getting a lot of random pop-up websites on your screen? Have friends or colleagues told you they received social media or email invitations from you that you didn't send? Is money missing from your online banking accounts in transactions you can't explain? These are all red flags that your router may have been hacked and infected with dangerous malware. Keep in mind that a compromised computer shows the same symptoms, so none of these proves the router is at fault; the checks below are the more reliable test.
F-Secure’s Router Checker
This online tool is a quick way to find out whether the DNS settings your connection uses have been tampered with. Click the blue "Check Router" button to view detailed results and discover whether your Domain Name System (DNS) servers have been altered. You can also use a free trial to check whether your mobile devices have been affected, or purchase a paid subscription if you want to use the service on an ongoing basis. If your DNS has been hijacked, the tool reports the details, so you will know whether you need to take action. Bear in mind that this only detects DNS hijacking: an infection that leaves DNS alone, as VPNFilter's traffic manipulation can, will pass this check, so a clean result does not rule out infection. Find it here: F-Secure.com's Router Checker
Routers known to be vulnerable
This list contains routers known to be susceptible to VPNFilter. If your model appears on it, follow the procedures in the next section of this article.
Other QNAP NAS devices running QTS software
What steps to take if your router is on the list
Right now, as soon as you're able, reboot your router: unplug the power supply for 30 seconds, then plug it back in. VPNFilter's second and third stages, including the ssler traffic-manipulation module, live only in memory and do not survive a power cycle. Its persistent first stage does survive a reboot, however, and will attempt to download the other stages again, which is why rebooting alone is not enough.
The next step is to factory reset your router, which is what removes the persistent first stage. You'll find instructions in the manual that came in the box or on the manufacturer's website; this usually involves inserting a pin into a recessed hole to press a microswitch. A factory reset also restores the factory user name and password, so change them before you reconnect the router to the internet. When you get your router back up and running, make sure it is on the very latest version of its firmware; again, consult the documentation that came with your router for details on how to update.
Next, perform a quick security audit of how you’re using your router.
Never use the default user name and password to administer it. Every unit of a given model ships with the same defaults, which makes altering settings or installing malware trivial for anyone who can reach the admin interface.
Never expose internal devices to the internet without a firewall in place. This includes FTP servers, NAS boxes, Plex servers and any smart device. If you must reach a device from outside your network, forward only the specific port it needs rather than exposing the whole device, and restrict which addresses may connect if your router allows it. If your router cannot do this, invest in a proper hardware or software firewall.
Never leave remote administration enabled. It may be convenient if you're often away from your network, but it is an attack surface every hacker knows to look for, and combined with default credentials it is a ready-made way in.
Always stay up to date. This means checking for new firmware regularly and, more importantly, installing it when it is available.
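The audit above, together with the DNS check described under F-Secure's Router Checker, as one added example (not a vendor tool or anything from the original article): a script that reads a flat settings export from the router and flags factory credentials, remote administration, stale firmware, unexpected DNS servers, a disabled firewall and port forwards that expose sensitive services. The key names, the two sample exports, the "latest firmware" string and the expected resolver list are constructed assumptions; substitute what your vendor's site and your own DNS choice tell you.

```python
"""Offline audit of a router's exported settings against the checklist above.
Added example, not a vendor tool: key names, sample exports and the "known
good" values passed in are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# A few well-known factory credentials; a real list would be much longer.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}

# Ports of the services named in the text (FTP, NAS, Plex) plus management
# services. Illustrative, not exhaustive.
SENSITIVE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP admin", 443: "HTTPS admin",
                   445: "SMB", 5000: "NAS web UI", 8080: "alt HTTP admin", 32400: "Plex"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    message: str


def parse_export(text: str) -> dict[str, str]:
    """Parse a flat key=value settings export (constructed format)."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def audit(cfg: dict[str, str], latest_firmware: str, expected_dns: set[str]) -> list[Finding]:
    """Return every deviation from the checklist. latest_firmware and
    expected_dns come from the vendor's site and your own resolver choice;
    the router itself cannot be trusted to tell you either."""
    out: list[Finding] = []
    creds = (cfg.get("admin.user", ""), cfg.get("admin.password", ""))
    if creds in DEFAULT_CREDENTIALS:
        out.append(Finding("high", f"admin account still uses factory credentials {creds[0]!r}/{creds[1]!r}"))
    if cfg.get("admin.remote", "0") == "1":
        out.append(Finding("high", "remote (WAN-side) administration is enabled"))
    fw = cfg.get("firmware.version", "0")
    if version_tuple(fw) < version_tuple(latest_firmware):
        out.append(Finding("high", f"firmware {fw} is older than the current release {latest_firmware}"))
    configured_dns = {v for k, v in cfg.items() if k.startswith("dns.server")}
    unexpected = configured_dns - expected_dns
    if unexpected:
        out.append(Finding("high", f"DNS points at unexpected server(s) {sorted(unexpected)}; possible hijack"))
    firewall_on = cfg.get("firewall.enabled", "1") == "1"
    if not firewall_on:
        out.append(Finding("high", "firewall is disabled"))
    for k, v in cfg.items():
        if not k.startswith("forward."):
            continue
        wan_port, _, target = v.partition("->")
        host, _, lan_port = target.partition(":")
        port = int(lan_port)
        if port in SENSITIVE_PORTS:
            sev = "high" if not firewall_on else "medium"
            out.append(Finding(sev, f"WAN port {wan_port} is forwarded to {host}:{port} ({SENSITIVE_PORTS[port]})"))
    return out


# Constructed settings exports, not taken from any real device.
RISKY_EXPORT = """
admin.user=admin
admin.password=admin
admin.remote=1
firmware.version=1.0.3
firewall.enabled=0
dns.server.1=192.0.2.53
dns.server.2=9.9.9.9
forward.1=2121->192.168.1.20:21
forward.2=32400->192.168.1.30:32400
"""
CLEAN_EXPORT = """
admin.user=admin
admin.password=correct horse battery staple
admin.remote=0
firmware.version=1.2.0
firewall.enabled=1
dns.server.1=9.9.9.9
"""
LATEST_FIRMWARE = "1.2.0"              # hypothetical: read this off the vendor's site
EXPECTED_DNS = {"9.9.9.9", "1.1.1.1"}  # hypothetical: the resolvers you chose


def demo(export: str = RISKY_EXPORT) -> list[Finding]:
    return audit(parse_export(export), LATEST_FIRMWARE, EXPECTED_DNS)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.message}")
```

The DNS comparison is deliberately against a list you supply rather than against whatever the router reports as "automatic": a hijacked router will happily report its own choice as normal, which is the same reason the online checker above resolves a name from outside and compares the answer.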
Finally, if the manufacturer no longer provides firmware updates that address VPNFilter (its website will have details), just buy a new router. Spending money to replace a perfectly good, working router may seem extreme, but without patched firmware you have no way of knowing whether it is infected, unless you are the sort of person who doesn't need to read these tips.
We love the new mesh router systems that can be automatically updated whenever new firmware is available, such as Google Wifi, because things like VPNFilter can happen anytime and to anyone. It’s worth having a look if you are in the market for a new router.