UPDATE: The FBI Issues PSA on VPNFilter Threat to Routers
The FBI issued a Public Service Announcement on Friday, May 25, updating its guidance for owners of small office/home office (SOHO) routers to combat the threat of the VPNFilter malware. The FBI is now recommending that all owners of SOHO routers, regardless of the manufacturer, reboot their devices to temporarily disrupt the malware’s second and third stages. The first stage of the malware, which provides its persistence, will still be present after a reboot.

To ensure the malware is completely removed from the router, users are advised to reboot and then reset their routers to factory default settings. This is typically done by holding down a small button on the back of the router. Resetting will require the user to reestablish their configuration settings. Conducting a reboot followed by a reset will allow the device to reconnect to the C2 server associated with VPNFilter (now controlled by the FBI) via its persistence capability, providing the FBI with an accurate count of infected devices and a list of vulnerable devices. A subsequent reset will then wipe the malware from the device.

The size and scope of VPNFilter are significant, and the investigation is still ongoing. The FBI is also advising all Wi-Fi router owners and administrators to establish strong passwords and enable encryption for remote management settings, or to consider disabling remote access altogether. For additional information and recommendations, please review the US-CERT Alert and the original NJCCIC threat alert.