Router Attack: Users Should Reset Routers to Factory Default, Not Just Reboot

The FBI and the Internet Crime Complaint Center (IC3) have issued a public service announcement advising owners of small-office and home-office routers to power cycle their devices to remove a new piece of malware. However, users should actually reset them to factory defaults to really clean the infection.

The request comes in response to VPNFilter, a sophisticated malware program that has enslaved more than 500,000 routers worldwide and which is believed to be the work of a Russian state-sponsored cyberespionage group known as Fancy Bear or APT28.

“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices,” the FBI said in the announcement. “Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”

Simply rebooting the devices will temporarily disable the malware’s main functionality, but will not completely remove all of its components. According to researchers from Symantec, the best way to ensure the malware gets deleted is to perform a hard reset, which restores factory settings.

VPNFilter has several components that are installed at various stages of the infection chain and, unlike most other router malware, it can persist on devices across reboots. More specifically, VPNFilter’s first-stage component can modify the NVRAM (non-volatile random access memory) and set itself up to start at boot.

The lightweight persistent component acts as a downloader for the second-stage payload, which implements most of the malware’s functionality. This secondary component has to be redownloaded and reinstalled every time an affected device is rebooted, but the FBI has managed to partially disrupt this step by seizing a domain name used by attackers.

However, it’s worth pointing out that the persistent downloader has a fallback mechanism for downloading the malware, but it requires attackers to send specifically crafted network packets to all routers, which is not straightforward and will take some time.

In conclusion, it’s important to understand that simply rebooting the device will not remove the first-stage component. To do that, users have to clear the NVRAM, which is used to store all of the router’s settings. Unfortunately, after performing this action the device will need to be reconfigured.

It is also important to flash the latest firmware version available for your device, as most of the affected vendors have patched the vulnerabilities that are used to infect devices in the first place.

According to Symantec, the devices targeted by VPNFilter include: Linksys E1200; Linksys E2500; Linksys WRVS4400N; devices running Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072; Netgear DGN2200; Netgear R6400; Netgear R7000; Netgear R8000; Netgear WNR1000; Netgear WNR2000; QNAP TS251; QNAP TS439 Pro; other QNAP NAS devices running QTS software and TP-Link R600VPN.

Researchers Defeat AMD’s Secure Encrypted Virtualization

A team of researchers has devised an attack that can bypass the Secure Encrypted Virtualization (SEV) feature built into AMD’s Epyc server processors.

SEV allows virtual machines running on a server to encrypt their memory to protect its contents from other malicious guests, physical attackers or even a compromised hypervisor. In cloud environments, this feature is supposed to give customers confidence that their data remains secure even if there’s a rogue administrator working for the service provider.

The researchers from the Fraunhofer Institute for Applied and Integrated Security in Germany have dubbed their new attack SEVered and it allows a malicious hypervisor to extract the full contents of an SEV-encrypted virtual machine’s memory in plaintext.

“SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine,” the researchers said in their paper.

Mitigating the attack will likely require re-engineering of the AMD SEV feature, as software-based countermeasures are insufficient to prevent the information leaks that make the attack possible.

“The best solution seems to be to provide a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX,” the researchers said. “However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves.”

Featured eBook
Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Digital transformation requires new approaches to security, demanding the protection of machine identities that enable authentication and encryption required for secure machine-to-machine communication. Solving machine identity protection challenges within DevOps environments, requires a fundamentally new approach. Information Security teams must deliver a frictionless, automated solution that allows DevOps engineers to seamlessly provision and manage certificates ... Read More

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin