VPNFilter Malware: What should you do?

Last week the FBI issued a warning recommending that anyone with a small office or home router reboot their device to stop malware dubbed VPNFilter. This malware is estimated to have infected more than half a million routers worldwide. Sabai Technology has not found any evidence of Sabai OS Routers being infected. However, we are still encouraging all users to take the following safety measures.

If you are looking for help with a stock firmware router such as Netgear, Asus, Linksys, TP-Link, D-Link, etc., please feel free to skip to the end of this article.

If you have changed your default login credentials for your Sabai OS Router:
This includes both your WiFi credentials (the SSID and WiFi password) and the administration password which is used when accessing the router’s control panel via the IP address.

If you have changed all of the default usernames/passwords for your Sabai OS Router, we recommend you reboot your Sabai OS router. Power down your Sabai OS Router for at least 2 minutes before turning it back on. Power to your router can be shut off either by the unit's on/off switch (if it has one) or by unplugging the power cord. We also recommend you power cycle any other routers, repeaters, extenders, NAS devices and/or modems on your network.

If you have not changed the default login credentials for your Sabai OS Router:
This includes both your WiFi credentials (the SSID and WiFi password) and the administration password which is used when accessing the router’s control panel via the IP address.

If you have not changed all of the default usernames and passwords for your Sabai OS Router, we are recommending a factory reset. Please note, this will erase any custom configurations including your VPN information. Make note of any custom configurations (like port forwarding) and check your internet type before resetting your router.

Here are the steps to check your internet type:

1. Connect a computer to the Sabai Router via Wifi or Ethernet. (Ethernet/Hardwire is highly recommended. If you have an Asus RT-AC56U or RT-AC56R with Sabai OS you must be hardwired.)

2. Open a web browser and enter 192.168.199.1 in the address bar.

If you are prompted for login credentials the default username is admin and the default password is sabaipass123.

3. Click on Network > Basic and under the WAN / Internet section check the Type and make note of what type is set. 

- If the type is set to PPPoE then also take note of the username and password.

- If the type is set to Static then also take note of the IP address, the Subnet Mask, the Gateway and the Route Modem IP.

- If the type is set to DHCP you do not need to do anything.

4. Save this information. You will need it after you reset your router.

Here are the steps to reset your Sabai OS Router:

1. Connect a computer to the Sabai Router via Wifi or Ethernet.

2. Open a web browser and enter 192.168.199.1 in the address bar.

If you are prompted for login credentials the default username is admin and the default password is sabaipass123.

3. Once logged in, click Backup on the main menu.

4. Under the section "Restore default configuration" click the drop-down labeled "Select..." and choose "Erase all data in NVRAM memory (thorough)"

5. Click "Ok"

6. Your router will reset. Once complete, click "Continue". This will reload the router's IP address 192.168.199.1.

If your computer is not hardwired, you will need to reconnect to your Sabai Router before continuing. To do that, select Sabai24 (or Sabai58, Sabai58-1, or Sabai58-2 depending on your router model) from your available WiFi networks. The default WiFi password is sabaipass123.

Then open a web browser and enter 192.168.199.1 in the address bar. If you are prompted for login credentials the default username is admin and the default password is sabaipass123.

Next, you will need to activate your Sabai OS Router.


Here are the steps to activate your router:

1. Enter your email address and click "activate manually".

2. Copy the string of text in the Code Box.

3. Paste the string of text in an email to activation@sabaitechnology.com. Someone will reply to your email with your activation token. Please allow up to 1 business day for a response. As a reminder, our business hours are Monday-Friday 8am-6pm Eastern Time.

4. Enter your token in the Activation Token box.

5. Click "Activate".

Your router is now activated. Next, you will need to change the SSID and WiFi Password.


Here are the steps to change your WiFi credentials:

1. From the router’s control panel click Network > Basic on the main menu.

2. Scroll down to the Wireless Section(s). Depending on your router model you will see 1, 2 or 3 sections with any of the following names: Wireless (2.4 GHz / eth1), Wireless (2.4 GHz / eth2), Wireless (5 GHz / eth1), Wireless (5 GHz / eth2), Wireless (5 GHz / eth3). The password and SSID should be changed for all available sections.

3. Click in the SSID box. Erase the current SSID and enter a new one. This is not required, but we recommend it.

4. Click in the Shared Key box. Erase the current password and enter a new secure password.

5. Repeat steps 3 and 4 for all available wireless sections.

6. Click Save.

If your computer is not hardwired, you will need to reconnect to your Sabai OS Router, using your new WiFi credentials, before continuing.


Here are the steps to change the administration login credentials used to access your control panel:

1. From the router’s control panel click Administration > Admin Access on the main menu.

2. Scroll to the Username and Password section.

3. Enter a new username and a secure password in the appropriate fields.

IMPORTANT! Be sure to save / store your new login credentials in a secure location. If you forget your administration login credentials, the only way to access the router's control panel is to perform another factory reset.

4. Click Save.
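A factory reset puts every wireless section and the admin login back on the defaults quoted in this article, so it is worth checking your planned settings before you enter them. The following is an added example, not Sabai code: the settings dictionary, its field names and the sample values are constructed for illustration, and the 8 to 63 character limit assumes WPA/WPA2 personal mode.

```python
# Added example: audit planned post-reset credentials against the defaults
# named in this article. The data layout and function name are hypothetical.

# Defaults quoted in the article (Sabai OS plus common stock-firmware combinations).
DEFAULT_PASSWORDS = {"sabaipass123", "admin", "password", ""}
DEFAULT_SSIDS = {"Sabai24", "Sabai58", "Sabai58-1", "Sabai58-2"}
DEFAULT_ADMIN_USER = "admin"


def audit(settings):
    """Return a list of findings; an empty list means nothing is left at a default."""
    findings = []
    admin = settings["admin"]
    if admin["username"] == DEFAULT_ADMIN_USER:
        findings.append("admin: username is still the default")
    if admin["password"].lower() in DEFAULT_PASSWORDS:
        findings.append("admin: password is a known default")
    # Every wireless section must be changed, not only the first one.
    for name, section in settings["wireless"].items():
        key = section["shared_key"]
        if key.lower() in DEFAULT_PASSWORDS:
            findings.append(f"{name}: shared key is a known default")
        elif not 8 <= len(key) <= 63:
            # WPA/WPA2-PSK passphrases are 8 to 63 characters long.
            findings.append(f"{name}: shared key must be 8-63 characters")
        if section["ssid"] in DEFAULT_SSIDS:
            # The article treats an SSID change as recommended, not required.
            findings.append(f"{name}: SSID is still the default (recommended change)")
    return findings


# Constructed sample: the 5 GHz section and the admin username were forgotten.
SAMPLE = {
    "admin": {"username": "admin", "password": "Correct-Horse-7-Staple"},
    "wireless": {
        "Wireless (2.4 GHz / eth1)": {"ssid": "HomeNet", "shared_key": "long-unique-phrase-24"},
        "Wireless (5 GHz / eth2)": {"ssid": "Sabai58", "shared_key": "sabaipass123"},
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```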

Next, you will need to re-apply the WAN / Internet settings you made note of in the very first step.


Here are the steps to re-apply your internet settings:

1. Click on Network > Basic on the main menu and change the Type to the one you took note of.

2. Enter the remaining information you took note of.

- For PPPoE enter the username and password.

- For Static enter the IP address, the Subnet Mask, the Gateway and the Route Modem IP.

- For DHCP you do not need to enter any information.

Lastly, you will need to configure your VPN information. For instructions on how to do that please visit our setup page and follow the appropriate instructions. Remember to use your new login credentials when accessing your router.

If you have a current/active subscription to Sabai Freedom and prefer to have live help from one of our technicians, you can schedule a remote session here. Please select “Factory Reset & Setup” from the list of available options when scheduling your appointment. All Sabai OS Router purchases include one year of Sabai Freedom Technical Support.


Here’s some additional information on VPNFilter

What is VPNFilter?
Malware that targets a range of routers and NAS devices and can spy on traffic, collect data on your network and render infected devices unusable.

Who is responsible?
The FBI believes the malware was created by Fancy Bear, a Russian cyber espionage group also known as APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM.

How does VPNFilter work?
The malware is installed in three stages. Stage 1 installs a persistent loader on the router. At this stage the malware modifies the router’s NVRAM, allowing it to stay present on a router even after a reboot. This is why we recommend erasing the NVRAM (a factory reset) for any router still using default passwords. Stages 2 and 3 allow the attackers to execute commands that can make further modifications to the router and even “brick” the router or render it useless. Plugins, such as a packet sniffer, are installed, allowing the attackers to spy on network traffic and collect confidential information such as website login credentials. For in-depth details on these stages, we recommend reading this article and then this article.

How do I know if my router is infected?
There is no easy way to know if your router is infected. If you have any suspicion at all or you have not changed the default passwords on your router, the best option is to perform a factory reset on your router. After a factory reset, you’ll need to change the router’s default login credentials.

What should I do?
The FBI recommends rebooting your router. However, if you’re still using your router’s default login credentials (for WiFi or to access your router’s control panel), rebooting may not be enough. The best option is to perform a factory reset on your router. This restores your router to its original state. Just remember, after you reset your router, you’ll need to immediately change your login credentials: both the WiFi SSID and password and your admin password (the password used to access your router’s control panel via its IP address). Common default login/password combinations are admin/admin, admin/password and admin/[blank].

How do I factory reset my router back to its default settings (hard reset)?
Below are instructions on how to perform a factory reset on some of the top brands in the router industry. Additionally, you'll find instructions on how to restore a DD-WRT router back to its original settings. For instructions on how to reset your Sabai OS Router, please see the step-by-step instructions at the top of this article.

Netgear

Asus

Linksys

TP-Link

D-Link

Google

TrendNET

Ubiquiti

Synology

DD-WRT

Need help resetting your router or additional technical support?
Sabai Technology is known worldwide for our elite, US-based technical support. Don’t just take our word for it; check out our reviews here and on Facebook. Sabai Tour is a one-time technical support remote session that covers practically any home or small business router (not just Sabai OS Routers). Our technicians are happy to help with any basic router or networking issues you have, including factory resetting your router. In fact, we guarantee it. If we can’t fix the issue, we’ll refund your money. If you have questions about our technical support plans, you can email us at support@sabaitechnology.com.

May 31st 2018
