I'm renting this router from Spectrum and assuming (hopefully correct) that Spectrum has done something on their end as we can't reset the router to factory default settings.
One thing that's confusing is the name of the malware as it seems to say that routers that have been setup with a VPN are affected. If you don't use a VPN, can it still affect your router?
Solved! Go to Solution.
First, these are peer-to-peer forums staffed by customers with experience in the unique technologies of cable systems. We're not Spectrum employees and have neither any financial interest in nor influence over their management or business practices. Now lets move to your question at hand:
Spectrum did not receive any advance information from the device manufacturers, industry trade groups, or government security agencies prior to the public disclosure.
I doubt that any of the regular forum contributors have detailed information beyond that being widely spread by the trade press. I have not seen anyone report issues here in the forums that have been identified as or traced to the VPNFilter malware. Therefore we can't accurately answer your question.
Beginning (today) Thursday, May 31, 2018, Spectrum will conduct a power cycle and firmware upgrades during the maintenance window for all devices managed by Charter on behalf of all customers. Affected customers may restart their routers if desired through spectrum.net/resetmodem. Customers who own their router will need to power cycle their routers manually.
Spectrum-Social Media Customer Care
Lead Moderator-Community Forums
Previously I indicated that forum responders had no detailed information about the VPNFilter malware. Since then both Cisco and Symantec have released additional details that were excluded from the general FBI statement. The articles now appearing on computer-user web sites include a list of known targetted router models. I didn't spot any cable internet combination modem+router gateways on this list.
The information below was copied from an article on the ARS Technica website written by Dan Goodin - 5/23/2018, 4:13 PM
Hard to protect
[Wednesday’s] report is concerning because routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet. While the researchers still don’t know precisely how the devices are getting infected, almost all of those targeted have known public exploits or default credentials that make compromise straightforward. Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:
Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button in the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to reenter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.
Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of "some" router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.)
There's no easy way to determine if a router has been infected. It's not yet clear if running the latest firmware and changing default passwords prevents infections in all cases. Cisco and Symantec said the attackers are exploiting known vulnerabilities, but given the general quality of IoT firmware, it may be possible the attackers are also exploiting zeroday flaws, which, by definition, device manufacturers have yet to fix.
What this means is that, out of an abundance of caution, users of the devices listed above should do a factory reset as soon as possible, or at a minimum, they should reboot. People should then check with the manufacturer for advice. For more advanced users, the Cisco report provides detailed indicators of compromise and firewall rules that can detect exploits.