If you have a home or small office router, the FBI suggests you immediately reboot it to counter Russian-linked malware VPNFilter.

It doesn’t take long to simply turn your router off and then back on, and the payoff is worth it, considering it’s within your power to counter Fancy Bear-linked malware that is capable of everything from stealing information to rendering the router inoperable.

The malware, which has so far infected at least 500,000 small office and home office routers in 54 countries, has been dubbed VPNFilter. It’s linked to the Sofacy Group, aka Fancy Bear and APT 28, a sophisticated cyber-espionage hacking group backed by the Russian military intelligence agency.

VPNFilter, according to a trio of three-letter agencies — the FBI, DHS, DoJ — has infected not only hundreds of thousands of SOHO routers, but also other network-attached storage (NAS) devices.

On Wednesday, May 23, Cisco Talos warned that the estimated number of infected devices was “at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.”

Talos security researchers added, “The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”

Although Talos claimed Cisco devices have not been observed to be vulnerable, the FBI recommended rebooting all SOHO routers. The bureau called the size and scope of the VPNFilter infrastructure “significant,” yet the initial infection vector is “unknown.”

The FBI advised:

The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices.
Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

Additionally, the FBI suggested “disabling remote management settings on devices and secure with strong passwords and encryption when enabled.”

Homeland Security’s ICS-CERT issued an alert that stated:

DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware.

Network device management interfaces — such as Telnet, SSH, Winbox, and HTTP — should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.

Identifying infected devices

Rebooting routers will basically kill off VPNFilter stages 2 and 3, but stage 1 will remain after the reboot wipes the other stages. In other words, even after clearing the router by rebooting it, it is “difficult to prevent reinfection” of devices infected with the first stage of VPNFilter.

That’s where the Department of Justice announcement comes into play. The FBI seized the domain toknowall.com, which is considered to be a critical part of Fancy Bear’s VPNFilter command-and-control infrastructure, “in order to identify infected devices and facilitate their remediation.”

The Justice Department explained:

This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process.
A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).

Writing on the Daily Beast, Kevin Poulsen first reported the tie between VPNFilter and the Russian hacking group Fancy Bear. Vikram Thakur, technical director at Symantec, told Poulsen that the FBI will not be able to access a victim’s browser history or other content.

Devices vulnerable to VPNFilter

Symantec published a list of devices that are definitely vulnerable to VPNFilter:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

As noted previously, the trio of government agencies are not limiting potentially vulnerable devices to any list. So, reboot routers, disable remote management, make sure firmware is updated, and change default passwords.
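
Because stage 1 keeps trying to reach toknowall.com after a reboot, a resolver log upstream of your devices can show which ones are still infected. The script below is an added example, not from the FBI, Talos or Symantec; it assumes dnsmasq-style query logging, uses constructed sample lines, and goes slightly beyond the article by also matching subdomains of the seized domain.

```python
import re
from collections import defaultdict

# Domain the article names as seized VPNFilter stage 1 infrastructure.
SEIZED_DOMAIN = "toknowall.com"

# Assumption: the resolver is dnsmasq with query logging enabled, which
# writes lines of the form "query[A] <name> from <client>".
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

# Constructed sample lines (documentation IP ranges), not real telemetry.
SAMPLE_LOG = """\
May 24 09:14:02 dnsmasq[812]: query[A] www.example.org from 192.0.2.10
May 24 09:14:07 dnsmasq[812]: query[A] toknowall.com from 192.0.2.23
May 24 09:14:07 dnsmasq[812]: reply toknowall.com is 203.0.113.5
May 24 09:15:40 dnsmasq[812]: query[AAAA] TOKNOWALL.COM. from 192.0.2.23
May 24 09:16:11 dnsmasq[812]: query[A] api.toknowall.com from 192.0.2.41
May 24 09:17:30 dnsmasq[812]: query[A] nottoknowall.com from 192.0.2.10
May 24 09:18:02 dnsmasq[812]: query[A] toknowall.com.example.net from 192.0.2.10
"""

def matches_domain(name, domain=SEIZED_DOMAIN):
    """True for the domain itself or a subdomain, compared on label boundaries."""
    name = name.rstrip(".").lower()  # DNS names are case-insensitive
    return name == domain or name.endswith("." + domain)

def find_suspect_clients(log_text):
    """Map each client IP to the (timestamp, name) lookups that matched."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m and matches_domain(m.group("name")):
            hits[m.group("client")].append((m.group("ts"), m.group("name")))
    return dict(hits)

if __name__ == "__main__":
    for client, events in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(events)} lookup(s), first at {events[0][0]}")
```

A match is a lead to follow up on the device at that address, not proof of infection, since anyone reading about the seizure may have looked the domain up by hand.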