A few weeks ago, Cisco (which had collaborated with other partners, including the FBI) announced that nation-state hackers, allegedly working on behalf of a Russian military-backed organization, infected more than 500,000 small-office and home (SOHO) routers in 54 countries with malware dubbed “VPNFilter.”
Initial reports noted that the malware collects information from infected consumer routers such as Linksys, MikroTik, Netgear and TP-Link devices, and contains a “kill command” that renders some or all of the infected devices unusable.
Even more problematic, more recent information has since suggested that the attack was worse than initially thought:
- Routers from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE are also vulnerable to VPNFilter, putting an additional 200,000 routers around the world at risk.
- VPNFilter facilitates man-in-the-middle attacks by injecting malware and other malicious content into traffic as it passes through an infected router.
VPNFilter can also ‘sslstrip” HTTPS requests, downgrading them to HTTP, which makes it easier for hackers to bypass encryption and steal login credentials such as usernames and passwords. What’s more, it’s one of the few Internet of Things compromises that can survive a system reboot.
How Hackers Exploited the Devices
The hacking group responsible for the cyberattack is Sofacy Group, also known as Fancy Bear and APT 28. Researchers are still not certain how devices become infected, but they have identified conditions that likely let SOHO routers become compromised:
- Many of the targeted devices already contain publicly known vulnerabilities that are difficult for average users to patch
- Most of the hacked devices lack any built-in malware protection, which makes them especially vulnerable
Once a susceptible router is infected, VPNFilter operates in three successive stages. In stage one, it infects devices that run Linux-based firmware and adds itself to the Linux job scheduler so that that it can remain persistent after a reboot.
In stages two and three, VPNFilter orchestrates the more sophisticated, damaging aspects of the attack. This is where the kill command, credential theft, and man-in-the-middle attacks occur. Stages two and three are not persistent, meaning that a reboot will downgrade the attack to stage one.
VPNFilter is global in reach, and must be taken seriously by businesses and consumers.What to Do Now
The FBI is in the process of identifying all types of infected devices. In the meantime, assume that your router has been infected and take precautionary steps accordingly.
VPNFilter is persistent, making it extremely difficult to defend against. Still, the FBI recommends performing a factory reset. This will revert the infection to its first stage. Next, change the default password on the device, disable remote administration and patch the router with the latest firmware.
Given the persistence, complexity, scale and potential implications of this cyberattack, we highly recommend that you take these actions as soon as possible. And as a general best practice going forward, always ensure your routers are up to date with the latest firmware.
Minimize Risk of Future Attacks
“Actively monitor inbound network traffic for suspicious payloads.”
VPNFilter is not the first botnet of its type and it won’t be the last. This fact alone should prompt small and mid-size businesses to take extra precautions if they hope to protect against potentially dangerous or operationally crippling cyberattacks. Businesses must prioritize patching for internet-connected endpoints that could become vectors for compromise. These include routers and other IoT endpoints as well as other forms of middleware and software.
Equally important, SMBs and small to midsize enterprises (SMEs) must employ 24/7 threat monitoring and incident response. VPNFilter activity was recorded as early as August. A small business with a compromised device can only detect the danger by actively monitoring inbound and outbound network traffic for suspicious payloads. Otherwise, there’s no way to know that VPNFilter puts it at serious risk of credential theft and man-in-the-middle attacks.
Threat Detection and Response
Arctic Wolf helps organizations detect cyberattacks such as the VPNFilter attack in real time with its threat detection and incident response service, offering continuous monitoring at a predictable price. Our security engineers also perform regular vulnerability scans to identify external-facing IT systems that risk being probed by hackers, and provide a recommended course of action to remediate any risk.
