Are the Russians at it again? This time, authorities believe that Russian hackers have gained access to hundreds of thousands of routers in both homes and small businesses. Talos, the cyber intelligence unit at Cisco, discovered this most recent hacking incident during the week of May 20, 2018. On Friday, May 25, 2018, the FBI issued a nationwide notice urging households, small businesses, and anyone else with a Wi-Fi connection to reset their routers and halt the attack. What happened? Whom did this attack affect? How does the malware work? What can we do to stop this? To answer these questions, let’s take a look at the specifics.
A Brief Overview
As we have just seen, news broke recently detailing the latest in a series of attacks on unsuspecting victims. The group is believed to be Russian, though the FBI only cited “foreign cyber actors.” While the FBI was reluctant to name the attackers, the U.S. Department of Justice tracked the malware to a group that goes by many names: APT28, Fancy Bear, and Sofacy. All of these names refer to a group with ties to the Russian government. Talos combed through the malware code and found distinct similarities to malware used in recent attacks on devices in Ukraine, though the Ukrainian attack was on a much larger scale.
Who is Affected?
This malware, named VPNFilter, is mainly targeting the general public, including homeowners and small business owners. The hackers compromised an estimated 500,000 routers – namely Linksys, MikroTik, Netgear, QNAP, and TP-Link, among others – across 54 countries. Why? One reason might be how easy it is to infect a small-scale router and then repeat the attack many times over across devices and neighboring networks. Moreover, any device connected to an infected router is exposed to the attackers. While we’re still not sure exactly what these hackers are after, it’s safe to say they’re at least looking to inflict damage across a wide population, or many wide populations.
How Does VPNFilter Work?
Though we are still unsure of exactly how VPNFilter is even being installed on home and office routers, we know that it is a multi-stage process:
- Stage 1 – The first stage installs itself on a device and remains there until it is able to download the instructions for further infection.
- Stage 2 – The second stage is where file corruption takes place. This includes collecting files, extracting and exfiltrating data, executing commands, and device management. Stage two is also where destruction comes into play, namely “bricking” the device, thus rendering it unusable, through a command sent by a hacker.
- Stage 3 – Finally, stage three is an offshoot of stage two and it is able to sift through traffic and steal web credentials (e.g., your Facebook login info).
Thwarting An Attack
If you believe your device has been compromised, don’t worry. There are steps you can take to stop the hackers dead in their tracks before they can cause any more harm:
- First, you should turn your router off and on again. This will effectively disrupt the malware and even erase parts of it. It’s worth noting, though, that a router can be reinfected.
- Second, you would do well to set a new password on your router, making it personal to you and hard to guess. Most homeowners use the password that comes with their router, which can be easily guessed.
- Lastly, you should update your router’s software and firmware. The firmware helps keep your network safe and secure, so ignoring updates leaves your system exposed to more known vulnerabilities with each patch you skip. Updating is actually pretty easy: get on your computer and go to the router’s admin page. From there, click on either “Advanced” or “Management”, and download and apply the most recent update. Regardless of any known hacking event, you should ideally update, or at least check for updates, every three months.
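The three steps above, turned into a small inventory audit in Python. This is an added example, not code from the original post or from any router vendor; the inventory lines, device names and the 90-day threshold (a reading of “every three months”) are constructed assumptions.

```python
from datetime import date, timedelta

# Vendors named in the post as affected by VPNFilter (the post says "among others",
# so this set is not exhaustive).
AFFECTED_VENDORS = {"linksys", "mikrotik", "netgear", "qnap", "tp-link"}
# The post recommends checking for firmware updates at least every three months.
CHECK_INTERVAL = timedelta(days=90)

# Constructed sample inventory, not real data:
# name,vendor,date of last firmware check,still using the default admin password?
SAMPLE_INVENTORY = """\
office-gw,Netgear,2018-01-10,yes
branch-ap,TP-Link,2018-05-01,no
lab-fw,Ubiquiti,2017-11-20,no
"""

def parse_inventory(text):
    """Parse 'name,vendor,YYYY-MM-DD,yes|no' lines into device records."""
    devices = []
    for line in text.strip().splitlines():
        name, vendor, checked, default_pw = (f.strip() for f in line.split(","))
        devices.append({
            "name": name,
            "vendor": vendor,
            "last_check": date.fromisoformat(checked),
            "default_password": default_pw.lower() == "yes",
        })
    return devices

def remediation_plan(device, today):
    """Return the ordered actions the post recommends for one device."""
    actions = []
    if device["vendor"].lower() in AFFECTED_VENDORS:
        # Step 1: a power cycle disrupts the later stages, but reinfection is
        # possible, so the remaining steps still apply afterwards.
        actions.append("reboot")
    if device["default_password"]:
        actions.append("set unique admin password")            # Step 2
    if today - device["last_check"] > CHECK_INTERVAL:
        actions.append("check for and apply firmware update")  # Step 3
    return actions

def audit(text, today):
    """Map every device name in the inventory to its remediation actions."""
    return {d["name"]: remediation_plan(d, today) for d in parse_inventory(text)}

if __name__ == "__main__":
    for name, actions in audit(SAMPLE_INVENTORY, date(2018, 5, 25)).items():
        print(name, "->", ", ".join(actions) or "no action needed")
```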
At M&H Consulting, the safety and security of our clients and their respective networks are our main priority. A hack into one’s system can be a headache to reverse and can even cost you real money, when all you want is to get some honest work done without having to appease attackers.