Scott Register
VP, Product Management

There’s a spy in your closet

October 4, 2018 by Scott Register

Just as a general on the physical battlefield can’t win a war without soldiers, hackers in the cyber world need to enlist masses of minions to assist in their efforts to launch attacks and steal information. Fortunately, most people aren’t willing to help out with such nefarious goals… at least, not willingly. However, hundreds of thousands of unsuspecting users in fifty countries have inadvertently been helping Russian hackers due to some widespread vulnerabilities in common home routers.

Virtually every Internet-connected house has a router. Sometimes this is provided by the user and sometimes by the service provider, from brands such as Linksys, Belkin, TP-Link, QNAP, and MikroTik. Every connection, every packet, every banking transaction between a device at home and the Internet goes through this device. This makes it a critical junction in your home networking service.

At first, researchers thought that the VPNFilter malware at the root of one of the recent infections was primarily used to secretly turn these home routers into unwitting “bots” or agents which could be used to attack a target web site. Malware such as this has been around for years in the desktop world, and is frequently used to support Distributed Denial of Service (DDoS) attacks. A single attacking PC can’t take a bank’s website offline, but when you combine the efforts of thousands or hundreds of thousands of attacking devices it becomes much more feasible.

But it turns out that the VPNFilter malware, released by the Russian hacking outfit known variously as Sofacy, APT28 or Fancy Bear (which you may recognize from the notorious DNC hacks), had additional capabilities which leverage the routers’ prime location on the network. Through a feature set known as “ssler,” VPNFilter can pose great risks to home users through some really nasty features. These capabilities include:

  • Modifying data in connections between the user’s browser and external website
  • Converting secure SSL connections to easily read cleartext connections
  • Reading and stealing usernames and passwords
  • Copying data from connections and sending it somewhere else

None of this would be visible to the user, and desktop antivirus software can’t detect it because the malware doesn’t run on the desktop. Information stolen or changed by the VPNFilter malware might never be discovered, or at least not until it’s too late. For example, a password reset command at your brokerage might send a password chosen by the attacker, or commands could be sent to your banking site to transfer money out of your account while making your balance look normal. Even if you use strong passwords and change them regularly, those passwords could be immediately stolen any time you log on to your work, bank, or social media account from home. Your home security webcam account could be compromised, and files on your home storage device stolen.

It’s pretty scary stuff.
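One way to look for the downgrade and tampering described above is to compare a page fetched through the home router with a copy of the same page fetched over a path you trust. The Python below is an added example, not code from the original post or from any VPNFilter analysis; the domain, sample responses and function names are constructed for illustration, and it assumes a downgrade shows up as https:// URLs rewritten to http:// or as a dropped Strict-Transport-Security header.

```python
import re

# Absolute URLs in href/src/action attributes (simplified: assumes quoted values).
URL_ATTR = re.compile(r'''(?:href|src|action)\s*=\s*["'](https?)://([^"'\s>]+)''', re.I)

def url_schemes(html):
    """Map each host/path referenced in the page to the set of schemes used for it."""
    seen = {}
    for scheme, rest in URL_ATTR.findall(html):
        seen.setdefault(rest.lower(), set()).add(scheme.lower())
    return seen

def downgrade_findings(trusted, observed):
    """Compare a response fetched over a trusted path with one seen via the router.

    Each argument is a dict: {"headers": {name: value}, "body": html_text}.
    Returns a sorted list of findings; an empty list means the properties
    checked here are identical in both copies.
    """
    findings = []
    t_hdr = {k.lower(): v for k, v in trusted["headers"].items()}
    o_hdr = {k.lower(): v for k, v in observed["headers"].items()}
    # HSTS sent by the site but missing from the copy seen behind the router.
    if "strict-transport-security" in t_hdr and "strict-transport-security" not in o_hdr:
        findings.append("header removed: Strict-Transport-Security")
    # Redirect target changed from https to http.
    t_loc, o_loc = t_hdr.get("location", ""), o_hdr.get("location", "")
    if t_loc.lower().startswith("https://") and o_loc.lower().startswith("http://"):
        findings.append("redirect downgraded: " + o_loc)
    # Links that are https-only in the trusted copy but appear as http in the observed one.
    o_urls = url_schemes(observed["body"])
    for rest, schemes in url_schemes(trusted["body"]).items():
        if schemes == {"https"} and "http" in o_urls.get(rest, set()):
            findings.append("link downgraded: http://" + rest)
    return sorted(findings)

# Constructed sample data (bank.example is a placeholder domain).
TRUSTED = {"headers": {"Strict-Transport-Security": "max-age=31536000"},
           "body": '<form action="https://bank.example/login"><a href="https://bank.example/help">'}
OBSERVED = {"headers": {},
            "body": '<form action="http://bank.example/login"><a href="https://bank.example/help">'}

if __name__ == "__main__":
    for finding in downgrade_findings(TRUSTED, OBSERVED):
        print(finding)
```

A clean comparison does not prove the router is uninfected; it only shows that these particular properties were not altered on that request.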

The FBI initially put out a recommendation asking users to immediately reboot their routers, but a simple reboot is only a partial solution. VPNFilter uses a three-stage attack. The first stage opens a backdoor into the router and it is powerful enough to survive a reboot. Stages two and three actually steal and modify data. Rebooting the router will erase the malware which conducts stages two and three, but because the backdoor still exists the malware can be re-installed. To completely protect the router, the FBI and security experts recommend rebooting, upgrading the device to the latest firmware, disabling remote management, and as always choosing secure passwords.

Now, the real question: have you done this yet?

If not, do it now, or as soon as you get home. I did.

Most home router manufacturers have taken this very seriously and have posted instructions on their web sites detailing which devices were susceptible and how to secure them. So please, take the few minutes to secure your home router. This will prevent it not only from being used to attack others, but from spying on you as well.

The data you save may be your own.

By the way, October is National Cyber Security Awareness Month - check out other NCSAM 2018 posts here.