Imagine pulling an ordinary “average joe” off the street and placing him into an NFL playoff game. No football experience, no safety equipment, and no workout regime. What would you expect to happen? That’s about where we stand with the majority of our home internet gateways. These devices are the first/last line of defense, and they are hardly up for the challenge. Often our only interaction with them is performing the miraculous power-cycle when the internet is down, bringing the smiles back to our kids’ faces as they resume activity on their devices. Early last year we began receiving notices of available exploits, hard-coded admin passwords, and other techniques that could be used to gain access to unsuspecting gateways. Fast forward to this past week, when some pretty sophisticated attacks were discovered and made public by Cisco’s Talos research team. The threat extends to eavesdropping, persistence, and even completely crippling the device and cutting off access to the internet.
VPNFilter is the malware researchers discovered targeting Linksys, NETGEAR, MikroTik, and QNAP products. Based on current estimates, over 500,000 devices across 54 countries have been affected. The curious part of this outbreak is the sophistication of its multi-stage attack.
- Phase 1 provides persistence on the device and locates the C2 (command and control) servers by reading metadata from photographs hosted on online storage sites.
- Phase 2, which is not persistent, installs modules that can eavesdrop on traffic or modify the firmware to brick the device.

Essentially, the goal appears to be laying down a foundation software layer and then building new plugins on top of it to provide a suite of malicious services. The risk here is amplified by the nature of the targeted devices: they are publicly accessible, rarely updated, and aren’t typically set up to alert when something bad is happening. On top of that, all of the internet traffic from your home or small business traverses them. Jackpot…
The disclosure of this information has since seen a lot of action from industry and law enforcement, which is a welcome response. Vendors have released patched software for deployment; Cisco Talos alerted fellow members of the new Cyber Threat Alliance; signatures and threat intelligence built on the Indicators of Compromise have been released to speed detection; and the FBI has seized the primary C2 domain used to deploy the phase 2 bundle. The recommendation for users and service providers is to reboot and, where possible, factory reset devices to remove the malware, and to update to the latest firmware free of the vulnerability.
As cyber security practitioners for our organizations, and quite often for our families, it’s important to keep these new attack vectors in mind. As more and more devices are connected and as we operate more online, the attack surface will continue to grow. We must maintain vigilance and awareness of what we connect to our digital worlds and how. Keep up strong cyber security hygiene: asset inventory, vulnerability management and user awareness. Lack of knowledge is the weakest link.
Click here to register for an upcoming webinar presented by Talos:
What You Want to Know Webinar with William Largent, Security Research Engineer, Talos Outreach – Tuesday, June 5, 2018 @ 11 a.m. ET. Register here.
Click for Talos findings and in-depth write-up, including a full list of affected devices: