At least half a million routers and storage devices in dozens of countries around the world have been infected by a sophisticated botnet, in preparation for an alleged planned cyber attack on Ukraine. The botnet, which has been given the rather unglamorous name of VPNFilter, is believed to be likely to be controlled by a state-sponsored hacking group variously known variously as APT28, Pawn Storm, Sandworm, Fancy Bear and Sofacy. Cisco Talos researchers have been working with security industry partners and law enforcement for months investigating the botnet, which like the infamous Mirai botnet focuses its attention on hijacking IOT devices like routers and network access storage (NAS) devices rather than regular PCs. Although the investigation is not yet complete, the researchers decided to go public with their findings after uncovering evidence that an imminent cyber attack might be being planned against Ukrainian infrastructure.
For its part, Ukraine's state security agency has claimed that the report suggests that Russia was planning a major cyber attack ahead of the UEFA Champions League football final, due to take place at the NSC Olimpiyskiy Stadium in Kiev on Saturday. So, should you be concerned if you aren't based in Ukraine? Well, of course you should! Even if you aren't in imminent danger of being targeted by the botnet itself, you certainly don't want to be part of the problem. Everybody who is on the internet should play their part in ensuring that the internet stays as safe as possible - and that means not contributing to the problem. If you follow basic security hygiene it's not hard to protect your own IoT devices, but if you don't you are making things more dangerous for everybody else on the internet. So far VPNFilter has been seen affecting small office/home office routers from Linksys, MikroTik, Netgear, and TPLink, in addition to QNAP NAS devices. Affected devices include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- QNAP NAS devices running QTS software
- TP-Link R600VPN
VPNFilter relies upon a command-and-control infrastructure set up by the gang, who can send commands to the botnet through metadata hidden within particular images on Photobucket.com. With the images removed from Photobucket, the VPNFilter botnet turned to a backup server, toknowall.com, for its instructions. As The Daily Beast reports, the FBI seized control of toknowall.com domain yesterday, preventing the malware from reactivating if affected IoT devices are rebooted. In other words, the simplest action you can take to stop any attack from the botnet being executed from your router is to reboot your device. To be more certain that your devices have not been compromised, you should do a hard reset - returning the router or NAS device to its factory settings. This is often done by pressing and holding a reset switching while turning the device on and off again. Obviously you should also check that your device is running the latest firmware update, ensure that you are not using an easy-to-crack or default password, and - if you have no need for it - I would recommend disabling remote management services. In statement, John Demers, the US Assistant Attorney General for National Security, described the takeover of the botnet's command-and-control infrastructure as an attempt to hamper the hackers' efforts:
"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."
VPNFilter is far from the only botnet out there, and there are lessons for computer users to learn about keeping their routers better secured from attack. Here are some general tips about how to better harden your IoT security:
- Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
- Update IoT devices with security patches as soon as patches become available.
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Purchase IoT devices from companies with a reputation for providing secure devices.
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Understand the capabilities of any internet-enabled devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be exploited.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.