Routers Under Attack from Russian Hackers
One common element of all networks is the router. These devices weren’t always used in household networks, but they soon became commonplace in home networks. Because they are so commonplace, hackers have gone after home routers with numerous different attacks. Some attacks make routers part of a botnet. Others sniff data from the network owner’s traffic. Others crash routers just for fun and shenanigans, and even more attackers use them to watch traffic. Russian attackers have found a new bug in router firmware, and even the FBI is urging people to reboot their routers to avoid being the next victim of malware named VPNFilter.
Router Malware and Default Passwords
Attackers rely on two main mistakes made by users. Routers are critical components of a network, so they are a part of almost any network. They used to be found only in enterprise networks, but then many manufacturers made home versions and made them affordable, compared with years ago, when a user needed hundreds of dollars to own a router at home.
Users often leave the default password in place, which is why many attackers are able to gain access to routers. When remote access is also enabled, attackers can connect remotely to any such router, whether it’s a home router or a highly advanced one used to protect enterprise networks.
When a user leaves the default password active and then enables remote access, just about anyone can access the router as long as the person knows its IP address. The difficulty with router defense is that an attacker can gain access to the router hardware completely silently, without the user having any clue that the router is compromised.
The first thing all users should do is change their password. It’s not easy for users to understand that their password should change. Plenty of users can read material where router experts say to change the SSID password as soon as you set up the router, but not many remind users to change the admin password when they connect it to the network.
The Latest Attack Named VPNFilter
According to the latest Ars Technica article, the NSA and the FBI have been aware of VPNFilter for a while and have been trying to track its origin and its main purpose for attackers. At first, these government agencies thought that the attacks were the work of regular attackers looking to profit, for example by building a botnet to bring down specific websites or to infect other networks with their malware. However, the FBI has released its latest warning to say that it believes Russian hackers are involved with the attack and that they have compromised about 500,000 router devices from common brands such as Linksys and Netgear.
Users are urged to reboot their routers, because doing so neutralizes and removes the second and third phases of the malware, which are used to steal and read data and send it to the attackers. Rebooting does not stop phase one, which is used to initialize infection, but it stops the most important components of the virus from going any further than the initial infection.
Currently, the malware is only intended to infect neighboring routers, and investigators are looking into what other reasons an attacker would have to infect routers, but mainly the intention seems to be to steal data and infect other routers.
A local home router could also be infected through an insider threat. To protect your network from insider threats, check out GateKeeper for more information.