Cyber Group Targets Home and Office Routers and Networked Devices Worldwide
Last week, the Justice Department announced that foreign cyber actors had infected home and office routers and other networked devices worldwide. The group, known as the “Sofacy Group,” used malware dubbed VPNFilter to target small office/home office (SOHO) routers. VPNFilter is modular: a persistent first stage loads additional modules onto the infected device to collect intelligence.
According to Cisco Talos, at least 500,000 devices in at least 54 countries were infected. The FBI called the size and scope of the VPNFilter infrastructure significant, yet the initial infection vector is still unknown.
Here are some prominent points regarding this attack:
- VPNFilter appears to target unpatched SOHO routers, specifically those made by Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. Cisco Talos publishes the list of known affected devices.
- It appears to require services on the device to be exposed to the Internet.
- Most known infections are outside the US.
It’s important to note that the risk to businesses will come mostly from their users’ home environments; it is unlikely that any serious business runs a vulnerable SOHO router on its perimeter.
Here are a few tips that will help reduce risk posed by this and other attacks.
At the office:
- Run commercial-grade networking equipment with strong manufacturer firmware support.
- Keep up with firmware patches.
- Harden all externally facing devices. Ideally, they should have no services exposed to the Internet.
- Use strong authentication: Change/remove default credentials; if possible, use multi-factor authentication (MFA); limit access to specific networks (part of hardening).
- Perform external penetration testing to identify listening services and vulnerabilities.
- Log and monitor; set up an Intrusion Detection System (IDS).
- Require strong authentication (MFA preferred) and encryption for remote access (this is to mitigate risks posed by weak user home network security).
At home:
- If running a potentially affected router, reset it to factory defaults and set it up again from scratch (or replace it). A reboot alone clears the later stages but not the persistent first stage, so a full reset is needed.
- Harden the router.
- Apply the latest security patches (firmware updates) to the router.
- Use strong authentication: Change/remove default credentials; if possible, use MFA; limit management access to the internal home network (part of hardening).
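Both lists above come back to the same check: is anything on the router reachable from the Internet that should not be? The script below is an added example (not code from the original post or from any vendor or agency it mentions) that probes a host for the TCP ports commonly used by router and NAS management interfaces and reports any that accept a connection. The port list is an assumed policy, not a VPNFilter indicator list, and the built-in demo runs entirely on the loopback interface with a constructed listener so it can be tried offline.

```python
"""Check which management-style services a router exposes (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed policy: TCP ports that commonly carry router/NAS management interfaces
# (8291 is MikroTik Winbox). Adjust to your environment; on the WAN side the
# goal is an empty result.
MANAGEMENT_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https",
    8080: "http-alt", 8291: "winbox", 8443: "https-alt",
}


def is_open(host, port, timeout=1.0):
    """TCP connect probe: True if the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host, ports=MANAGEMENT_PORTS, timeout=1.0, workers=16):
    """Return {port: name} for every port in `ports` that accepts a connection."""
    def probe(port):
        return port, is_open(host, port, timeout)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, sorted(ports)))
    return {port: ports[port] for port, is_up in results if is_up}


def report(host, exposed):
    """Short verdict; anything listed violates the 'nothing exposed' goal."""
    if not exposed:
        return f"{host}: no management services reachable"
    lines = [f"{host}: {len(exposed)} management service(s) reachable"]
    for port, name in sorted(exposed.items()):
        lines.append(f"  tcp/{port} ({name})")
    return "\n".join(lines)


def loopback_demo():
    """Constructed, offline demo: open one listener on loopback and confirm the
    scanner flags it while a port that is closed is not reported."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # Bind-then-close to pick a port that is closed at the moment of the probe.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    policy = {open_port: "demo-mgmt", closed_port: "demo-closed"}
    try:
        found = exposed_services("127.0.0.1", policy, timeout=0.5)
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(report(target, exposed_services(target)))
    else:
        open_port, _, found = loopback_demo()
        print(report("127.0.0.1", found))
```

Run it from outside the perimeter (a cloud VM, or a phone on a cellular connection) against your public IP address, not from the LAN, since inside the network the management interface is supposed to answer. A full-port scan with nmap (`nmap -p- <wan-ip>`) covers far more than this fixed list, but the decision rule is the same: anything reachable from the Internet should be there deliberately, and on a SOHO router the right answer is usually nothing at all.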
If you or your organization have any questions regarding how to best stay secure, please reach out to our security experts with questions and concerns.