Roughly half a million devices were infected by an elaborate man-in-the-middle attack perpetrated by a group of Russian hackers last May. But you might want to check your router – according to reports, the malware is still out there.
Low Consumer Awareness of Router Security Enables Attacks
While IT security focuses on newer technology such as web applications, with widely used tools like a WAF protecting web apps (including log-in pages) from OWASP Top 10 threats such as SQL injection and cross-site scripting, most consumers have no idea whether their routers offer specialized built-in firewalls, let alone how to turn them on. This lack of awareness of how easily a router can become a source of vulnerabilities means that router security still lags behind, and this is especially true for consumer-grade routers. Across millions of households around the world, countless routers are switched on and plugged into a power source 24/7 with minimal safeguards in place: a recipe for success for cybercriminals looking for devices to recruit into their botnet. This is exactly what the Russian hacker group Fancy Bear concluded, and they decided to launch attacks against routers as part of their strategy to build a botnet.
Major Manufacturers Affected across 54 Countries
It was the FBI that tied the attack to the Russian group, when authorities seized a domain that was used in the attack. The hackers used a piece of malware, dubbed VPNFilter by the researchers who uncovered it, which targets routers as well as IoT and NAS devices. The attack saw devices from major manufacturers infected, including Linksys, TP-Link, NETGEAR, and MikroTik. QNAP NAS boxes were also found to be affected, while a second wave of inspections uncovered a string of infections across other manufacturers such as D-Link, ASUS, and Huawei. Security researchers identified roughly 500,000 compromised devices across 54 countries, according to a report published on Ars Technica on June 6th, 2018, yet the malware was still reportedly going strong at the end of September 2018. Initial observations found that the ssler module was designed to downgrade secure HTTPS traffic to plain HTTP connections in order to get around TLS encryption.
Botnets among Leading Types of Cybercrime
After downgrading the connection, the malware would falsely inform the user that a secure connection was not possible, although it still allowed secure traffic to sites like Google, Twitter, and YouTube because of the added security they offer. According to the same report, researchers stated that after further examination they concluded that the malware used the ssler module to perform a sophisticated man-in-the-middle attack. The attackers injected malicious payloads into incoming web traffic that passed through an infected server, and then took advantage of vulnerabilities across the infected network. According to research, botnets were among the leading types of hacker attacks targeting companies globally as of August 2017, with 63% of respondents stating that they had experienced botnet attacks. The leading cause is still malware, with 98% of respondents having undergone an incident involving malware, while 69% had faced phishing and social engineering vectors and 67% web-based attacks, which puts botnets at no. 4 on the list.
Botnets are extremely dangerous particularly because they can remain undetected for a long time, so, for better or worse, check your router and NAS devices immediately.