On May 23, 2018, Talos, the threat research group at Cisco, published an article on its ongoing research into a complex malware system called “VPNFilter.” Working with “public- and private-sector threat intelligence partners and law enforcement,” Talos estimated that over 500,000 devices in “at least 54 countries” were infected with VPNFilter. Most of the infected devices are routers from companies such as Linksys, MikroTik, NETGEAR, and TP-Link.
Talos points out that this malware is unusual in that it can survive a reboot of the device, which no other known malware could do. This persistence is the first stage of the infection: the malware installs itself on the device to prepare for stage two. In stage two, the malware can collect files, data, and any other information that passes through the device. Certain versions can also self-destruct by overwriting the device’s firmware and rendering it unusable, which leaves no way to trace the source of the infection.
According to The New York Times, the malware appears to be connected to Russian hackers; the majority of the initial attack took place in Ukraine, but it has since spread.
The malware can, for example, allow attackers to “load a fake banking site on your computer browser that looks like the one you normally use and steal your credentials and clean out your bank accounts.”
On June 6, 2018, Talos followed up its report with additional information about the threat, reporting that more devices had been affected than previously thought. The group is concerned that attackers could take down large swaths of Internet coverage: attackers have already destroyed hundreds of thousands of devices, and Talos believes they have the capability to take down far greater numbers at a faster pace.
One thing consumers, and even most tech professionals, fail to do is update router software and firmware. A 2014 study from Tripwire found that only 32 percent of IT professionals “knew how to update their routers with the latest firmware.” By extension, very few everyday consumers know how to update their routers either.
There are a few ways that people can protect themselves from these attacks:
- Regularly update router firmware
  - Enter the router’s IP address into a web browser, the same way as a website address, to open the router’s administration page. Log in with the credentials printed on the router (or set by its owner); updates can then be downloaded and installed from that page.
- Change the router log-in information
  - The router’s administration log-in is typically a generic default and should be changed the first time the page is accessed.
- Replace the router every few years
  - Once the manufacturer stops issuing firmware updates, the router can no longer be patched against new attacks that target its old protections. According to Talos, the majority of routers affected by VPNFilter were five years old or older.
Another option is to buy a modern “smart” Wi-Fi system with automatic updates. These systems are usually more expensive but are expected to last longer than traditional routers. In an environment of ever-growing cyber security threats and ever more personal data stored online, security is now the most important aspect of device use, and understanding it is a significant part of maintaining it.