Your Router is Infected, and... You Don't Know It!

8/9/2018 - By Bob Woock, MCSE

It is possible your small office or household routers are being compromised without your knowledge with a new malware known as VPNFilter. 

WHAT YOU NEED TO KNOW

Starting on May 23, 2018, the FBI and Justice Department asked the nation to reboot their routers.  This did not fix the problem and routers and firewalls are still very vulnerable.

WHAT'S THE WORST THAT CAN HAPPEN?

Criminals can gain access to your router/firewall via this router malware:

• Criminals can steal sensitive information
• Manipulate what you see
• Worm their way into your network
• Install rootkits and more malware on your computers
• Find who your key personnel and systems are in order to steal more things of value
• Push ransomware or just damage data and systems.

WHAT CAN I DO?

Some router vendors have issued patches that need to be manually downloaded and installed.  You can check this list to see if your router is known to be vulnerable. However, the issuer of this list has stated, “Given our observations with this threat, we assess that this list may still be incomplete and other devices may be affected.”

CAN YOU PUT IT IN LAYMAN'S TERMS?

Here is what we know.  The FBI and the Justice Department placed a nationwide call on May 23, 2018, for everyone to reboot their routers, which you can read here. It has since been found that this was a very temporary solution that only allowed the FBI to take down the primary command and control sites for a malware threat called VPNFilter.  The rebooting of routers assisted the FBI in finding these sites and stopping the primary push of the malware to your router.   What the reboot did not resolve was the ability to infect your router by other means using the same malware.  

The Cisco Talos Intelligence group, which is one of the world’s largest commercial threat intelligence teams, issued a follow up article explaining the continuing threat. In the article, which is very technical, they describe several stages to the exploiting of common household and small business routers.  What was found after the reboot of routers, as requested by the FBI, is that the infection/exploit remains on the router in what is called stage 1.  If the stage 1 infection cannot find the command and control sites, it goes into listening mode.  Meaning your router is still infected and is now listening for additional commands. 

Initially the FBI thought these routers were only being used to attack other systems.  But now it has been found that the listening mode allows criminals to gain access to your router, and they can install additional features that allow them to do what is called man-in-the-middle attacks which can steal sensitive data and manipulate the information you see.  

Talos senior technology leader Craig Williams in an interview with Ars TechnicaOne described it like this, “They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money…. They can manipulate everything going in and out of the device.”  Once in the router, criminals would be able to deploy any desired additional capability into your network environment to support their goals, including rootkits to take over your computers, stealth monitoring of your network to learn about key personnel or systems and destructive malware.

WHAT DOES SALTMARSH RECOMMEND?

We recommend using Sonicwall, pfSense, or Unifi USG router/firewalls instead of the common off-the-shelf routers.  These router/firewalls can update themselves or are easily monitored by our network operations center, so they can be kept up to date.  These systems also come with Intrusion Protection and Detection Systems and GEO-IP filters that add many layers of protection to keep bad guys out of your router and your network.

If you have any questions, call our team at (800) 477-7458 or email us to receive a quote and assistance in creating and setting up a Cybersecurity plan for your business.

Additional Articles

• FBI PSA: Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide
• Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices
• Ars Technica: FBI Tells Router Users to Reboot Now to Kill Malware Infecting 500k Devices
• WCCFTech: Growing List of Routers Known to be Infected

About the Author | Bob Woock, MCSE
Bob is a manager in the Information Technology Services Department of Saltmarsh, Cleaveland & Gund. His primary areas of experience include providing managed IT services for medium and small businesses across various industries such as manufacturing, accounting, and healthcare. He has over 30 years of IT experience working in database and network administration as well as cyber security, both in the private sector and with the United States Marine Corp.

View Full Bio

Related Posts

• Saltmarsh Hosts 18th Annual BankTalk
• Juice Jacking and How to Avoid It
• Managing Risk Part 2: Reducing Fraud with Access Controls
• Managing Risk: Fraud Deterrence Is Always a Priority
• Banking Artificial Intelligence
• BankTech Bytes: Banking Artificial Intelligence
• BankTech Bytes: Honest Abe's Lessons on Resiliency
• Watch Out for Those Hackers - It's Cybersecurity Awareness Month!
• Saltmarsh Hosts 17th Annual Community BankTalk Event
• Don't Become the Next Victim of a Social Engineering Attack
• Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
• BankTech Bytes: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
• White Paper: Manufacturing Outlook, Leveraging Technology Today
• Webinar Recording: Trends in D&O and Cyber
• Elevate your Third-Party Risk Management Program
• BankTech Bytes: Elevate your Third-Party Risk Management Program
• Cryptocurrency - It's Time to Acknowledge the Elephant in the Room
• The FFIEC's New AIO Handbook
• BankTech Bytes: The FFIEC's New AIO Handbook
• Why Your Company Needed to Invest in Cybersecurity Yesterday
• GovCon Updates of the Week Part 11
• WEBINAR MATERIALS: The Rise of Ransomware - The Evolution, Risk & Recovery
• GovCon Updates of the Week Part 9
• DOL Issues Cybersecurity Guidance for Retirement Plans
• The Evolution of Ransomware
• View All Articles

• Blog
  • Audit & Assurance
  • Construction
  • Employee Benefits
  • Financial Institutions
  • Healthcare
  • Human Resources
  • Information Technology
  • Investment Advisory
  • Legal
  • Manufacturing
  • Not For Profit
  • Tax & Accounting
  • What's Happening At Saltmarsh
• Tools & Resources
• Videos