VPNFilter Malware Shines Light on Router Risks and Possibilities
The recently discovered VPNFilter malware has infected an estimated 500,000 routers in 54 countries. The FBI is urging consumers to reboot their routers, but enterprises also need to take note. Unsecured routers introduce significant risk: routers often lack the security controls applied to servers and other endpoints, yet a compromised router sits on the network path and can be used to attack every other asset reachable from it.
Even where routers are segregated behind a demilitarized zone (DMZ), a business user browsing the web can unwittingly pull a malicious payload inside the network, letting a threat actor in.
VPNFilter and similar malware give threat actors persistent capabilities on the device, including network sniffing, remote code execution, and modification of the router firmware. These capabilities matter because they support three possible attack scenarios:
DDoS attack – In this scenario the infected routers form an enormous botnet waiting for the command to flood a specific website or web service with traffic, rendering it unavailable. The Mirai malware, which infected about 500,000 IoT devices two years ago, demonstrated the scale such attacks can reach in two separate incidents: one measured at 620 Gbps and one against the DNS provider Dyn that was reported to approach 1 Tbps.
Tunneled attack – In this scenario the infected routers serve as relays for attacks on third parties. The routers tunnel the attack traffic to the target while concealing its true origin; routing attacks through compromised devices is a common way for threat actors to cover their tracks. Because many of the VPNFilter-infected routers are located in Ukraine, and the malware shares code with BlackEnergy, it is believed the routers will be used as proxies in the ongoing offensive campaign against Ukraine.
Network foothold – In this last scenario the router is used as the entry point into the network behind it. Controlling a network's router provides broad visibility into the traffic passing through it and lets the threat actor manipulate and redirect that traffic. This expands the attack surface of the internal network, as the threat actor can inject code into sessions or redirect users to malicious sites.
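The three scenarios above leave different traces in flow records. As an added example (not code from the original article or from any published VPNFilter analysis), the following Python script applies one heuristic per scenario to constructed flow records: a router initiating sessions into its own LAN on non-infrastructure ports (foothold), a router originating a flood toward a single external host (DDoS), and WAN-side inbound connections to the router on ports it should not expose (proxy or command-and-control). The addresses, port lists, thresholds and sample flows are all assumptions made for illustration.

```python
"""Heuristics over flow records for a router that has become an attacker's
foothold, proxy, or DDoS node. Added example, not from the original article
or any VPNFilter analysis; addresses, ports, thresholds and flows are
constructed assumptions."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")            # assumed internal network
ROUTER_IPS = {ip_address("192.168.1.1"),      # assumed router LAN address
              ip_address("203.0.113.10")}     # assumed router WAN address
# Ports a router is expected to use toward its LAN (DNS, DHCP, NTP): assumption.
ROUTER_LAN_SERVICE_PORTS = {53, 67, 68, 123}
# Under the assumed policy nothing on the WAN side should reach the router
# (empty set = no admin services exposed to the Internet).
ROUTER_WAN_ALLOWED_PORTS: set[int] = set()
DDOS_PACKETS_PER_FLOW = 10_000                # constructed flood threshold

# Constructed flow records: (initiator, responder, proto, dport, packets).
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.1", "udp", 53, 4),       # host querying router DNS: normal
    ("192.168.1.1", "203.0.113.50", "udp", 123, 2),      # router NTP to the Internet: normal
    ("192.168.1.1", "192.168.1.20", "tcp", 445, 30),     # router opening SMB to a host: foothold
    ("192.168.1.1", "192.168.1.21", "tcp", 22, 15),      # router opening SSH to a host: foothold
    ("192.168.1.1", "198.51.100.9", "tcp", 80, 25_000),  # router flooding one external host: DDoS
    ("198.51.100.77", "203.0.113.10", "tcp", 4444, 40),  # WAN-side inbound to router: proxy/C2
]


def classify_flow(src, dst, proto, dport, packets):
    """Return a finding label for one flow, or None if it looks benign."""
    s, d = ip_address(src), ip_address(dst)
    # Foothold: a router should answer LAN hosts, not open sessions into them.
    if s in ROUTER_IPS and d in LAN and d not in ROUTER_IPS:
        if dport not in ROUTER_LAN_SERVICE_PORTS:
            return "foothold"
    # DDoS: the router itself originating a large volume toward one outside host.
    if s in ROUTER_IPS and d not in LAN and packets >= DDOS_PACKETS_PER_FLOW:
        return "ddos"
    # Proxy / C2: an outside host connecting to the router on a non-allowed port.
    if s not in LAN and d in ROUTER_IPS and dport not in ROUTER_WAN_ALLOWED_PORTS:
        return "proxy_or_c2"
    return None


def scan(flows):
    """Run classify_flow over every record; return (label, src, dst, dport) tuples."""
    findings = []
    for src, dst, proto, dport, packets in flows:
        label = classify_flow(src, dst, proto, dport, packets)
        if label:
            findings.append((label, src, dst, dport))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(*finding)
```

In production the DDoS check would aggregate packets per destination over a time window rather than judging single flow records, and the expected-port sets would come from the router's actual configuration; the point here is that each scenario is visible as the router behaving as an initiator in a way a transit device never should.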
Because VPNFilter targeted home and small-office routers, including NETGEAR, Linksys, MikroTik, and TP-Link devices, the DDoS and tunneled attack scenarios are the most probable.
VPNFilter exploits known vulnerabilities in the different router models and then pulls down stage two and stage three payloads that add functionality to the malware. Updating the router firmware closes the vulnerabilities used for initial infection and is therefore the primary mitigation, but it does not by itself remove an existing infection: the stage one component survives reboots, so remediation requires a factory reset of the router, followed by the firmware update, to remove the persistent parts. A reboot alone clears only the non-persistent later stages, which is why the FBI's advice is a stopgap rather than a cure.
Large organizations that have not yet been targeted by VPNFilter should take into account that the perimeter may not merely be breached, giving a threat actor narrow initial access; it may already be owned by the threat actor, providing a wide attack surface.
In such a scenario, privileged access security is the last, and arguably most important, line of defense preventing the threat actors from taking control of the network.