A new strain of malware, known as VPNFilter and recently identified by Cisco Talos Intelligence Group, may have infected upwards of 500,000 routers and network-attached storage (NAS) devices, many of them in small businesses and home offices. What makes this an especially vicious cyberthreat is that it is "persistent": its first stage is written to survive a reboot, so the infection does not go away just because the router is restarted.
According to Symantec, "data from Symantec's honeypots and sensors indicate that unlike other IoT threats ... it [VPNFilter] does not appear to be scanning and indiscriminately attempting to infect every vulnerable device globally."
That means there is likely some strategy and objective behind what is being infected. Symantec has identified devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP as known targets (Symantec has published a full list of affected models).
So, how did the devices get infected? Little is known or being disclosed at this point, but it appears that this isn't the result of what's known as a zero-day vulnerability, a flaw the vendor does not yet know about and has not patched, leaving no fix available when it is first exploited. Instead, it seems the attackers got in using standard default usernames and passwords, or through known vulnerabilities that should already have been closed by routine software and firmware updates. This is the same mechanism behind massive breaches such as the one Equifax suffered last year (a publicly known flaw left unpatched), and it is probably the single greatest source of cyber-vulnerability, and the easiest to correct.
It's also not clear who the hackers are or what they intend, although there are telltale signs of, and speculation about, a nation-state sponsor. There is also speculation that a large-scale attack is being planned that would render infected devices useless, or what's referred to as "bricking" the device: leaving it about as useful as, well, a brick.
The threat is so extensive that just yesterday the DOJ and FBI announced a court-ordered seizure of a domain used by the malware's command-and-control infrastructure. According to U.S. Attorney Scott W. Brady, "[The] court-ordered seizure will assist in the identification of victim devices and disrupts the ability of these hackers to steal personal and other sensitive information and carry out disruptive cyber attacks."
What should you do?
According to Symantec, reboot the device and then immediately apply any firmware updates needed to bring it up to date. A reboot clears the later, non-persistent stages of the malware; the first stage survives it, which is why the factory reset recommended below is the more thorough option. This sounds ridiculously simple, but, again, failing to keep software and firmware up to date is the single most common vulnerability behind cyber attacks.
Netgear is also advising users of its devices to turn off any remote management capabilities. Linksys is recommending a factory reset of its devices, which removes the persistent first stage; the device then has to be reconfigured, its default credentials changed, and its firmware updated.
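For a small office with more than a handful of devices, the advice above turns into a checklist per device: reboot, factory reset if the vendor is on the affected list, update firmware, change default credentials, and close WAN-side remote management. The script below is an added example, not code from the original article or from any vendor, that applies that checklist to a constructed inventory. The `Device` fields, the `latest` firmware strings and the sample entries are assumptions; only the vendor names come from the article. Version strings are compared by their numeric components, which copes with vendor formats such as Netgear's `V1.0.2.60_1.0.44`.

```python
"""Triage a small-office device inventory against the VPNFilter remediation advice."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Vendors the article names as having affected models. Which specific models
# are affected is not encoded here; treat every device from these vendors as
# a candidate for a factory reset until the vendor's own list says otherwise.
AFFECTED_VENDORS = {"linksys", "mikrotik", "netgear", "tp-link", "qnap"}


@dataclass
class Device:
    name: str
    vendor: str
    firmware: str       # installed firmware version string
    latest: str         # current vendor release (assumption: supplied by the operator)
    remote_mgmt: bool   # management interface reachable from the WAN side
    default_creds: bool # admin password still the factory default


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a vendor version string to a tuple of its numeric components.

    'V1.0.2.60_1.0.44' -> (1, 0, 2, 60, 1, 0, 44); tuples compare element-wise,
    so a newer release sorts higher as long as the vendor keeps the same shape.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def triage(dev: Device) -> List[str]:
    """Return the ordered list of actions the article's advice implies for one device."""
    actions: List[str] = []
    if dev.vendor.lower() in AFFECTED_VENDORS:
        # A reboot only clears the non-persistent stages; the reset removes stage 1.
        actions.append("factory reset (removes the persistent first stage), then reconfigure")
    else:
        actions.append("reboot (clears the non-persistent stages)")
    if parse_version(dev.firmware) < parse_version(dev.latest):
        actions.append(f"update firmware {dev.firmware} -> {dev.latest}")
    if dev.default_creds:
        actions.append("change default admin credentials")
    if dev.remote_mgmt:
        actions.append("disable WAN-side remote management")
    return actions


def triage_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its action list, for the whole inventory."""
    return {dev.name: triage(dev) for dev in devices}


# Constructed sample inventory (not real devices or real version numbers).
SAMPLE_INVENTORY = [
    Device("office-router", "Netgear", "V1.0.2.60_1.0.44", "V1.0.2.62_1.0.45", True, False),
    Device("backup-nas", "QNAP", "4.3.4.0551", "4.3.4.0551", False, True),
    Device("guest-ap", "ExampleVendor", "2.1", "2.1", False, False),
]

if __name__ == "__main__":
    for name, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for action in actions:
            print("  -", action)
```

The version comparison is deliberately simple: it assumes each vendor keeps a consistent numeric layout across releases, so a vendor that changes its scheme (or ships versions like `2.0-beta`) needs a per-vendor parser. The "affected" check is by vendor only, which errs on the side of a factory reset; narrow it with the vendor's published model list once you have it.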
The reality that VPNFilter brings to the surface, and that we all need to heed, is that cyberthreats are not going away. Just because you don't hear about a specific threat doesn't mean you can rest easy. In fact, the greatest danger is that we are becoming numb to periodic headlines such as these.
Those who have been lucky enough not to experience a breach start to think it's just not going to happen to them. Add to that the misplaced sense of security from having anti-virus software (which catches only a fraction of the threats in circulation, and nothing at all on a router it does not run on) and you end up with complacency. Nothing creates greater risk in today's digital ecosystems.
Two things are certain: the sophistication and the extent of cyberthreats will only increase, and the greatest vulnerability will still come from a lack of attention and vigilance to the most basic task of keeping your technology up to date with the updates and patches that are readily available.