A CLOSER LOOK AT THE DANGERS OF AN UNMANAGED ROUTER
FBI On The Case…
Your router may have been compromised. Seems like no one thinks much of their router. Due to a recent news story about your router getting hacked, things maybe changing.
As a result of recent hacks by foreign actors, the FBI shut down a powerful botnet. Also, I was happy to see the FBI put out a bulletin warning the public to reboot their router in order to protect themselves from the VPN Filter Bot Net. Yay!
The FBI had been on the trail of the bad guys since at least August and armed with a court order from Federal Judge Lisa Lenihan, seized control of the domain name (ToKnowAll-dot-com) which was the command and control domain of the VPN Filter Bot Net that secretly takes control of your router.
Now with control of the domain, the FBI could block infected routers from reinstalling the malware upon reboot back onto your router. With the domain in their control, the FBI could now inventory the affected routers, and break the persistence.
VPN FILTER BOTNET
What is so alarming is that the ‘VPN Filter Bot Net’ was the basis for a number of ‘plugins’ that the attackers could drop in other types of functions at will. Also, it reinfects your router if you reboot. It captures, and can alter all data going through your router. Especially in an attempt to steal your banking info and your money. Or, say – influence election campaigns, intercept emails from anyone, even politicians at home while logging into their secure work accounts.
I cannot stress enough how important this is and that it’s is ‘proof positive’ the FBI team and it’s contractors are fighting the good fight. Without them, how can we calculate how much damage could have been done? How many peoples lives would have been affected? I’m sure they had to consider the ramifications of causing a public panic versus putting out the alert. They choose the alert.
I thought that was a good move on their part – raising IT Security Awareness! Good Job FBI! Let’s all do our part. Now here’s my contribution….
Most noteworthy a ‘Reboot’ will not be enough to get the job done sufficiently. First off, there is no way the FBI can protect each and every person’s router. They need our help. I just don’t believe they have the resources, money, personnel, and mandate to get this done.
MALWARE ROUTER ATTACK MAP
There are too many bad actors with malevolent intent. Look at an attack map of what’s attacked and where. Can you see that the United States received the bulk of attacks worldwide? Those blue dots and circles in the photo here are attack points. You can see a more current map by looking HERE.
Quite simply, we’re out-gunned. I hope through my blog I can get others to take an interest in IT Security as a career. It’s fun, never boring, always challenging.
You need the knowledge, skills, ability and some experience to get a job. Yet, you will be very rewarded with a good job I can assure you. There is a long list of yet unsolved ZERO-DAY threats that we need people to help fix. Don’t believe me? Check out just one of the most prominent ZERO-DAY lists at TALOS Vulnerability reports HERE.
Back to the routers.
THREAT: VPN Filter Botnet
PARTICIPANTS: 500,000+ routers PLUS Network Access Storage (NAS) Devices
SOURCE: TALOS Security Group
SUSPICIOUS ROUTER ACTIVITY
Almost immediately I noticed suspicious activity with my router. Which like many people, I got happily from Comcast. Comcast’s rent my router to me. I asked the technician if there was a way that I could change the default username ‘admin’ and password on Comcast’s Modem – Router. He asked me “….why would I want to do that?”
I told him that because I work in the IT industry, and I’m aware that there are explicit dangers of leaving any part of a ‘single factor’ security policy as-is simply is not smart. He admitted I was right, and the home user does have the power to set the password upon setup, and that the user can also reset their router at any time. He was right. But, I felt a sense of false security. I had questions which remain unanswered at that time.
QUESTIONS ABOUT ROUTER SECURITY
Most notably I had questions such as:
- Who updates the router to the latest firmware?
- What version of my firmware is on my router I’m leased from you guys?
- Is there a newer update available?
- When was it installed?
- How can I verify it was been installed?
Most noteworthy, he admitted that they are responsible for baseline initial security and network setup. He said the questions I was asking were more like an Advanced Security Expert’s Qualifications, which Comcast has, he told me (at an additional cost I’m sure).
Not wanting to press the issue on this. Because, I am one of those advanced security guys he’s talking about. I had previously addressed this matter. I let my guard down when I moved recently and was under pressure to take care of a thousand things bombarded on me at once. Renting a router and having someone come out to set it up just seemed convenient and I knew I could fix any problems later when time allowed.
One of my routers, the Cisco DPC3941T Router, was clearly vulnerable to the VPN Filter Bot Net. If you’ve got one of these, then take notice. Understandably, a lot of people are concerned as I see it from COMCAST’s Forum at https://forums.xfinity.com/t5/Anti-Virus-Software-Internet-Security/This-is-the-VPN-filter-malware-threat-quot-MEGA-THREAD-quot/td-p/3097348
Consequently, write down all the information on your router, manufacturer, model #, different brand names, etc. Furthermore, research each one to see if there’s a hit, for any vulnerability. Don’t rely on anyone’s comprehensive list of routers as safe or vulnerable. They might have missed something. I see they have missed a lot of vulnerable routers in various news reports. Do your OWN VULNERABILITY SEARCH!
MANAGE IT OR ELSE
My long term plan and recommendation is to manage your own router. I am replacing my router with the Netgear CM500V. In addition, I’m fingerprinting the latest patched firmware directly from the manufacturer via my personal HotSpot (usually left in off status). Next I’m flashing the firmware to the CM500V. Of course, this plan will involve a trip to Comcast to personally hand in their model (DPC3941T). Furthermore, I have to get a turn-in receipt and then get them to provision my new modem. Also, I’m denying access to (PhotoBucket-dot-com) in my router.
Note: You’ll need the modem’s model #, serial #, and MAC address when you visit Comcast if you’re planning on following suit. I’m a I.T. Security specialist and I recommend buying the Netgear CM500V from Amazon here:
SECURE YOUR ROUTER
Flash it with the latest software. Be cautious about DHCP, and set your DNS settings to something you know like Google or your ISP. Own your own device. As a result, you can change the user name, and have access to the advanced features that you might otherwise not have access to.
First of all change your passwords to your router (while offline) and then reconnect. Manage you router! Or hire someone to manage it! Consequently, you run the risk of having your router used as an attack device to other devices. Worse yet, the law enforcement just might come knocking at your door and seize your router, SERIOUSLY.
VPN FILTER BOT NET VULNERABILITY NEWS
If you want to know more about this, I recommend reading Ken Poulsen’s article on the Daily Beast
Also, you could check out the Washington Post’s story on this or BleepingComputer’s article on this. They all have very well written articles on this for you to start or continue your research. I won’t bother copying or rehashing what they’ve already done a great job on. Go check them out. Most of all either start or better managing your own router. Or hire somebody qualified to do it for you.
Due to recent increased hacking activity by foreign actors, as a result I promise to write more about this, maybe a step-by-step guide to fix this if you have a Comcast Router. Seems like the FBI has raised our security awareness as a result of their bulletin. Either we pay more attention to our internet security or suffer the consequences.
In conclusion, don’t ignore your router. Because most people forget about it, it is most vulnerable to attack. Most of all change your passwords regularly. Check your firmware regularly and patch with the most recent firmware from the manufacturer. Finally, if you can’t do it yourself – find someone who can. Because all of your private information is going through your router. You probably need to get this fixed. Rather than wait, act now if your router wasn’t patched with the latest firmware.