8 June 2018

VPNFilter, attacks on routers and why external scanning is essential for security

A router that is facing the Internet is one of the most important devices in your network. If it gets compromised, the attackers are able to intercept all network traffic, reroute it, launch attacks on resources inside your network infrastructure and eventually compromise servers and workstations inside your network.

VPNFilter is a widely discussed malware family that exploits weak security configuration of routers. It has been attributed to the activity of the well-known APT group APT28, also called Fancy Bear. Cisco Talos, Fortinet and other companies have published detailed write-ups on it, so if you want to know how VPNFilter works internally, read those.

Apart from VPNFilter, interest in router vulnerabilities among APT groups and other attackers has increased overall. Since 2017 there have been 6 zero-days in network devices from the following vendors:

DrayTek

https://www.zero-day.cz/database/499/ - used to change the DNS settings of affected routers in attacks against users in the UK.

MikroTik

https://www.zero-day.cz/database/493/ - used in a targeted attack in the Czech Republic.

https://www.zero-day.cz/database/488/ - used in the Slingshot APT campaign.

Huawei

https://www.zero-day.cz/database/480/ - used by the Mirai and Satori botnets.

NetSarang

https://www.zero-day.cz/database/469/ - shipped with a backdoor; the vendor itself was compromised.

QNAP

https://www.zero-day.cz/database/455/ - used to mine cryptocurrency.

How to protect yourself

Here are basic recommendations on how to protect your router from similar attacks.

  1. All default credentials on the routers should be changed.

  2. The latest available firmware should be installed. If your router is no longer supported by the vendor, replace it.

  3. No router management interface should be accessible from the Internet. Run an external scan to see which ports are open; you can do this for free via our trial package: register, run the scan and review the results. Your router can be considered secure if the report comes back empty or contains no router management port (if you host services behind the router, only those services should be reachable).

  4. Use a firewall to deny access to all open management ports, then re-run the scan to confirm that the ports are no longer accessible from outside.
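As an added example (not code from the original post or from the scanning service it mentions), the check in steps 3 and 4 expressed as a script: it reads an external scan report in nmap's normal output format (a constructed sample here), subtracts the services you deliberately host behind the router, and reports any remaining router management ports. The management-port table is an assumption and is not exhaustive.

```python
# Added example: flag router management ports reachable from the Internet in
# an external port-scan report. Scan text and port table are constructed here.
import re

# Ports commonly used for router management (assumption: representative, not
# exhaustive). 8291 is MikroTik Winbox, 7547 is TR-069/CWMP remote management.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 80: "http", 443: "https",
    161: "snmp", 7547: "tr-069", 8080: "http-alt", 8291: "winbox",
}

# Matches lines such as "8291/tcp  open  unknown" in nmap normal output.
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(scan_output):
    """Return the set of port numbers the report lists as open or open|filtered."""
    ports = set()
    for line in scan_output.splitlines():
        m = _PORT_LINE.match(line.strip())
        if m and m.group(3) in ("open", "open|filtered"):
            ports.add(int(m.group(1)))
    return ports


def exposed_management_ports(open_ports, allowed_services=frozenset()):
    """Map of open management ports that are not intentionally hosted services.
    An empty result means the router passes the step 3 check."""
    return {p: MANAGEMENT_PORTS[p] for p in sorted(open_ports)
            if p in MANAGEMENT_PORTS and p not in allowed_services}


def router_is_exposed(scan_output, allowed_services=frozenset()):
    """True if the scan shows at least one unexpected management port."""
    return bool(exposed_management_ports(parse_open_ports(scan_output), allowed_services))


# Constructed sample report: SSH, HTTP, HTTPS and Winbox reachable, SMTP filtered.
SAMPLE_SCAN = """\
Nmap scan report for 198.51.100.10
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
443/tcp   open     https
8291/tcp  open     unknown
25/tcp    filtered smtp
"""

if __name__ == "__main__":
    # Assume HTTPS on 443 is a service deliberately hosted behind the router.
    for port, name in exposed_management_ports(parse_open_ports(SAMPLE_SCAN), {443}).items():
        print(f"port {port} ({name}) is reachable from the Internet: block it (step 4)")
```

Re-run the same script against a fresh scan after applying the firewall rule; the result should be empty.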
