On Friday, the FBI issued a formal warning about a cyber attack that has the potential to compromise hundreds of thousands of home and small office routers worldwide.
As an MSP servicing small- and medium-sized businesses, your clients could be affected. This post will cover what MSPs need to know about this cyber attack warning, as well as how you should handle the issue with your clients.
The Potential Threat
A warning was issued by the FBI about a new type of malware, known as VPNFilter, that targets consumer-grade routers manufactured by Linksys, Netgear, MikroTik, and TP-Link, as well as QNAP network-attached storage devices. The malware is very difficult to detect because these devices do not generally include native security software and are directly connected to the Internet. As of now, the analysis of the malware is preliminary, and the complete list of impacted devices is not yet known.
To defend against this potential attack, here is what the FBI recommends, taken from their PSA alert issued on Friday, May 25:
“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”
In general, the following steps should be taken for network devices and routers, even if they are not known to be vulnerable to VPNFilter:
- Ensure that the default login credentials for the device have been changed
- Verify that the ability to remotely manage the device is either disabled or restricted to trusted IP addresses
- Update the device to the latest version of firmware available from the manufacturer
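As an added example (not from the original post or any vendor's tooling), here is a small Python audit that runs an MSP device inventory through the three checks above and adds a reboot reminder for the vendors named in the advisory. The inventory records, model names, firmware versions, latest-firmware table and trusted management range are all constructed sample data.

```python
# Added example (not from the original post): audit an MSP device inventory
# against the three checklist items. All inventory records, model names,
# firmware versions and the trusted range below are constructed sample data.
import ipaddress

# Vendors named in the VPNFilter advisory; a match adds a reboot reminder.
VPNFILTER_VENDORS = {"linksys", "netgear", "mikrotik", "tp-link", "qnap"}

# Constructed: latest firmware the MSP knows about for each managed model.
LATEST_FIRMWARE = {"RB750": "6.42.1", "R7000": "1.0.9.42", "WRT1900AC": "1.1.11"}


def version_tuple(ver):
    """Turn '6.42.1' into (6, 42, 1) so versions compare numerically."""
    return tuple(int(part) for part in ver.split("."))


def remote_mgmt_exposed(allowed, trusted):
    """True if any allowed management source is not inside a trusted range."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    for cidr in allowed:
        net = ipaddress.ip_network(cidr)  # "0.0.0.0/0" means open to anyone
        if not any(net.subnet_of(t) for t in trusted_nets):
            return True
    return False


def audit_device(dev, trusted):
    """Return the list of actions a technician should take for one device."""
    findings = []
    if not dev["default_creds_changed"]:
        findings.append("change default login credentials")
    if dev["remote_mgmt_enabled"] and remote_mgmt_exposed(dev["remote_mgmt_allowed"], trusted):
        findings.append("disable remote management or restrict it to trusted IPs")
    latest = LATEST_FIRMWARE.get(dev["model"])
    if latest and version_tuple(dev["firmware"]) < version_tuple(latest):
        findings.append(f"update firmware {dev['firmware']} -> {latest}")
    if dev["vendor"].lower() in VPNFILTER_VENDORS:
        findings.append("reboot device per FBI advisory")
    return findings


if __name__ == "__main__":
    trusted = ["203.0.113.0/24"]  # constructed: the MSP's management range
    inventory = [  # constructed sample records
        {"vendor": "MikroTik", "model": "RB750", "firmware": "6.40.2",
         "default_creds_changed": False, "remote_mgmt_enabled": True,
         "remote_mgmt_allowed": ["0.0.0.0/0"]},
        {"vendor": "Ubiquiti", "model": "ER-X", "firmware": "1.10.5",
         "default_creds_changed": True, "remote_mgmt_enabled": True,
         "remote_mgmt_allowed": ["203.0.113.0/24"]},
    ]
    for dev in inventory:
        print(dev["vendor"], dev["model"], audit_device(dev, trusted) or ["no action"])
```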
The MSP Takeaway
With the exposure of this threat actor, and the fact that law enforcement has seized the infrastructure used to carry out and control this malware, the likelihood of a destructive attack being carried out is low. As an MSP, however, you should personally take (or prompt clients to take) the steps listed above for all network devices, even if they are not explicitly named in the advisories. Unless you mitigate the original vulnerabilities, there will be nothing stopping a different threat actor from launching a similar attack campaign.
If you or your clients have reason to believe a network device has been infected, contact the manufacturer for specific steps to remediate the issue. In general, a reset of the device back to the factory default settings and/or a firmware update will be required to remove the malware, so be sure to make note of any configuration parameters prior to performing the remediation.
I will continue to update this story as it develops.