A recent campaign by Russian state-sponsored hackers has been reported by US and UK cyber security agencies. The report indicates that automated scripts and bots were deployed to find vulnerabilities in the kind of routers that small businesses buy at retail. Routers are installed in almost every home as the connection to an ISP, and in shops, restaurants and Internet cafes to provide public Wi-Fi. These routers provide basic security, but individuals and small businesses rarely upgrade the firmware, even when the update patches a known vulnerability.
The US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the UK's National Cyber Security Centre (NCSC) jointly reported an increase in Russia-linked attacks on older network devices, including routers, firewalls and switches belonging to major ISPs, mainly located in the US.
Vulnerabilities in Older Firmware and Unchanged Router Passwords
These automated attacks target two weaknesses: router firmware that has not been updated, and routers that still use the default passwords set by the manufacturer. Both are common in small businesses and homes where security practice is weak. Users often leave the default password on the router's admin console, unknowingly giving access to anyone with a list of manufacturer default passwords.
Operating systems and software are easily updated, but routers are often forgotten, even in the enterprise. Router manufacturers publish patches on their sites, but these users rarely download and install them: either they don't know an update exists, or they don't know how to update router firmware, which takes more networking knowledge than an OS update.
On April 16, 2018, the United States Computer Emergency Readiness Team (US-CERT) issued Alert TA18-106A concerning Russian state-sponsored cyber actors scanning millions of routers for vulnerabilities in both the US and UK. An industry partner discovered the malicious activity and reported it to NCCIC and the FBI. The scans reveal the make and model of each router found, letting the attackers build an inventory of vulnerable devices to exploit later at will. Targeted devices included:
- Generic Routing Encapsulation (GRE) Enabled Devices
- Cisco Smart Install (SMI) Enabled Devices
- Simple Network Management Protocol (SNMP) Enabled Network Devices
While some targets are firewalls and switches belonging to internet service providers, critical infrastructure and major corporations, the majority are consumer-grade routers. Consumer IoT devices are also involved. According to National Security Council Cybersecurity Coordinator Rob Joyce, there is high confidence that Russia has carried out a coordinated campaign to gain access to enterprise routers, small office/home office (SOHO) routers and residential routers worldwide.
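As an added example (not code from the alert, from DHS/NCSC, or from TitanHQ), the script below shows what the SNMP part of such a scan looks like and turns it into a self-audit. It builds a raw SNMPv1 GetRequest for sysDescr.0, the object a scanner reads to learn a device's make, model and firmware string, parses the GetResponse, reports devices that answer to the factory-default community strings "public" or "private", and checks whether Cisco Smart Install is reachable on TCP/4786. The function names, the default host list and any sample response are assumptions for illustration; GRE is not probed. Run it only against devices you are authorised to test.

```python
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # sysDescr.0: the vendor / model / firmware string a scanner harvests

def ber_len(n):  # BER length octets: short form below 0x80, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def encode_int(value):  # ASN.1 INTEGER, minimal two's-complement encoding
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(oid):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, request_id, oid, value_tlv):
    """SNMPv1 Message ::= SEQUENCE { version 0, community, PDU { request-id, 0, 0, varbinds } }."""
    varbind = tlv(0x30, encode_oid(oid) + value_tlv)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def build_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    return build_message(0xA0, community, request_id, oid, tlv(0x05, b""))  # GetRequest, value NULL

def build_get_response(community, value, oid=SYS_DESCR_OID, request_id=1):
    return build_message(0xA2, community, request_id, oid, tlv(0x04, value))  # what an agent replies

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def fields(buf):  # split a constructed BER body into its (tag, body) children
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        out.append((tag, body))
    return out

def parse_get_response(packet):
    """Return (request_id, error_status, value string), or None if this is not a well-formed GetResponse."""
    try:
        tag, msg, _ = read_tlv(packet)
        _version, _community, (pdu_tag, pdu) = fields(msg)
        if tag != 0x30 or pdu_tag != 0xA2:
            return None
        (_, rid), (_, err), _index, (_, vblist) = fields(pdu)
        (_, varbind), = fields(vblist)          # we asked for exactly one object
        _oid, (_, value) = fields(varbind)
    except (IndexError, ValueError):           # truncated or unexpected structure
        return None
    return (int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True),
            value.decode("utf-8", "replace"))

def snmp_sysdescr(host, community, timeout=2.0):
    """Ask host for sysDescr.0 over UDP/161; None on timeout, SNMP error or malformed reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, 161))
        try:
            parsed = parse_get_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return None
    return parsed[2] if parsed and parsed[1] == 0 else None

def smart_install_open(host, timeout=2.0):
    """Cisco Smart Install listens on TCP/4786; it should never be reachable from untrusted networks."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, 4786)) == 0

def audit(hosts, communities=("public", "private")):
    """List (host, finding, detail) for devices answering a default community or exposing Smart Install."""
    findings = []
    for host in hosts:
        for community in communities:
            descr = snmp_sysdescr(host, community)
            if descr is not None:
                findings.append((host, "snmp-default-community:" + community, descr))
        if smart_install_open(host):
            findings.append((host, "smart-install-open", "tcp/4786"))
    return findings
```

Point `audit()` at your own gateway addresses (for example `audit(["192.168.1.1"])`). A device that hands back its sysDescr for "public" is exactly the inventory entry an attacker gets for free; the fix is to disable SNMPv1/v2c or set a unique community string and restrict it to a management network, and to disable Smart Install (or block TCP/4786 at the edge) wherever it is not in use.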
Hacked Routers Used for Man-in-the-Middle Attacks
Once a router is compromised, the attackers use it for MitM attacks in support of corporate espionage. They capture credentials or intercept data such as intellectual property while unaware users continue to use the compromised device. MitM attacks are difficult for the end user to detect because no virus or malware interrupts activity on their machine: traffic flows as normal while the attacker silently copies it.
Experts report that millions of devices have already been compromised, and these could be leveraged in future attacks. ISPs and any business running a retail-bought router should update the firmware and ensure that default passwords are changed.
Russian state-sponsored attacks have increased over the years. Vulnerabilities exploited by these attackers have been used to interfere with elections, bring down power grids, and halt business operations across the globe. In previous years they mainly targeted Ukraine, but this campaign focuses on US-based businesses and ISPs.
This is not the first time that Russian operatives have targeted SOHO and residential devices. The Department of Homeland Security has observed Russian scanning for router vulnerabilities over the past two years. Like many hackers, these state-sponsored perpetrators take advantage of outdated devices and weak security configurations. Routers and similar devices are often not maintained with the same vigilance as servers and computers: a large percentage still use their default admin passwords, and many no longer receive security or firmware patches.
The technical alert advises all router owners to change every default credential and not to reuse a password across devices. Simple passwords such as "12345678" should not be used, because these attackers run brute-force attacks that try username and password combinations until the device is accessed. The DHS also recommends that people "retire and replace legacy devices" that cannot be updated.
The technical alert is also directed at manufacturers, encouraging them to design these devices with security in mind from the ground up. That means dropping support for outdated and unencrypted protocols, and forcing a password change on first boot, as many enterprise-level systems already do. As for the multitude of IoT devices in homes today, these are often shipped without any security at all in order to keep them cheap. This is the first time government officials have reached out to both the public and manufacturers with advice on improving the security of the devices involved.
DDoS attacks against government sites
Government officials believe this large-scale scanning effort is part of Putin's broader plan to disrupt the West. The question is to what end. Routers operated by ISPs can be used for espionage: to steal intellectual property, or to collect information on ISP customers for use at a later time. Compromised home routers and IoT devices can be marshalled into massive DDoS attacks against government sites and Internet infrastructure. The attraction of these devices is that Russia could deny responsibility for such an attack.
"Once you own the router, you own the traffic," says a top DHS cybersecurity official. State-sponsored cyber attacks are a national security concern for both the US and UK, as hackers look to exploit vulnerabilities to affect elections, power grids and commerce. The US has combated such attacks from Russia, Iran and North Korea. By publicizing this alert, both countries are sending a deliberate message to Putin and his government that such malicious endeavors are unacceptable and will not be tolerated. Said one UK official, "The attribution of this malicious activity sends a clear message to Russia -- we know what you are doing and you will not succeed."
The Russians, of course, have responded to these accusations. In an emailed comment from the Russian Embassy in London, a spokesperson called the accusations and speculation reckless, provocative and unfounded, and asked the two Western nations to offer proof to back up the outlandish claims.
For many years it has been said that whoever controls the oceans with their navy, or dominates the skies with their air force, controls warfare. In the future, whoever controls the world's Internet infrastructure will have a significant advantage as well.
Hacked Devices Can Be Used in Future Attacks
Corporate espionage isn't the only consequence of these attacks. Attackers can leave backdoor code that stays dormant until they later issue a command to attack businesses. DDoS attacks launched from compromised devices have been behind some of the biggest attacks on the Internet, taking down large businesses and critical Internet services such as DNS.
Case Study
As a web filtering service provider, Family-Guard is growing at a staggering rate, adding customers to its service daily. WebTitan for Wi-Fi allows Family-Guard to offer web content controls to its customers easily. Deployed as a cloud-based service, it is a DNS-based solution requiring only a simple DNS redirect to the WebTitan servers. See the full web filtering service provider case study here.
Strong Layer of Protection for Routers and Wi-Fi Set-Up
The Internet is critical to most people these days. Unfortunately, malicious websites, spyware and viruses present real threats to Internet users that cannot be ignored. If you offer public Wi-Fi or own a Wi-Fi router for public Internet connectivity, you can reduce the risk of a compromise and control web browsing using WebTitan Cloud for Wi-Fi.
WebTitan Cloud for Wi-Fi adds a strong layer of protection to your customers' router and Wi-Fi set-up. WebTitan fits in a place where nothing else really does. MSPs that sell routers can use WebTitan for Wi-Fi to ensure safe, filtered Wi-Fi access for their customers. Public Wi-Fi should always be run under strict security rules, and router firmware should be updated regularly.