An announcement by the Australian Cyber Security Centre (ACSC) warned Australian users to be careful of malware called VPNFilter. It is dangerous because it can collect whatever data flows through an infected device and, worse, it can disable the device.
The ACSC is alerting Australian users to be aware of the VPNFilter malware. It is known to affect networking equipment including Linksys, MikroTik, Netgear and TP-Link, as well as QNAP network-attached storage (NAS) devices.
The malware compromises the device itself. Once a device is infected, network traffic traversing it, including website credentials, can be collected.
The malware can also be used to collect data that flows through the device. This could be for straightforward data-collection purposes, or to assess the potential value of the network that the device serves. If the network is judged to hold information of interest, the attacker can either continue collecting content that passes through the device or propagate into the connected network for data collection.
More importantly, the malware can also be used to disable the device. This can be triggered on individual victim devices or en masse, and could cut off internet access for hundreds of thousands of victims worldwide.
The VPNFilter malware is known to have infected 500,000 devices in at least 54 countries. The types of devices it targets are difficult to defend: they are regularly on the perimeter of the network, without any intrusion protection system (IPS) in place, and typically cannot run a host-based protection system such as an anti-virus (AV) package.
The ACSC has released recommendations that Australian users can apply to their devices in order to protect them against this malicious activity.
First, update network devices to the latest available version of their firmware. It is important to note that updates are typically not automatic; users should visit the manufacturer's website for specific information on how to apply them.
Second, disable network device management interfaces, such as Telnet, SSH, Winbox and HTTP/S, on WAN interfaces. If remote management of the router is required, ensure that a complex password is used and that the management protocol supports encrypted remote connections, such as SSH or HTTPS.
Third, something as simple as remembering to change the router's default login password during initial setup.
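As an added example (not part of the ACSC advisory), the three recommendations mapped onto a MikroTik RouterOS configuration, since Winbox is one of the management interfaces the advisory names. It assumes ether1 is the WAN port and 192.168.88.0/24 is the LAN subnet administrators connect from; both are placeholders for your own setup.

```routeros
# Added example, not from the ACSC advisory.
# Assumptions: ether1 is the WAN interface; 192.168.88.0/24 is the LAN.

# Recommendation 1: firmware updates are not automatic, so check and
# install explicitly (install only does something if an update exists).
/system package update check-for-updates
/system package update install

# Recommendation 2a: turn off plaintext and unneeded management services.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

# Recommendation 2b: keep the encrypted services, but answer only to the
# LAN subnet instead of the default "any address" (www-ssl also needs a
# certificate assigned to be usable).
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24 disabled=no

# Belt and braces: drop management ports arriving on the WAN side.
# Skip the first two lines if the default config already defines a WAN list.
/interface list add name=WAN
/interface list member add interface=ether1 list=WAN
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 action=drop comment="drop management ports from WAN"

# Recommendation 3: replace the default (empty) admin password.
/user set admin password="REPLACE-WITH-A-LONG-UNIQUE-PASSPHRASE"
```

Afterwards, confirm the result with `/ip service print` and `/ip firewall filter print`, and verify from outside the LAN that the listed ports no longer respond.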
Separately, a recent report emphasised an increase in botnet-assisted attacks, amplification DDoS attacks, and the return of long-lasting, multi-day DDoS attacks. A distributed denial-of-service (DDoS) attack is one in which multiple compromised computer systems attack a target, such as a server, website, system or other network resource, causing a denial of service for users of the targeted resource.
Such an attack typically floods the targeted servers, systems or network to sabotage the victim. As the target system slows down or even crashes, legitimate users can no longer use it.