Cisco's security research team has uncovered an attack campaign that has infected more than 500,000 consumer Wi-Fi routers. The compromised devices can be marshalled into a massive botnet and used to launch a heavyweight cyberattack.
According to the findings, the attack appears to be the work of a state-sponsored actor. The malware used to infect the devices has been named VPNFilter. Because it shares a substantial amount of code with BlackEnergy, the malware used in large-scale attacks on Ukraine, it could be tied to the Russian government.
It is worth noting that the Cisco report does not mention Russia directly, but the code overlap certainly points that way. In a related development, the FBI has seized a key piece of the attack infrastructure: the domain ToKnowAll.com, which, according to the agents, Russian hackers were using to deliver the second stage of the malware to infected devices.
As for the routers currently infected, the devices are made by major vendors including TP-Link, NETGEAR, Linksys, and MikroTik.
VPNFilter is particularly concerning because it carries code to steal website credentials and to render the infected router unusable. Moreover, it has “the potential of cutting off internet access for hundreds of thousands of victims worldwide.”
VPNFilter is a multistage, modular platform. Stage 1 is the only stage that persists through a reboot; its job is to use several redundant command-and-control mechanisms to discover the IP address of the stage 2 deployment server, so that the infection can be re-armed even after the device restarts. Stage 2, which does not survive a reboot, performs the intelligence-collection work (file collection, command execution, data exfiltration and device management); some versions of it also carry a self-destruct capability that overwrites a critical portion of the device's firmware and reboots it, leaving the router unusable. Stage 3 modules act as plugins that extend stage 2.
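Because stage 1 survives reboots and keeps trying to locate the stage 2 server, DNS lookups for the seized ToKnowAll.com domain mentioned above remain a useful indicator that a device still carries the persistent first stage, even though the domain no longer serves the payload. The following is an added example written for this article, not code from Cisco or from the VPNFilter analysis: it scans resolver log lines for lookups of that domain and reports which client addresses made them. The log format (dnsmasq-style `query[A] name from client`) and the sample lines are constructed for illustration; the only indicator it knows is the domain the article names.

```python
import re
from collections import defaultdict

# Stage 2 deployment domain named in the article (seized by the FBI).
# Add further indicators only from sources you trust; none are invented here.
C2_DOMAINS = {"toknowall.com"}

# Constructed sample resolver log (not real traffic), dnsmasq-style
# "query[TYPE] name from client" lines.
SAMPLE_LOG = """\
May 23 10:14:02 gw dnsmasq[412]: query[A] www.example.com from 192.168.1.20
May 23 10:14:05 gw dnsmasq[412]: query[A] toknowall.com from 192.168.1.1
May 23 10:14:07 gw dnsmasq[412]: query[A] cdn.toknowall.com from 192.168.1.1
May 23 10:14:09 gw dnsmasq[412]: query[AAAA] nottoknowall.com from 192.168.1.33
May 23 10:14:12 gw dnsmasq[412]: query[A] update.netgear.com from 192.168.1.1
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def matches_c2(name: str, domains=C2_DOMAINS) -> bool:
    """True if name is a C2 domain or a subdomain of one.

    The comparison is done label-wise (exact match or ".domain" suffix),
    so look-alike names such as nottoknowall.com do not match by substring.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def find_c2_lookups(log_text: str) -> dict:
    """Return {client_ip: [queried names]} for every lookup of a C2 domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_c2(m.group("name")):
            hits[m.group("client")].append(m.group("name"))
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_c2_lookups(SAMPLE_LOG).items():
        print(f"{client} looked up: {', '.join(names)}")
```

One caveat for anyone running something like this at home: an infected router that does its own resolution will not log through the LAN resolver at all, so the more reliable vantage point is egress firewall or upstream DNS logs, where the router's own WAN-side queries are visible.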
The most likely infection vector is weak or missing authentication and the use of default credentials on the routers. While Cisco has not confirmed a specific exploit, the absence of basic security measures on home and small-office routers appears to be what allowed the malware to spread.