In the past few weeks, the nerd news has been full of network security alerts and discussions about issues potentially lurking on every network, especially smaller ones. These are not the things we normally worry about either. You usually think Windows, Office, Adobe, etc. patches are the main alerts to worry about on your network. These are new alerts that could apply to every network you use, including home, public wifi, and work.
As usual, we are here to explain them as best we can – in English. Tech folks, you should listen up to what we expect you to be doing for our listeners who rely on you, too.
The latest issue starts when the FBI makes a public service announcement requesting that everyone reboot their routers. There has never been anything like this before, at least that I can recall.
FBI Public Service Announcement to reboot your routers on May 25.
Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.
VPNFilter malware is pretty significant in many ways. It seems to be tied, yet again, to Russian state attacks. Specifically, they suspect Fancy Bear, which the US believes is backed by Russian intelligence organizations. They are constantly testing new techniques for attacks. This one appears to have worked really well. The list of devices started out with just a few vendors. It was later expanded to include even more. That also may change soon. At this point, they estimate over 500,000 devices. That number will likely grow.
It isn’t that you just reboot and you are fine, though. A router reboot is a temporary fix. There is more you should really evaluate. Even in the initial alert, they recommended doing more.
Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.
It turns out that the reboot just cleared the 2nd and 3rd stages of the malware. The first stage remained active after the reboot. It also happened to be the piece of the malware that lets the hackers load software remotely. Stage 2 allows it to do things like file collection, command execution, data exfiltration, device management, and more. By Stage 3 it is able to understand, capture, and track all of the traffic flowing through the device.
And, just in case you think it doesn’t matter to you, it can brick your router. No internet connection for you. Imagine what would happen in the US if even 100,000 routers were shut down at the same time in one city – maybe Atlanta.
Every new update on this stuff makes it seem much worse than they thought on the last update.
Check your router devices and update the firmware on all of them. In fact, some experts have suggested you “nuke and pave” all your SOHO routers.
This stuff also infects NAS devices. If you have them, someone needs to check on them too. Update the firmware because it is a great time to do it even if you don’t need it. Check the list of impacted devices to see if it is on there with additional mitigation requirements.
Did you miss other network security alerts?
Last year a big one was released about network printer vulnerabilities involving 20 different vendors. Not random names, but HP, Lexmark, Brother, Dell, Samsung, Konica Minolta, etc. All a hacker needs is to find the IP address of a printer with any of these vulnerabilities, and it is just a matter of time before they are able to capture all of the printed information and send a copy to themselves.
What might be on your network that you don’t know about?
Shadow IT is a thing you should understand. It is what we call it when people who know enough about IT and networks to get in trouble start “helping” you out by updating things, adding things, showing people the way around things, etc.
Examples of how this could get you in trouble include downloading apps, setting up streaming services, adding IoT devices, and creating “secret networks” that are just part of your normal network but that they have control of. When they have done all of their helping, you don’t know what printers, routers, and other devices (Xbox maybe) actually live on your network every day.
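One practical way to answer "what actually lives on my network?" is to compare what the network currently shows you against a list of the devices you know about. The script below is an added example written for this post, not something from the show or from any vendor: it parses the output of `arp -a` (the Linux format is assumed) and flags devices whose hardware address is not in a known-asset inventory, plus known devices that turned up at an unexpected address. The ARP output and the inventory are constructed placeholders, not real devices.

```python
"""Compare devices currently seen on the LAN with a known-asset inventory.

The ARP sample and the inventory below are constructed for this example;
the MAC addresses, hostnames and IPs are placeholders, not real devices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the Linux `arp -a` format (not captured from a real network).
SAMPLE_ARP_OUTPUT = """\
router.lan (192.168.1.1) at 02:00:00:aa:bb:01 [ether] on eth0
printer.lan (192.168.1.20) at 02:00:00:aa:bb:20 [ether] on eth0
? (192.168.1.77) at 02:00:00:aa:bb:77 [ether] on eth0
nas.lan (192.168.1.30) at 02:00:00:aa:bb:30 [ether] on eth0
? (192.168.1.5) at <incomplete> on eth0
? (192.168.1.99) at 02:00:00:aa:bb:99 [ether] on eth0
"""

# Constructed inventory: MAC -> (description, expected IP). Placeholders only.
KNOWN_ASSETS = {
    "02:00:00:aa:bb:01": ("SOHO router", "192.168.1.1"),
    "02:00:00:aa:bb:20": ("Office printer", "192.168.1.20"),
    "02:00:00:aa:bb:30": ("NAS", "192.168.1.31"),  # deliberately differs from the ARP sample
}

# Matches "host (ip) at mac"; octets may be 1 or 2 hex digits so macOS-style
# output such as "2:0:0:aa:bb:1" is accepted as well.
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Seen:
    host: str
    ip: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet so '2:0:0:AA:bb:1' == '02:00:00:aa:bb:01'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp(text: str) -> list[Seen]:
    """Parse ARP table lines; entries marked <incomplete> carry no MAC and are skipped."""
    seen = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        seen.append(Seen(m["host"], m["ip"], normalize_mac(m["mac"])))
    return seen


def audit(seen: list[Seen], inventory: dict) -> tuple[list[Seen], list[tuple[Seen, str]]]:
    """Return (unknown devices, known devices seen at an IP other than the expected one)."""
    unknown = [s for s in seen if s.mac not in inventory]
    moved = [
        (s, inventory[s.mac][1])
        for s in seen
        if s.mac in inventory and inventory[s.mac][1] != s.ip
    ]
    return unknown, moved


def report(text: str = SAMPLE_ARP_OUTPUT, inventory: dict = KNOWN_ASSETS) -> list[str]:
    """Build human-readable findings; returned as lines so they can be checked or printed."""
    seen = parse_arp(text)
    unknown, moved = audit(seen, inventory)
    lines = [f"{len(seen)} devices seen, {len(unknown)} not in inventory"]
    for s in unknown:
        lines.append(f"UNKNOWN  {s.ip:<15} {s.mac}  ({s.host})")
    for s, expected in moved:
        desc = inventory[s.mac][0]
        lines.append(f"MOVED    {s.ip:<15} {s.mac}  {desc}, expected {expected}")
    return lines


if __name__ == "__main__":
    # To use on a real host, replace SAMPLE_ARP_OUTPUT with the text of `arp -a`.
    print("\n".join(report()))
```

Unknown entries are the starting point for the conversation with whoever "helped" set things up; a known device at a different address is worth a second look too, since it may simply have picked up a new DHCP lease, or it may not be the device you think it is. ARP only shows hosts your machine has talked to recently, so run it from a few places on the network, or pair it with the DHCP lease list on the router, before treating the result as complete.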
How can you protect yourself if you don’t even know what you have to worry about? All of the folks who think they don’t need some sort of professional help in keeping up with these things and responding to them should rethink that strategy. As devices proliferate, so will these kinds of vulnerabilities. It will soon be unacceptable to ignore security altogether. National security concerns are not minimal when you realize the capabilities of VPNFilter and realize it likely is planted malware by an arm of the Russian intelligence organizations.