- Posted June 25, 2018
- By Thomas Clancy Jr.
On May 25th, the FBI released an alert asking everyone in the nation to reboot their routers. This was their recommended cure for a nasty hack called VPNFilter that affected small-business/home-grade routers. This is bad news. But what’s worse is that rebooting the router didn’t actually FIX the problem. If your router was affected, you’d need to wipe the device back to factory settings and reconfigure your network by hand. That’s REALLY bad news. Anyone who read the alert, or the NY Times article, or followed the tweet and blasted their IT team, then followed the instructions and thought they were safe… was in fact not safe at all.
So, what’s the good news?
If you’re a Valiant client, you’re not affected. That’s the good news. The manufacturers and models that were caught in the web of this hack were from Linksys, MikroTik, Netgear, QNAP and TP-Link. These are consumer-grade brands, and not up to our standards. These devices are of a class that Valiant never deploys at customer sites, and we don’t allow them in your networks. Valiant proudly uses SonicWall and/or Cisco Meraki as network core gear: industry-leading security, top-quality support, in-depth defense against the dark arts. You can read these manufacturers’ statements on their resistance to VPNFilter by clicking the links above.
Events like this VPNFilter attack are why we are such sticklers about buying what at first seem like more expensive solutions. Yes, they are more expensive than home gear. For sure! The more expensive solution works, keeps you safe, has great support, and is more resistant to bad guys than the cheap box your cousin bought at Best Buy.
If you want to get safe, stay safe, and know that someone is watching your back, stay on the path to The Valiant Way and get the right gear for the job.
How did the attack work?
The way the attack worked was pretty clever. The attack would make the device “eavesdrop” on all traffic passing through it, looking specifically for tasty morsels like usernames and passwords. More specifically still, if the router detected traffic from systems using “SCADA” (industrial control protocols, typically used in chemical, nuclear and heavy manufacturing), then additional attacks would follow and work to kill the big equipment used on site. Clearly, someone out there wanted to do damage to very expensive facilities! Of course, why would a big expensive facility have a tiny cheapo router on the network?
What did the FBI do?
Because the affected routers would occasionally check in with a particular website (https://toknowall.com) to get instructions and do bad things, the FBI counter-attacked and tore out the heart of the beast. The FBI seized and took over that website, effectively cutting the attack off at the source. Now when the affected devices check in, they get no instructions, so they do nothing and basically just behave normally.
Why did the FBI tell us to reboot when rebooting doesn’t fix it?
Simply put: to measure the impact. Every time an affected device rebooted, it attempted to “phone home” to the hacker central site, and since the FBI is now sitting on that site, the FBI gets a sense of just how many devices were subjected to this hack. It turns out there were over 500,000 devices in 54 countries! And again, remember, without this central site in play, affected devices are essentially “safe”, if a bit corrupted.
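The same reboot-and-count trick works on your own network if you keep DNS resolver logs: any device that looks up the check-in domain named above has phoned home. The script below is an added example, not code from the post or from Valiant; the log line format and the sample lines are constructed assumptions.

```python
import re

# Constructed sample DNS resolver log lines (not real data). Assumed format:
# <timestamp> <client_ip> query <qname> <qtype>
SAMPLE_DNS_LOG = """\
2018-05-26T03:12:08Z 192.168.1.1 query toknowall.com A
2018-05-26T03:12:09Z 192.168.1.1 query toknowall.com A
2018-05-26T03:14:01Z 192.168.1.23 query example.org A
2018-05-26T04:30:55Z 10.0.0.1 query TOKNOWALL.COM. A
2018-05-26T04:31:02Z 10.0.0.7 query cdn.example.net AAAA
2018-05-26T05:02:13Z 192.168.1.23 query mail.example.org MX
"""

# The check-in domain named in the post (now sinkholed by the FBI).
C2_DOMAINS = {"toknowall.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'TOKNOWALL.COM.' still matches."""
    return qname.lower().rstrip(".")


def is_c2_lookup(qname: str, c2_domains=C2_DOMAINS) -> bool:
    """True if qname is a C2 domain or any subdomain of one."""
    name = normalize_qname(qname)
    return any(name == d or name.endswith("." + d) for d in c2_domains)


def find_checkins(log_text: str, c2_domains=C2_DOMAINS):
    """Return {client_ip: [timestamps]} for every client that resolved a C2 domain."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip malformed lines rather than crash on them
            continue
        if is_c2_lookup(m["qname"], c2_domains):
            hits.setdefault(m["client"], []).append(m["ts"])
    return hits


def count_affected_devices(log_text: str) -> int:
    """Distinct clients that phoned home: the figure the FBI read off its sinkhole."""
    return len(find_checkins(log_text))
```

Each distinct client IP in the result is a router to factory-reset, not just reboot.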
So, who did this?
The attack is sophisticated, well-written, targets heavy industry, and most infections were in the Ukraine. Who has been hassling the Ukraine the past few years? Who has a vested interest in keeping that country and the Crimea unstable in general? You got it. Rootin Tootin Vladimir Putin. I’m not saying he did it. I’m not saying he had it done. I’m saying what the big boys are saying. It makes SENSE that it was them, but we can’t prove it, yet.