Macro Systems Blog

Macro Systems has been serving the Metro Washington, DC area since 1997, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

Some Advice on Malware Concerning Your Router


Cybercriminals and hackers, like most people, have a tendency to gravitate towards high-reward activities. In this instance, that means that focus is turning to developing malware that attacks the router, potentially infecting the users who rely on it to connect wirelessly to the Internet. Researchers at Kaspersky Lab discovered an example of such malware; let's examine this threat and how to best protect your network.

Slingshot
This menace targets MikroTik routers and uses a multi-layer attack to spy on the PCs connected to the router. By replacing a library file with a malicious alternative that eventually downloads other pieces of the malware, Slingshot is able to bypass security solutions unharmed. It then initiates a two-pronged attack, one leveraging low-level kernel code to give a hacker carte blanche access to a system, the second managing the file system and preserving the malware.

Not only does this assault access further code from an encrypted virtual file system, it does so without crashing its host. The quality and complexity of this attack led the security experts at Kaspersky Lab to deduce that it was state-sponsored. Based on reports, this malware can collect nearly any data that it wants to from its target, ranging from keystrokes to passwords to screenshots to network traffic.

According to MikroTik, their routing firmware has received a patch for this vulnerability, but it is still not known whether routers from other manufacturers are impacted. If they are, Slingshot could become much more dangerous than it already is.

Other Types of Router Malware
Naturally, Slingshot isn’t the only problem that haunts router security. The fail-safes and security measures baked into routers have been historically unreliable. This can mostly be blamed on manufacturers building numerous products without a comprehensive strategy concerning their security. Nonetheless, this doesn’t mean that the user is off the hook; it's up to them to actually update the router’s firmware. Also, the updating process is usually challenging and time-consuming.

Cybercriminals will often change the DNS server setting on a router in order to attack a network. Instead of directing you to the secure website you are trying to access, the altered DNS will send you to a phishing site. Since these sites are often convincingly created to trick their targets, you may not realize you are being victimized until it's too late.

Hackers will also often utilize methods like bombarding their targets with ads or infiltrating them via drive-by download. Some attacks leverage cross-site request forgery, where a hacker will construct a rogue piece of JavaScript that will attempt to load a router’s web-admin page to change the router’s settings.

How to Reduce Damage to You
If you suspect at all that you are the target of a router-based attack, your first step is to confirm that something is wrong. While there are numerous ways to accomplish this, the most effective is to check if your DNS server has been altered. To check, you’ll need to access your router’s web-based setup page, and then the Internet connection screen. If your DNS setting is “automatic,” you should be good. If it says “manual,” with custom DNS servers entered, you may have an issue.
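A complementary check from a PC connected to the router, added here as an example and not part of the original post: it parses a Linux-style `/etc/resolv.conf` and flags any DNS server that is neither on the local network nor on a list you expect. The `EXPECTED_RESOLVERS` list and the sample file content are constructed assumptions; substitute your own.

```python
import ipaddress

# Assumption: the resolvers you chose or your ISP assigns. Replace with your own.
EXPECTED_RESOLVERS = {"9.9.9.9", "149.112.112.112"}

# Ranges treated as "on the LAN" (RFC 1918, link-local, IPv6 ULA/link-local).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample of /etc/resolv.conf content (not taken from a real host).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.88.1
nameserver 203.0.113.53
nameserver 9.9.9.9
options edns0
"""

def parse_nameservers(text):
    """Return the IP addresses on 'nameserver' lines, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # Drop an IPv6 zone suffix such as %eth0 before parsing.
                servers.append(ipaddress.ip_address(parts[1].split("%")[0]))
            except ValueError:
                continue  # malformed entry: skip rather than crash
    return servers

def classify(addr, expected=EXPECTED_RESOLVERS):
    if str(addr) in expected:
        return "expected"
    if addr.is_loopback:
        return "local-stub"      # e.g. a caching stub resolver on this PC
    if any(addr in net for net in LAN_NETS):
        return "lan-forwarder"   # usually the router; its upstream is not visible here
    return "unexpected"          # public resolver you did not choose: investigate

def needs_review(text, expected=EXPECTED_RESOLVERS):
    """List the resolver addresses that warrant a closer look."""
    return [str(a) for a in parse_nameservers(text)
            if classify(a, expected) == "unexpected"]

if __name__ == "__main__":
    for a in parse_nameservers(SAMPLE_RESOLV_CONF):
        print(f"{a}: {classify(a)}")
```

A `lan-forwarder` result only means the PC is asking the router; the router's own upstream DNS setting still has to be checked on its setup page as described above.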

To limit damage in the case of compromise, you’ll need to ensure that your router matches the specifications set by the manufacturer. To accomplish this, follow the steps below:

  • Promptly install firmware updates: Making sure your router’s firmware is up-to-date will help you keep it secure.
  • Deactivate remote access: By disabling the ability for your router to be accessed remotely, you prevent the chance of someone changing the settings without your authorization.
  • Deactivate UPnP: While there is certainly some convenience to be had with the assistance of plug and play capabilities, UPnP could lead to your router getting hacked because it is predisposed to trust any requests it receives.
  • Alter your access credentials: A simple way to upgrade your security is to change your access credentials away from the router defaults.

If you want to learn more about your cybersecurity, the professionals at Macro Systems are here to help you keep your network and infrastructure safe. Call us at 703-359-9211.
