through the device, or that can use the device as a platform to launch attacks against other networks. VPNFilter is believed to have been targeting energy companies in the Ukraine.

Most malware infecting devices, however, has a much more benign goal – mining cryptocurrencies. Cryptocurrencies are currently by far the most common method that criminals use to monetise attacks from the devices they are taking over. No device is too small. Monero, for example, one of the primary cryptocurrencies being targeted by criminals these days, can be mined very efficiently on smaller devices and PCs.

A typical attack will first scan the device for common vulnerabilities or well-known default passwords. If the attack is able to access the device, then it will often remove competing malicious code and install its own ‘miner’ software. The software will then try to use as much of the device’s CPU as possible in order to mine cryptocoins. The attacker will usually have no regard whatsoever for any collateral damage caused to the user or the device. Affected firewalls often become unresponsive and in some cases may overheat and break permanently.

In fact, in multiple experiments run by the SANS ISC, it only took a few minutes for a vulnerable device to be attacked and taken over once it was connected to the Internet. These attacks affect any Internet-connected device. The speed at which vulnerable devices are infected shows how important it is to protect yourself from these attacks.

As even home users are affected, it is important to implement some simple and effective guidelines. First of all, always change the password that comes with your device. Default passwords are the most common attack vector. Unfortunately, in some cases it may not be possible to change the password. This is particularly true for passwords that are installed by manufacturers as a backup or support account. The user often doesn’t know about these accounts or is unable to change the passwords.

For this reason, all remote access methods should be disabled or severely restricted. Manufacturers will also often release updates if a new vulnerability becomes known. It can be tricky to apply these updates to some devices, but it is important that you do so, since at SANS, we have seen in the D-Link case how a new vulnerability is being exploited within a couple of days.

Even if the router is patched, it often remains vulnerable if the administrator does not change default passwords.

Graph: The graph shows the rise of scans for ports 80, 8000 and 8080 from Saudi Arabia and some of its neighbours over a period of 12 days.
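The three guidelines above (change the shipped password, disable or restrict remote access because some vendor accounts cannot be changed, and keep firmware current) can be turned into a small configuration audit. The following is an added example, not code from SANS ISC or the magazine: the configuration layout, the list of vendor default credentials, the version numbers and the two sample configurations are all constructed for illustration. A fixed vendor account with a default password is only treated as mitigated when remote administration is switched off, which is the reasoning the article gives.

```python
"""Audit a small-device configuration against the article's three guidelines.

Added example. The DeviceConfig format, DEFAULT_CREDENTIALS and all sample
values are constructed for this example, not taken from any real product.
"""

from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed list of vendor default credentials (hypothetical; a real audit
# would load the defaults documented for the device model in question).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("support", "support"),
}


@dataclass
class Account:
    username: str
    password: str
    changeable: bool = True  # vendor backup/support accounts are sometimes fixed


@dataclass
class DeviceConfig:
    accounts: list
    remote_admin_enabled: bool
    remote_admin_allowed_from: list = field(default_factory=list)  # CIDR strings
    firmware_version: str = "0"
    latest_firmware_version: str = "0"


def version_tuple(version):
    """Turn '2.0.13' into (2, 0, 13) so firmware versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(cfg):
    """Return a list of findings; an empty list means all three guidelines hold."""
    findings = []

    # Guideline 1: no account may still carry a vendor default password.
    for acct in cfg.accounts:
        if (acct.username, acct.password) not in DEFAULT_CREDENTIALS:
            continue
        if acct.changeable:
            findings.append(f"default password on account '{acct.username}': change it")
        elif cfg.remote_admin_enabled:
            # The user cannot change it, so the only mitigation is to take
            # remote access away (guideline 2); flag it while that is not done.
            findings.append(
                f"fixed default password on vendor account '{acct.username}' "
                "reachable remotely: disable or restrict remote administration"
            )

    # Guideline 2: remote management off, or limited to trusted source ranges.
    if cfg.remote_admin_enabled:
        if not cfg.remote_admin_allowed_from:
            findings.append("remote administration has no source restriction: disable or restrict it")
        for cidr in cfg.remote_admin_allowed_from:
            if ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"remote administration allow-list '{cidr}' matches every address: restrict it")

    # Guideline 3: firmware at the vendor's current release.
    if version_tuple(cfg.firmware_version) < version_tuple(cfg.latest_firmware_version):
        findings.append(
            f"firmware {cfg.firmware_version} is behind {cfg.latest_firmware_version}: apply the update"
        )

    return findings


# Constructed "as shipped" configuration: default admin password, a hidden
# support account the user cannot change, remote management open to the
# whole Internet, and firmware a few releases old.
AS_SHIPPED = DeviceConfig(
    accounts=[Account("admin", "admin"), Account("support", "support", changeable=False)],
    remote_admin_enabled=True,
    remote_admin_allowed_from=["0.0.0.0/0"],
    firmware_version="2.0.13",
    latest_firmware_version="2.0.17",
)

# The same device after following the guidelines: unique admin password,
# remote administration disabled (which neutralises the fixed support
# account), firmware updated.
HARDENED = DeviceConfig(
    accounts=[Account("admin", "correct-horse-battery-staple-9f2"), Account("support", "support", changeable=False)],
    remote_admin_enabled=False,
    firmware_version="2.0.17",
    latest_firmware_version="2.0.17",
)


if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run stand-alone, the script reports four findings for the as-shipped device (default admin password, remotely reachable fixed support account, an allow-list that permits every address, and outdated firmware) and none for the hardened one. In practice the `DeviceConfig` would be filled from the device's exported configuration or management API rather than constructed by hand.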
86 | Issue 03 | www.intelligentciso.com