Medical practices and other healthcare organizations that use consumer-grade networking equipment made by Linksys should take immediate steps to mitigate attacks that are spreading, after researchers at the SANS Institute reported the outbreak of a self-replicating worm on Thursday.
According to Johannes B. Ullrich, chief technology officer at SANS, an ISP in Wyoming alerted SANS to unusual network activity, which led to the discovery of the worm. It has been named “The Moon” because of a number of lunar references in code strings that could be part of a command-and-control channel. SANS indicated that, at the time of the report, the worm appeared to be doing little more than scanning for other vulnerable routers and seeding itself.
Indicators that your router has been compromised include heavy outbound scanning on ports 80 and 8080 and inbound connection attempts to miscellaneous ports below 1024. To read more about the worm and review the SANS Institute’s list of routers that could be vulnerable, click here.
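The two indicators above are easy to check mechanically if you keep connection logs from a firewall or flow collector. The script below is an added example, not code from SANS, Linksys or Eagle: it assumes a simple space-separated record format (timestamp, source IP, source port, destination IP, destination port, direction) and thresholds chosen here for illustration, and it runs over a constructed sample log in which one router is sweeping a /24 on ports 80 and 8080 while an outside host probes its low ports.

```python
"""Flag hosts that show "The Moon" worm indicators in connection logs.

Added example (not from the original post). Assumed input format,
one connection per line:
    <epoch> <src_ip> <src_port> <dst_ip> <dst_port> <in|out>
'out' = LAN/router -> Internet, 'in' = Internet -> router WAN side.
Thresholds are illustrative assumptions; tune them to your traffic.
"""
from collections import defaultdict

SCAN_PORTS = {80, 8080}              # ports the worm scans for other routers
OUT_DISTINCT_DST_THRESHOLD = 50      # assumption: this many distinct targets = scanning
IN_DISTINCT_PORT_THRESHOLD = 20      # assumption: this many low ports from one source = probe


def parse_line(line):
    ts, src, sport, dst, dport, direction = line.split()
    return {"ts": int(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "dir": direction}


def analyze(lines):
    """Return sorted (indicator, source_ip, count) tuples for suspicious sources."""
    out_targets = defaultdict(set)   # src -> distinct destinations hit on 80/8080
    in_lowports = defaultdict(set)   # src -> distinct destination ports < 1024
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["dir"] == "out" and rec["dport"] in SCAN_PORTS:
            out_targets[rec["src"]].add(rec["dst"])
        elif rec["dir"] == "in" and rec["dport"] < 1024:
            in_lowports[rec["src"]].add(rec["dport"])

    findings = []
    for src, targets in out_targets.items():
        if len(targets) >= OUT_DISTINCT_DST_THRESHOLD:
            findings.append(("outbound_scan", src, len(targets)))
    for src, ports in in_lowports.items():
        if len(ports) >= IN_DISTINCT_PORT_THRESHOLD:
            findings.append(("inbound_lowport_probe", src, len(ports)))
    return sorted(findings)


def build_sample_log():
    """Constructed sample log (documentation addresses only)."""
    lines = ["# ts src sport dst dport dir"]
    ts = 1392940800
    # a compromised router (WAN address 198.51.100.7) sweeping a /24 on 80 and 8080
    for i in range(1, 61):
        port = 8080 if i % 2 else 80
        lines.append(f"{ts + i} 198.51.100.7 {40000 + i} 203.0.113.{i} {port} out")
    # a legitimate workstation browsing a handful of sites
    for i, dst in enumerate(["198.51.100.200", "198.51.100.201", "198.51.100.202"]):
        lines.append(f"{ts + 100 + i} 192.0.2.25 {50000 + i} {dst} 80 out")
    # an outside host walking low ports on the router's WAN interface
    for i in range(25):
        lines.append(f"{ts + 200 + i} 203.0.113.9 {45000 + i} 198.51.100.7 {20 + i} in")
    # a single benign inbound connection to a published service
    lines.append(f"{ts + 300} 203.0.113.40 51000 198.51.100.7 443 in")
    return lines


if __name__ == "__main__":
    for indicator, src, count in analyze(build_sample_log()):
        print(f"{indicator:22s} {src:16s} {count}")
```

On the sample data the workstation and the single inbound connection stay below the thresholds, while the sweeping router and the low-port prober are reported. On real data, feed the script the router's WAN address as the source of interest; a consumer router that suddenly opens connections to dozens of unrelated addresses on 80/8080 is the strongest single sign.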
A thorough and professional computer security risk analysis would identify the security risks that result from using consumer grade equipment in your medical practice or healthcare organization.
If your medical practice or business is at risk, Eagle recommends the following short term and long term steps:
1) Short term – Until Linksys-Belkin releases a patch or new firmware, mitigate the risk by disabling remote administration (instructions here) and/or restricting access to the remote administration interface to specific IP addresses (and changing the port number of the administration interface to make it harder to find). Of these, disabling remote administration is the step that actually removes the exposure; an IP allow-list still leaves the interface listening on the WAN side, and changing the port only slows a scanner down. After changing the setting, reboot the router, since the vendor update below notes that a reboot removes the installed malware.
2) Longer term – Consider upgrading to commercial-grade equipment to avoid the risks associated with consumer-grade equipment. This is not to say that commercial-grade equipment is immune to exploits, but the attention to security and reliability is generally higher.
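Once the short-term step is applied, confirm it from outside the practice's network (for example from a phone hotspot) rather than trusting the router's own status page. The checker below is an added example, not code from Linksys, SANS or Eagle: it assumes a set of candidate administration ports (the real port depends on the model and on whether you changed it), connects to each on the WAN address, and reports the HTTP status line of anything that answers. A successful connect alone only proves something is listening, which is why it also sends a minimal request. A small local stand-in listener is included so the checker can be exercised without a real router.

```python
"""Check whether a router's remote-management interface answers from outside.

Added example (not vendor code). Usage: python check_wan_admin.py <wan_ip>
Run from a host OUTSIDE the network being checked.
"""
import socket
import sys
import threading

CANDIDATE_PORTS = (80, 8080, 443, 8443)   # assumption: common admin ports; add yours if changed


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_status_line(host, port, timeout=2.0):
    """Send a minimal GET and return the HTTP status line, or None if not HTTP."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = s.recv(256)
    except OSError:
        return None
    first = data.split(b"\r\n", 1)[0]
    return first.decode("ascii", "replace") if first.startswith(b"HTTP/") else None


def exposed_admin_ports(host, ports=CANDIDATE_PORTS, timeout=2.0):
    """Return [(port, status_line_or_None)] for every candidate port that accepts a connection."""
    return [(p, http_status_line(host, p, timeout)) for p in ports if port_open(host, p, timeout)]


def _local_stand_in_listener():
    """Throwaway listener on 127.0.0.1 that answers like a password-protected admin page.
    Constructed stand-in for a router so the checker can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                      # listener closed; thread exits
            try:
                with conn:
                    conn.recv(1024)
                    conn.sendall(b"HTTP/1.0 401 Unauthorized\r\n"
                                 b"WWW-Authenticate: Basic realm=\"router\"\r\n\r\n")
            except OSError:
                pass                        # client hung up early (port_open does this)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def self_check():
    """Exercise the checker against one listening and one closed local port.
    Returns the status lines seen; a correct run reports only the listening port."""
    srv = _local_stand_in_listener()
    open_port = srv.getsockname()[1]
    probe = socket.socket()                 # grab and release a port so it is known to be closed
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    result = exposed_admin_ports("127.0.0.1", (open_port, closed_port), timeout=1.0)
    srv.close()
    return [status for _, status in result]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("self-check:", self_check())
        sys.exit(0)
    found = exposed_admin_ports(sys.argv[1])
    if not found:
        print("no candidate admin port answers from here")
    for port, status in found:
        print(f"port {port} open: {status or 'non-HTTP or no response'}")
```

If any port still answers after remote administration was disabled, either the change did not take effect (reboot and re-check) or something else, such as a port forward to an internal device, is listening there and needs its own review.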
UPDATE FROM BELKIN [2/22/14]: “Linksys is aware of the malware called ‘The Moon’ that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled it can prevent further vulnerability to their network, by disabling it and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”