Bottom Line Up Front:
- VPNFilter malware has infected over 500,000 consumer-grade routers and network-attached storage devices with malware that can intercept your internet traffic, steal passwords, pass other malware onto your network, and connect your devices to massive botnets.
- Any business using a consumer-grade router should upgrade to a commercial-grade device.
- Consumer-grade routers used in homes should be reset and updated to the latest firmware or replaced if more than a few years old.
VPNFilter Malware Infection Bad and Growing
In late May, the FBI issued an unusual Public Service Announcement about a widespread malware attack called VPNFilter that “is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router.” They recommended “any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices.”
The detailed analysis published at the time by security researchers described VPNFilter as “an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system.” They estimated over 500,000 devices in 54 countries had already been infected. Devices from Linksys, MikroTik, NETGEAR and TP-Link were affected. The perpetrator of this attack is suspected to be the Russian-government sponsored hacking group “Fancy Bear,” the same group responsible for the 2016 election DNC and Clinton Campaign hacks.
Since that initial report, researchers have seen the malware affecting devices from many more manufacturers. The latest list includes devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE along with additional devices from Linksys, MikroTik, Netgear, and TP-Link. (Find the full list of devices here. Scroll down to the “Known Affected Devices” section toward the bottom of the post.)
At the same time the reports on VPNFilter were published, the FBI seized control of a key internet domain used to coordinate and spread the botnet. However, threat researchers say this attack is far from over.
What’s the Big Deal?
VPNFilter is particularly nasty because of the range of capabilities it gives an attacker. This malware can:
- Link infected devices together into a botnet for large-scale attacks on critical systems.
- Spy on users by collecting network and internet traffic running through the device, looking in particular for usernames and passwords.
- Push other malware onto network endpoints (e.g. PCs, smartphones, printers) through man-in-the-middle attacks on internet traffic. In other words, VPNFilter can help other malware get onto computers on the network.
- Destroy the infected routers individually or en masse, potentially “cutting off internet access for hundreds of thousands of victims worldwide.” [Source]
Consumer vs. Commercial-Grade Routers
Small office and home office routers, also known as consumer-grade routers, are the devices typically provided by internet service providers or purchased by average consumers and many small-business owners. Consumer-grade devices prioritize ease of use, offer additional features such as integrated Wi-Fi and parental controls, are often inexpensive, and offer only rudimentary security.
Contrast these with commercial-grade routers, also known as business-class routers. These devices prioritize security and threat protection (often including built-in commercial-grade firewalls), have more reliable components, are better suited to the demands of a multi-device business network, and receive much better patching and support from their manufacturers. Entry-level small-business routers are more expensive than “high-end” consumer-grade devices and generally require professional setup and configuration.
When conducting a HIPAA Security Risk Analysis, we regularly find that most of our smaller clients (and even some larger ones) use consumer-grade routers. We always recommend upgrading to a commercial-grade model, and this VPNFilter malware is a perfect example of why.
In our view, the protection provided by a commercial-grade router is absolutely worth the increased cost for any medical practice or organization handling health data. Whether you are using cloud-based systems or have a server on site, any medical practice or healthcare organization should have a commercial-grade router.
Do This Right Now
- If your business has a consumer-grade router, get rid of it and upgrade to a commercial-grade device.
- If you already use commercial-grade routers and other network gear, check that they are patched to the latest updates.
- For your home router: reset it to factory defaults, reboot, then ensure the device is updated with the latest patches. Check with your ISP or device manufacturer for support.
- If you regularly access PHI from home (e.g., catching up on charting from your kitchen table), consider whether a business-class router makes sense there as well.
(Image Credit: Cisco Talos Intelligence Blog)