What Your Financial Institution Needs to Know About VPNFilter Malware

On May 23^rd, the United States Computer Emergency Readiness Team (US-CERT) issued an alert about malware that has been discovered on over 500,000 Internet routers used in homes and small offices. The malware, named VPNFilter, is notable because the initial part of the malware is designed to be persistent and able to survive a reboot (and in some cases a factory reset) of the router.

The ultimate purpose of the malware is not known, but some aspects of VPNFilter should be of concern to financial institutions, as they can impact customers and remote employees. This week, the Friday 5 looks at five things financial institutions should know and do about the VPNFilter malware.

1. VPNFilter captures traffic: The VPNFilter malware has the ability to capture traffic going across the router. This includes traffic by customers using home banking sites, and traffic of remote employees using company VPNs, email systems, Intranet sites, etc. VPNFilter has only been observed stealing credentials from unencrypted websites so far, but the architecture of the malware allows the attackers to easily expand this capability to capture encrypted traffic. If Internet sites of the institution are properly encrypted, there is little risk of disclosure because this encryption is extremely difficult or impossible to decrypt. Institutions should always ensure that Internet-facing sites use the highest encryption levels possible.

2. Attackers can destroy routers: The VPNFilter malware can be remotely instructed by the attacker to destroy the router. One scenario of concern is that the attackers utilize this capability to destroy all infected devices at once, essentially leaving over 500,000 homes and offices without access to the Internet. This scenario could impact access by customers and remote employees of financial institutions. 

3. The FBI is involved: VPNFilter is made up of three phases of downloaded malware, with the first phase being an installer that reaches out to attacker websites to download the more harmful malware in later phases. Only the first phase malware survives a reboot. The FBI has taken over the domain currently used to download the second phase of software and has asked users to reboot their routers. This will remove the harmful parts of the malware and will help the FBI identify which routers have been infected so that they can work with ISPs to alert the users. Bedel Security recommends that financial institutions communicate this to their employees.

4. The full scope may not be known: While the malware has been found on only devices from certain vendors so far, it is not certain that these are the only impacted devices. The FBI has asked that home and small office users reboot ALL routers.

5. Going beyond a reboot: The VPNFilter malware is believed to have spread using known vulnerabilities and default credentials on the infected devices. Bedel Security recommends that owners of home or small office routers go to the manufacturer website and follow their instructions to do the following:

• Reset the router to factory defaults and reconfigure it from scratch.
• Change the default admin password of the router to something complex.
• Disable the ability to administer the router from the Internet.
• Upgrade the router to the latest firmware.

Bedel Security regularly analyzes new threats, focusing specifically on how they impact financial institutions.  To learn more about the services offered by Bedel Security email us at support@bedelsecurity.com!