The Anti-virus Times

Tuesday, May 18, 2021

"Update your software in a timely manner" is one of the most common recommendations that you can find in our issues. The operating systems, applications, and software of a variety of devices—from smartphones to network equipment—all these things require attention and regular control. In this issue, we will sort through why your security depends on keeping your software up to date.

Why should I install updates, new firmware and patches? For example, Windows is continuously being updated, and no visible changes are occurring in the operation system. I disabled automatic updating—everything works perfectly; only the constant notifications are annoying, but I can easily disable them, too. And, what about the router? It also works perfectly "out of the box". In addition, installing new firmware is not easy. "Perhaps I won’t bother," many users conclude.

Unfortunately, a significant number of users still espouse such an approach, especially when they need to be involved in the software updating process: for example, when installing new firmware on a home router. Another example—updates for smartphones and other mobile device software. The fear that a new OS version will turn an originally nimble machine into a "useless brick" is still very common. Ordinary users usually do not associate security with software updating. And that’s their loss because infrequent updating does not eliminate program errors and vulnerabilities.

That situation is a real gift for cybercriminals. Computer systems are attacked because software vulnerabilities can be found and exploited. A significant part of a malware program also exploits software flaws—for example, to cause an initial infection, affix itself in a system, obtain the necessary privileges, etc. Most often, taking advantage of vulnerabilities allows hackers to execute "arbitrary code". And don't let the word "arbitrary" confuse you; in this case, it means "any"—i.e., whatever code that attackers need. Thus, elevated privileges, together with the ability to execute arbitrary code, give a cybercriminal almost free rein. Unfortunately, blissful ignorance or leaving things to chance has led to the fact that users are massively susceptible to such attacks.

Here is one very telling example. Do you remember the much-talked-about WannaCry and its various derivatives? For a primary infection, this worm would take advantage of the SMB v1 vulnerability known as CVE-2017-0144. The error in the protocol was eliminated in 2017, in the corresponding update for Windows. So, three and a half years later, our virus researchers are still detecting incidents of computers getting infected via this unclosed vulnerability. Does this mean that the developers did not eliminate the problem? No, this means that users go for years without updating their software and without installing critical security updates (hotfixes).

Users can easily monitor the relevance of popular operating systems and applications—all it takes is enabling the automatic installation of updates. This single action will make a tangible contribution to the overall security of your system. But, unfortunately, it’s not just personal computers and smartphones that need to be controlled.

The real stumbling block for automatic updating is network equipment and, in particular, home routers. In previous issues, we already told you about the consequences of routers being attacked successfully. You need to understand that these devices are a very tempting morsel for hackers. The reason for their popularity is as follows:

1. In a typical home network, a router is the DNS server, and all the Internet traffic goes through it. In addition, it contains a cache to optimise queries. After hacking a router, cybercriminals can listen in on the traffic, including encrypted HTTPS traffic using MITM ("Man in the middle". In this case, the "middle" is the router). After gaining control over DNS, attackers can do whatever they want. One option is to redirect the user to a fake webpage. After entering their login and password, the victim will be redirected to a legitimate bank site and will not suspect the substitution, and the hacker will get the credentials.
2. A router is a home local network’s central link to which, in turn, other devices are connected—the smart and the not very smart: smartphones, TVs, home appliances, all sorts of gadgets and, of course, computers. Each of these devices is also potentially vulnerable. But, to "get" to them, an attacker first needs to gain access to your router. A smart device in your network can be accessed from the outside to carry out an attack if a port "redirection" is configured on it (by you or the device itself with the help of UPnP), but that’s a topic for another day.
3. A router is a great target for botnet operators. Unlike a PC, a network device typically works 24 hours a day, and its computing power is sufficient to be a botnet cell. At the same time, it's very difficult to combat bots because requests can go from hundreds of thousands of addresses. You can read more about botnets in this Anti-virus Times issue.

Why are routers vulnerable? Let's start with the fact that the control firmware of a device, like any other program, can contain errors. Both information security specialists and criminal groups are engaged in the search for such errors. For obvious reasons, popular models are at risk because exploiting one vulnerability will allow cybercriminals to infect a large number of devices. For this, they use so-called “reverse engineering”. Cybercriminals took a popular router, dropped the chip, removed the firmware dump or just downloaded it from the manufacturer's website, then disassembled and analysed the code, found a loophole in it, figured out how to use it—and, a vulnerability is ready. Next, this information is distributed, and your device with outdated firmware is on equal terms with others—it is an excellent target for a passing hacker.

Of course, hackers are looking not only for vulnerable routers with outdated firmware. They scan networks to search for available devices, among which are often incorrectly configured routers—either those available externally for direct connection (e.g., via protocols Telnet or SSH) or those that use other vulnerable services. The presence of a white IP address is an additional risk since such a device is available for direct connection from anywhere in the world, while routers with grey addresses are available only from the provider's local network.

Until now, we’ve been talking about an attack carried out on a router externally. But it is also possible (and much easier) to do so from a local network. A router can be compromised by a trojan—after infecting a computer, it will attempt to access a network device, for example, by cracking passwords. It is a rather effective method, considering that many routers are protected with a default password. In addition, even if they are protected with a custom password, most routers do not respond to brute force attempts. For example, Trojan.Rbrute is one such trojan.

The above-mentioned problems are widespread, including the fact that users go for years without updating their routers—there are a huge number of vulnerable and already compromised network devices all over the world. This begs the question: why did the manufacturers not deploy a mandatory automatic update system? There are several reasons for this.

First, an important channel can be organised via a router, and once underway, the installation of new firmware will lead to a communication breakdown. In some cases, it can be critical, so the process requires a human control.

Second, a sudden power loss during the updating process is likely to turn a device into a useless "brick". Do you often connect your router to an uninterruptible power supply?

Third, each piece of hardware has its own lifetime—a period during which the manufacturer releases updates for it. Manufacturers are not interested in old devices, but they can in fact work for years.

Finally, a notification system, which would simply check for available updates and prompt the user to install them, can be perceived by the latter as an unnecessary and disturbing function that needs to be disabled as soon as possible. Therefore, manufacturers often follow the path of least resistance.

It is worth noting that the most modern devices incorporate automatic update systems. However, the above-mentioned problems also fully apply to them.

So, what can we do? The answer is to show reasonable awareness and check for updates yourself, and install the latest firmware on your routers. The same applies to maintaining your numerous gadgets and smart devices. The Internet of Things is rapidly developing, and many manufacturers are trying as quickly as possible to win this or that segment of the market. The rush during the development process affects security. Therefore, do not ignore updates. If there is a "patch"—it means there was a "hole".