Work From Home Increases Risk Of Cyberattacks Via SOHO Routers

Have you heard? There is a growing trend towards structured hybrid work arrangements, where employees work both from home and in the office, indicating a decline in full-time in-office arrangements. Organizations in the US are increasingly offering flexibility to their employees, with 62% now providing work location flexibility, as opposed to only 38% preferring full-time office work. According to reports, flexible companies outperform their peers, posting 16% higher revenue growth.  

Work-from-home is clearly here to stay, and both sides of the employment relationship appear to benefit. 98% of workers want freedom to work from home. As of 2023, 12.7% of full-time employees work remotely, while 28.2% adopt a hybrid model. Estimates indicate that by 2025, 32.6 million Americans will work remotely - about 22% of the total workforce. 

From a security standpoint, work-from-home poses several distinct IT security risks. Employees who use BYOD (Bring Your Own Device), COPE (Corporate Owned, Personally Enabled), run a higher risk of infected devices gaining unauthorized access to corporate network resources, and a remote worker's local network may include vulnerable Small Office and Home Office (SOHO) devices, including routers and IoT devices.

In this article, we will review the details of a recent DDoS campaign from the Volt Typhoon botnet that leveraged vulnerable SOHO routers and the subsequent CISA advisory calling for more security features in SOHO routers. Compromised SOHO routers pose a significant risk to enterprise IT operations since they offer attackers a Adversary-in-the-Middle (AitM) position, which can lead to a host of attacks.

DDoS Attack Against US Critical Infrastructure Used SOHO Routers

SOHO routers were recently used in a spate of DDos attacks against US critical infrastructure that lead to emergency action by the FBI to "hack-back" and disable the botnet. The compromised routers were part of a botnet controlled by the Volt Typhoon hacking group, which used them to conduct distributed denial-of-service (DDoS) attacks. Malware installed on the routers encrypted the communication between the hackers and the compromised devices using a VPN module, obscuring the origin of the attacks.

The botnet, which consisted mainly of Cisco and Netgear devices that had reached their end of life, were infected with KV Botnet malware and used to attack US critical infrastructure. Exploitation was facilitated by vulnerabilities in the routers' firmware and the lack of security updates due to their end-of-life status. Before the takedown, FBI agents obtained authority from a federal judge for the seizure of infected routers and then conducted a takedown operation to disinfect hundreds of infected routers, preventing the hackers from accessing them, and removing the KV Botnet malware.

Who is Volt Typhoon?

Volt Typhoon is a hacking group associated with the People’s Republic of China (PRC) that has been active since at least 2021. The group is responsible for recent hacks that leveraged a botnet of SOHO routers used to launch DDoS attacks targeting US infrastructure.  Although this Volt Typhoon campaign was first identified in May 2023, the group broadened their operations in early 2024.

Volt Typhoon is known to employ "Living Off The Land" attack techniques in campaigns against critical infrastructure in Europe, North America, and the Asia Pacific, with a focus on compromising routers and network edge devices, particularly those manufactured by Cisco Systems. The Volt Typhoon is considered a high risk for disrupting IT infrastructure between the US and Asia during future crises, particularly related to tensions over Taiwan.

CISA Urges "Secure By Design" For SOHO Devices

In response to the increased risk, CISA has urged SOHO router and IoT device manufacturers to implement a Secure By Design approach to SOHO product design and delivery, shifting the burden of cybersecurity away from consumers and ensuring greater security is delivered out-of-the-box.  

CISA's advisory outlines several steps device manufacturers should take to increase default security including:

• Conduct security testing prior to product release: Device vendors should remove exploitable defects in web management interfaces (WMIs) during product design and development phases, rather than treating security as an afterthought that can be handled through crisis management

• Include automatic update capabilities: While most consumer operating systems (OS) have been modernized with automatic updates, many SOHO and IoT devices have not.  This feature is critical to ensure that all devices receive security updates if and when security researchers uncover new vulnerabilities

• Allow login to management tools only on the LAN interface: configuring the web management interface (WMI) of the SOHO router to be accessible only through ports on the local area network (LAN) side of the router. This ensures that access to the management interface is restricted to devices within the local network, enhancing security by minimizing exposure to external threats

• Require manual interaction to adjust security settings: Security settings should be protected to prevent easy or automatic removal, requiring deliberate human intervention such as having a physical button on the device that must be physically pressed before an administrator can login to a device's WMI

Conclusion

There is an increasing risk of cyber attacks via Small Office/Home Office (SOHO) routers, particularly with the increasing trend towards remote work. Recent DDoS attacks on US critical infrastructure orchestrated by the Volt Typhoon hacking group, exploited vulnerabilities in end-of-life routers. 

The FBI's intervention to remove malware from infected devices underscores the severity of the threat. Furthermore, CISA's advisories stress the importance of secure product design in mitigating such risks. To bolster home network security, proactive measures like changing default passwords and conducting vulnerability scans are recommended. Ultimately, the evolving landscape of remote work necessitates heightened vigilance and proactive security measures to safeguard against emerging cyber threats.

Ready to learn more about emerging threats in the cyber landscape? Sign up for our newsletter (or reach out to our team directly today.)