Volt Typhoon News, Warnings, and Advice

There have been many news stories and warnings from the FBI and DHS regarding the Chinese state-sponsored cyber group known as Volt Typhoon. The group is reported to be establishing a persistent footprint in U.S. technology, with the aim of destabilizing the country’s infrastructure in the event that conflict breaks out in Taiwan.

One of the methods used by this group is the compromise of consumer-grade networking equipment. Such equipment is primarily used in homes and has now become part of the “attack surface” of remote workers and their organizations. The vulnerable products are older, end-of-life devices from the manufacturers Netgear and Cisco; Zyxel home cable modems have also recently been compromised. Once compromised, these devices are used as a command-and-control network and to launch denial-of-service attacks that flood critical services with more traffic than they can handle, causing them to fail.

Here are some tips for securing the home network that you use to access the organization for remote work; they will enhance the security of our organization as well.

  1. Inquire with your ISP about their patching process for the products they supply, including cable modems and DSL routers.
  2. Ensure that these devices are NOT open to the Internet for administrative login. To check this, connect to the device and log in as administrator; the admin password should be printed on a sticker on the back of the device. On most routers this is a setting labelled something to the effect of “Allow Remote Access”. Uncheck the box and save your settings. If in doubt, search for your brand of router together with the phrase “disable remote access.”
  3. Use a unique passphrase to connect devices to your home WiFi. A good passphrase contains lower- and uppercase letters, numbers, and symbols, and is 16 characters or more. Example: Burritos&SalsaKeeps24PeopleFed
  4. Change the password for the administrative login and store it in a safe place.
  5. Review your own commodity products and replace any that are end of life, as they can no longer receive security updates.
  6. Check regularly for updated software (patches) for your home router. Log in to the router as the administrator and look for a button labelled “check for updates”. Do this at least monthly.
  7. If your devices are NOT end of life, use a search engine to find the manufacturer’s update process, acquire any available updates from the manufacturer and apply them. This will entail connecting to the device over a wired (not wireless) connection using a browser, with the IP address of the device as the URL.
  8. Turn off Universal Plug and Play (UPnP). UPnP offers some conveniences, such as connecting your wireless TV to the WiFi without any manual configuration; however, it exposes the home network, and every device using that network, to significant risk. Go into your router’s settings and look for an option to disable UPnP.
  9. Turn off WiFi Protected Setup (WPS). WPS simplifies connecting to your WiFi without entering a password; however, it exposes your network to significant risk. WPS can be disabled after logging in to the router as an administrator.
  10. Change the network name (SSID – Service Set Identifier). The SSID is the network name you select when connecting a device to your WiFi. Most SSIDs default to the make/type of router you have, which may allow an attacker to look up vulnerabilities known for that device and use them against it.
  11. Ensure network encryption is set to WPA3. If WPA3 is not available, you may use WPA2. Any other encryption is easy for an attacker to break, and the recovered information can be used to attack your router.
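As an added example (not part of the original advisory), here is a small Python script that verifies item 8 from inside the home network: it sends a standard UPnP discovery request (SSDP M-SEARCH) and reports every device that still answers, flagging a router that advertises the Internet Gateway Device service. Run it from a computer on the home WiFi; the embedded sample reply is constructed for illustration, and the router name and address in it are placeholders.

```python
import socket
# Well-known SSDP multicast group/port used for UPnP discovery.
SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

# Constructed sample reply from a router with UPnP still enabled (not a real capture).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                   b"SERVER: Linux UPnP/1.0 ExampleRouter/1.0\r\n"
                   b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")

def parse_ssdp_response(raw: bytes) -> dict:
    # One SSDP (HTTP-over-UDP) reply -> {lowercase header: value}; non-200 -> {}.
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_igd(headers: dict) -> bool:
    # Internet Gateway Device = a router whose UPnP service accepts LAN port-mapping requests.
    ident = headers.get("st", "") + " " + headers.get("usn", "")
    return "InternetGatewayDevice" in ident or "WANIPConnection" in ident

def discover(timeout: float = 3.0) -> list:
    # Multicast one M-SEARCH and collect every responder heard within the window.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH.encode(), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (addr, _) = sock.recvfrom(65507)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                hdrs["_addr"] = addr  # who answered
                found.append(hdrs)
    except OSError:
        pass  # timeout (nothing on the LAN answered) or no usable network
    finally:
        sock.close()
    return found

if __name__ == "__main__":  # run from a machine on the home network
    for d in discover():
        print(d["_addr"], "ROUTER (IGD)" if is_igd(d) else "device", d.get("server", "?"))
```

An empty result after disabling UPnP is the expected outcome; a router still listed as ROUTER (IGD) means the setting did not take effect.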

Taking these steps will help to ensure the continuity of our own services and operations, and limit the ability of these threat actors to use our own technology against us.