SOHO Attacks: Why Home Offices Need to be Part of Your Organization’s Security Strategy

What is ZuoRAT and how does it work?

Remote Access Trojans (RATs) have existed since the 1990s. They are malicious software designed to give an attacker remote control of an infected device while remaining undetected. What makes the newly discovered ZuoRAT unusual is that it appears to be a highly organized, potentially state-sponsored campaign that specifically targets remote workers and their insecure home networks, which have exploded in number since the pandemic.

Once it gains access to a router, ZuoRAT can deploy additional malware to collect device, network, and personal information, hijack communications within that Local Area Network (LAN), download and upload files, and spread to other devices on the network. ZuoRAT is especially difficult to detect because it uses its LAN access to route traffic through other compromised routers as proxies, so its command-and-control activity blends in with ordinary traffic.

What makes SOHO routers vulnerable?

What makes Small Office/Home Office (SOHO) routers vulnerable is that they are usually not maintained or monitored by professional network administrators. The average person installs a router and never touches the device or its network settings again, not realizing that they can and should take additional steps to make their network more secure. They also may not realize that malware on their home network can reach their organization and any other network they connect to.

How can you protect yourself, your organization, and your router at home?

If you are employing a partial or full remote workforce, it is important that SOHO protection is a part of your security strategy, especially with new highly sophisticated and malicious threats like ZuoRAT. Here are a few ways you and your remote workforce can protect your SOHO routers and organization:

  • Using a router from your Internet Service Provider (ISP) may be the easiest way to help ensure your router's integrity. ISPs generally update firmware regularly and replace routers as needed. Even if you are using a router from your ISP, contact them to confirm that you have a current, still-supported model and that firmware updates are applied automatically.
  • If you are using your own router:
    • Register your device with the manufacturer, so that you receive any important updates related to your router and its security.
    • Replace your device when the manufacturer stops shipping security updates for it (typically every 3-4 years), so that you always run supported firmware.
    • If your router is fairly new, log in to confirm that it updates its firmware automatically and that the installed version is current. Modern routers display the installed firmware version and the date of the last update, which you can cross-check against the manufacturer's website.
  • Whether you are using a router from your ISP or using your own, we recommend taking the following steps:
    • As soon as you acquire any new router, change the administrator username and password from the defaults printed on the device or in its documentation. Default credentials are published and well known to attackers.
    • Use long, unique passwords for both your WiFi network and the router's administrator account, including letters, numbers, and symbols where possible, and change them whenever you suspect a compromise.
    • Set up a guest network for visitors and disable it when not needed. Guests will be able to use the internet but will not be able to reach shared files or other devices on your main network.
    • Disable your wireless network while you are not home; if you cannot do that easily on a regular basis, at least turn it off when you are away for an extended period. An attacker cannot reach a device that is offline.
    • Turn on WiFi encryption (WPA2 or, if your devices support it, WPA3), which encrypts traffic between your router and your connected devices. Without it, anyone within radio range can read your wireless traffic.
    • As part of a routine check, ensure the firewall on your router is enabled.
    • Disable remote administration (management from the internet side of the router). It lets you manage your network while you are away from home, which means an attacker can try to do the same.

How do I know if my SOHO network may be compromised?

There are some obvious signs that your devices have been compromised, such as files locked by ransomware with a ransom message or bogus antivirus pop-ups. Others are more subtle, such as slow internet speeds or programs crashing unexpectedly. Others are harder still to spot and require some investigation, such as reviewing your router's management page to see whether unknown devices are connected to your network, confirming that your router's DNS settings still point where you expect, and looking through installed software for anything new that you do not recognize.

The easiest way to check for one common symptom, hijacked DNS settings, is the free Router Checker tool provided by cyber security company F-Secure.

What should I do if my SOHO network may be compromised?

Rebooting your router clears memory-resident RATs, including ZuoRAT, but it is best to do a factory reset if you have cause for concern. A reboot or reset does not fix the weakness that let the attacker in, so afterwards update the firmware and set up the router again using the best practices outlined in this article. If you have an IT team, alert them immediately so they can check whether anything on the corporate side was affected.

Questions about whether your employees are taking the right precautions at home? Contact us to discuss.