The FBI has warned that outdated routers are being hijacked by cybercriminals to hide illegal activity and build massive, untraceable proxy networks.

The FBI has recently issued a security alert which is of interest to anyone who logs onto the internet on a daily basis. The alert centers upon outdated internet routers which are being targeted by cybercriminals. The routers at the heart of this attack all have one thing in common: they’re no longer supported by their manufacturers. These vulnerable devices are therefore perfect for attackers to exploit and turn into tools for cybercrime. As the threat actors are combining these compromised routers into huge proxy networks, identifying the perpetrators behind the attack is fiendishly difficult.

How Have the Routers Become Compromised?

The attack relies on a strain of malware called “TheMoon,” which is used to infect end-of-life (EoL) routers. An EoL device is one which no longer receives any firmware or security updates from its developer, typically as the device is of a certain age and has been superseded by more modern devices. This EoL status makes these devices a major security risk as there’s no protection against newly discovered vulnerabilities. Once compromised, these routers become part of a network of proxies used by the attackers to shield their identities when committing crimes online.

Routers at risk of this attack include EoL routers from popular brands such as Linksys, Cisco, and Cradlepoint. Once the attacker gains access to the router, they have all the time in the world to install the malware, which connects the router to a command-and-control server. The router can then be used to recruit other compromised devices and re-route malicious internet traffic. In particular, these proxies have been observed to be involved in cryptocurrency theft, Malware-as-a-Service activities and general data theft. And, due to the stealthy nature of the attack, the victim will have no idea what’s taking place.

The infected routers are also being sold as part of proxy-for-hire services like 5Socks and Online Proxy. These are underground networks where hackers can purchase access to compromised routers, allowing them to disguise their malicious tracks by appearing to connect from genuine and trusted IP addresses. This approach helps protect the attackers’ true location from any law enforcement investigations and, instead, appears to incriminate innocent homes and businesses.

The FBI has also revealed that some of the compromised routers appear to have been used by Chinese state-sponsored hackers to attack major US infrastructure, indicating a professional operation designed to create maximum damage.

How Do You Keep Your Router Safe?

This latest attack may be stealthy, but there are often telltale signs that your router has been compromised. Slower internet speeds, for example, are a common side-effect, caused by the lack of resources available for genuine tasks. The increased activity can also lead to overheating, and further warning signs include the appearance of new administrator accounts and unusual internet traffic patterns.

In order to maintain the security of your router, make sure you follow these steps:

  1. Upgrade Your Hardware: If your router is no longer supported by the manufacturer with security updates, you have no alternative but to replace it. This is the single most effective way to block attacks of this nature and failing to do so will instantly increase the chances of your defenses being breached.
  2. Change Default Passwords: Routers are well known for being shipped with default passwords, which represents a major security risk. Accordingly, it’s vital that you always change default usernames and passwords before any routers are made active on your network.
  3. Monitor Your Network: Install firewalls, intrusion detection systems, and network monitoring tools to record and identify any abnormal traffic patterns or device behavior. The earlier these are detected, the quicker you can limit the impact of the breach.

For more ways to secure and optimize your business technology, contact your local IT professionals.



Strong passwords are vital to cybersecurity. A recent botnet attack highlights the serious risks of relying on default passwords instead of secure alternatives.

The Mirai malware, first detected in 2016, has been behind numerous botnet attacks in the past and has been very busy recently. A botnet attack gives a threat actor control over a large number of compromised PCs, allowing the threat actor to combine these infected PCs into a formidable strike force. These attacks often involve data theft, cryptojacking, brute force attacks, and phishing campaigns.

This latest attack was enabled by the presence of default passwords on routers manufactured by Juniper Networks. Default passwords are used on many devices, so it’s important to understand the mechanics behind this attack.

Mirai Starts Infecting Routers

The exploitation of Juniper routers began in mid-December. Customers accessing the internet with Juniper Session Smart routers began to notice unusual behavior with them. The Mirai malware was seen to be scanning specifically for these routers. Once this model of router was found, Mirai proceeded to compromise the router before utilizing it in a distributed-denial-of-service (DDoS) attack.

But what was unique about the Session Smart router? Why was Mirai singling this router out? Well, the answer proved to be simple: it was a router known to ship with a default password. Therefore, a threat actor could easily take control of the router if its password hadn’t been changed. Scan enough Session Smart routers and, eventually, one will be found with the default password still in place.

The main impact of a DDoS attack is a slowdown in PC performance, as all the PC’s resources are being directed into the attack. For a business, this is troubling as the majority of their PCs are likely to be dependent on similar routers. This means that this slowdown in productivity could have a major impact on a business’ performance.

Don’t Fall Victim to Default Passwords

Users of Session Smart routers have been advised to change their password from the default version to a unique and strong one. This is the best advice you can give when it comes to default passwords. Leaving them in place is simply inviting threat actors into your networks. However, there are further measures you can take to secure your devices:

  • Educate Users About Risks: Train your employees to understand the dangers of default passwords. Make sure they understand what is and isn’t a secure password, helping to build a culture of cybersecurity awareness.
  • Use Multifactor Authentication: The beauty of multifactor authentication is that it adds an extra layer of security to your defenses. Therefore, even if one of your passwords is compromised, additional authentication is required to access your devices and networks.
  • Monitor for Default Password Usage: It’s difficult to monitor every device and verify the status of its password, but you can get help with this. Many security tools – such as Kaspersky Industrial CyberSecurity for Networks – can scan devices connected to a network and determine if a default password is being used.



A new strain of malware, dubbed Cuttlefish, which attempts to hijack your router has been discovered, and it poses a major threat to your data.

The experts at Black Lotus Labs recently discovered a number of routers had been compromised by a previously unseen malware. The security researchers named the malware Cuttlefish, and found it had compromised numerous enterprise-level and small office/home routers. The threat actors are not currently known, but the main impact of Cuttlefish is that it stealthily steals data once it has a foothold. Data breaches, of course, represent a major incident for businesses, so it’s crucial you keep your routers safe.

Decoding the Danger Behind Cuttlefish

The exact attack method behind Cuttlefish is unknown, but it’s been revealed there are similarities between its source code and that of the HiatusRAT malware. Black Lotus Labs believe Cuttlefish may launch its attack either through a zero-day vulnerability or by using good old-fashioned brute force hacking methods.

Whatever the nature of its attack, which was first executed in July 2023, Cuttlefish hands control of the compromised router over to a set of threat actors. This is achieved by instructing an infected router to execute a Bash script – a text file containing a set of commands – which sends data to a remote Command & Control (C2) server. The first action taken by the C2 server is to send back the Cuttlefish malware, which is then installed on the compromised router.

From here, Cuttlefish can monitor all traffic passing through the router and any devices connected to it. Cleverly, Cuttlefish is designed to establish a VPN tunnel, which is then used to extract sensitive data, such as login credentials, from the router’s traffic. These attack methods mark Cuttlefish out as a highly stealthy and dangerous strain of malware, one with the ability to expose and misuse confidential data.

Fighting Back Against the Threat of Cuttlefish

As very little is known about the mechanics behind Cuttlefish, it’s difficult to pinpoint a single solution. For now, all the attacks have been focused on routers based in Turkey. But this can quickly change if the threat actors behind Cuttlefish decide to start targeting global victims.

While there isn’t, for example, a simple security patch to install, you can still protect your organization’s routers by following these best security practices:

  • Always Install Updates: routers, like all hardware, rely on firmware updates and patches to maintain their security and maximize performance. But not everyone prioritizes installing these updates, and this approach can put your router at risk of being exploited through a vulnerability. Therefore, where possible, automate updates for your routers (and all devices) or manually install updates as soon as possible.
  • Regularly Change Your Router Credentials: it’s vital you regularly change the password associated with your router. Otherwise, you run the risk of allowing external threats to essentially live on your router. And as well as regularly changing your password, it’s important that you generate strong and unique passwords every time.
  • Monitor Network Traffic: unusual activity on your network, such as high-volume traffic to unknown destinations, should always be scrutinized. Accordingly, you need to implement specialized software and hardware tools to analyze your network traffic and raise alerts when abnormal traffic patterns are detected. This will maintain both the integrity and security of your network.
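The monitoring advice in both the FBI-alert post above (a router relaying strangers’ traffic as part of a proxy network) and this Cuttlefish post (high-volume traffic to unknown destinations) can be turned into a simple check over exported flow records. This is an added illustration, not code from the article or from any vendor tool; the router address, LAN prefix, allow-list of expected destinations and the flow records are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): the router's LAN address, the LAN
# prefix, and a small constructed allow-list of expected external services.
ROUTER_IP = ip_address("192.168.1.1")
LAN = ip_network("192.168.1.0/24")
EXPECTED_DESTINATIONS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}

# Constructed flow records: (direction, src, dst, dst_port, bytes_sent).
# 'in' means the flow arrived on the WAN side; 'out' means it left via the WAN.
SAMPLE_FLOWS = [
    ("out", "192.168.1.20", "203.0.113.10", 443, 120_000),  # normal client traffic
    ("out", "192.168.1.21", "203.0.113.11", 443, 80_000),
    ("in",  "198.51.100.7", "192.168.1.1", 1080, 4_000),    # unsolicited WAN hit on the router
    ("in",  "198.51.100.9", "192.168.1.1", 1080, 3_500),
    ("out", "192.168.1.1", "192.0.2.55", 443, 30_000),      # router itself reaching out
    ("out", "192.168.1.1", "192.0.2.56", 443, 28_000),
    ("out", "192.168.1.1", "192.0.2.57", 80, 25_000),
    ("out", "192.168.1.1", "192.0.2.58", 443, 27_000),
    ("out", "192.168.1.22", "192.0.2.99", 443, 9_000_000),  # large upload to an unknown host
]

def analyse_flows(flows, relay_threshold=3, volume_threshold=5_000_000):
    """Return findings keyed by signal name; each value is a sorted list of addresses."""
    inbound_to_router = set()
    router_destinations = set()
    bytes_to_unknown = defaultdict(int)
    for direction, src, dst, dport, nbytes in flows:
        src, dst = ip_address(src), ip_address(dst)
        if direction == "in" and dst == ROUTER_IP:
            inbound_to_router.add(src)          # outsiders connecting to the router
        elif direction == "out" and src == ROUTER_IP and dst not in LAN:
            router_destinations.add(dst)        # router-originated, not a LAN client
        elif direction == "out" and dst not in EXPECTED_DESTINATIONS:
            bytes_to_unknown[dst] += nbytes     # client traffic to unexpected hosts
    findings = {}
    # Proxy-for-hire pattern: strangers connect in, the router itself fans out.
    if inbound_to_router and len(router_destinations) >= relay_threshold:
        findings["proxy_relay"] = sorted(str(ip) for ip in router_destinations)
    # Exfiltration pattern: high-volume outbound traffic to hosts nobody expected.
    heavy = [str(ip) for ip, n in bytes_to_unknown.items() if n >= volume_threshold]
    if heavy:
        findings["bulk_to_unknown"] = sorted(heavy)
    return findings

if __name__ == "__main__":
    for signal, hosts in analyse_flows(SAMPLE_FLOWS).items():
        print(f"{signal}: {', '.join(hosts)}")
```

The thresholds are deliberately low so the constructed data trips both signals; on a real export, tune them against a baseline of normal traffic before alerting on them.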
