Cybercriminal Services Target End-of-Life Routers, FBI Warns

The Federal Bureau of Investigation (FBI) has issued a FLASH alert warning about the rise of malicious services targeting end-of-life (EOL) routers. These attackers are using vulnerable devices to deploy malware and turn them into proxies sold on dark web marketplaces like 5Socks and Anyproxy.

End-of-life routers, which no longer receive security updates from their manufacturers, have become a lucrative target for cybercriminals. By exploiting known vulnerabilities in these devices, threat actors can gain unauthorized access to the router, allowing them to deploy malware and turn it into a proxy server. This allows attackers to establish botnets used in coordinated attacks or sell compromised routers on the dark web.

"The threat actors use the device's known vulnerabilities to upload the malware, which ultimately allows the threat actor to gain root access to the device and make configuration changes," reads the FBI alert. "Chinese cyber actors are also among those who have taken advantage of known vulnerabilities in end-of-life routers and other edge devices to establish botnets used to conceal hacking into US critical infrastructures."

Infected routers are enrolled into these botnets, which are used in coordinated attacks or sold as proxies on the dark web. Once installed, the malware gives the threat actors persistent access: the device checks in every 60 seconds to five minutes so the operators retain control and keep it available for their customers.

The malware spreads through internet-connected devices with remote access enabled, and attackers can gain shell access even with password protection. The malware uses a two-way handshake with a C2 server for regular check-ins and opens ports on the router to enable its use as a proxy server.

What Can You Do to Protect Yourself?

The FBI recommends that users take immediate action to protect themselves from this threat. Here are some steps you can take:

  • Identify whether any end-of-life devices vulnerable to compromise are part of your networking infrastructure, and replace them with newer models that are still covered by their vendor's support plan.
  • Disable remote administration on your router and reboot the device to prevent infection.
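As an added example (not part of the FBI alert or this article), the script below turns the check-in cadence described above into a simple detection: it reads constructed firewall log lines and flags any internal host that contacts one external address every 60 seconds to five minutes with very little jitter. The log format, field names and IP addresses are assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log (not real data): 192.0.2.1 plays the router talking
# to a stand-in C2 address about every two minutes; 192.0.2.50 is an ordinary
# client with irregular timing and should not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=192.0.2.1 dst=203.0.113.7 dport=443
2024-05-01T10:00:05 src=192.0.2.50 dst=198.51.100.20 dport=443
2024-05-01T10:02:01 src=192.0.2.1 dst=203.0.113.7 dport=443
2024-05-01T10:03:40 src=192.0.2.50 dst=198.51.100.20 dport=443
2024-05-01T10:03:59 src=192.0.2.1 dst=203.0.113.7 dport=443
2024-05-01T10:06:00 src=192.0.2.1 dst=203.0.113.7 dport=443
2024-05-01T10:08:02 src=192.0.2.1 dst=203.0.113.7 dport=443
2024-05-01T10:45:00 src=192.0.2.50 dst=198.51.100.20 dport=443
"""

MIN_INTERVAL, MAX_INTERVAL = 60, 300  # check-in window quoted from the alert
MIN_EVENTS = 4                        # need several gaps before calling it a beacon
MAX_JITTER = 0.2                      # pstdev/median; automated check-ins are regular


def parse(log: str):
    """Yield (timestamp, src, dst, dport) from 'ts key=value ...' lines (assumed format)."""
    for line in log.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])


def find_beacons(log: str):
    """Return {(src, dst, dport): median_gap_seconds} for flows that look like check-ins."""
    times = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        times[(src, dst, dport)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Regular cadence inside the 60 s to 5 min window is the signal we want.
        if MIN_INTERVAL <= med <= MAX_INTERVAL and pstdev(gaps) / med <= MAX_JITTER:
            hits[key] = med
    return hits


if __name__ == "__main__":
    for (src, dst, dport), med in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{med:.0f}s")
```

On the sample, only the router-to-C2 flow is reported (median gap 121 s); real deployments should also exclude known-good periodic traffic such as NTP or monitoring agents before alerting.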

The FBI has published indicators of compromise (IoCs) associated with attacks targeting end-of-life routers, as well as mitigations. By taking these steps, you can help protect yourself from this growing threat.
