FBI Sounds Alarm on Rogue Cybercrime Services Targeting Obsolete Routers

The Federal Bureau of Investigation (FBI) has issued a warning about criminal proxy services built on obsolete routers. According to the FBI's report, threat actors are exploiting known vulnerabilities in end-of-life (EOL) routers, which no longer receive security updates or patches, to take over the devices.

Edge devices have become prime targets for cyber threat actors, particularly routers that are no longer supported by their vendor. The FBI ties this activity to a malicious network associated with two well-known proxy services, Anyproxy and 5Socks. The domains of both services have been seized by law enforcement as part of the FBI's effort to disrupt the operation.

The FBI report describes the tactics, techniques, and procedures (TTPs) the threat actors used against these routers. A key method was abuse of the remote management (remote administration) software pre-installed on the devices, which allowed the actors to bypass authentication protections and gain shell access to the routers.

Once they had access, the cybercriminals installed malware and enrolled the compromised routers in a botnet, which they could direct to launch coordinated attacks or rent out as proxy infrastructure. The malware communicated with a command-and-control (C2) server through a two-way handshake between the server and the routers.

The C2 server checked in with the routers on a regular schedule and opened ports on them so they could be offered to customers as proxy servers. Those proxies, sold through the Anyproxy and 5Socks networks, let other cybercriminals route their traffic through a victim's router so that illicit activity appears to originate from that home or business IP address rather than from the attacker.

While the FBI did not attribute the activity at this time, the advisory noted that Chinese cyber actors are also among those who have exploited known vulnerabilities in end-of-life routers and other edge devices to build botnets used to obscure intrusions into US critical infrastructure.

Risk to End-User Devices

Because the malware lives on the router itself, an end user has little way to tell whether the device is compromised: antivirus tools run on laptops and phones, not on the router's firmware, and consumer routers offer no easy way to inspect what is running on them. This is why the FBI's advice centres on upgrading to a supported model or, at minimum, disabling remote administration and rebooting the router.
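Since the router cannot be scanned from the inside, one of the few checks a user or responder can run is from the LAN side: ask the gateway whether it is now answering as a SOCKS5 proxy, which is the kind of listener the C2 opened on compromised devices. The script below is an added example, not code from the FBI FLASH or this article. The GATEWAY address and CANDIDATE_PORTS are assumptions for illustration (real indicators should come from the FLASH report's IOCs), and the fake listener is a constructed stand-in for a compromised router so the probe can be exercised offline.

```python
"""Probe a router for an open SOCKS5 listener from the LAN side.

Added example, not code from the FBI FLASH or this article. GATEWAY and
CANDIDATE_PORTS are assumptions for illustration; take real indicators
from the FLASH report's IOCs.
"""
import socket
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00        # method 0x00: no authentication (RFC 1928)
USER_PASS = 0x02      # method 0x02: username/password (RFC 1929)
NO_ACCEPTABLE = 0xFF  # server declines every offered method

GATEWAY = "192.168.1.1"                     # assumed LAN address of the router
CANDIDATE_PORTS = (1080, 1081, 8080, 9050)  # assumed common SOCKS listener ports


def probe_socks5(host, port, timeout=2.0):
    """Send a SOCKS5 method-selection greeting and classify the reply.

    "open-proxy"    accepted no-auth: anyone on the internet can relay through it
    "auth-required" insisted on username/password (a proxy, but not an open one)
    "refused"       SOCKS5 listener that declined every offered method
    "silent"        connected, but nothing came back before the timeout
    "not-socks5"    something answered, but not with a SOCKS5 reply
    "closed"        nothing listening (connection refused or reset)
    """
    greeting = bytes([SOCKS_VERSION, 2, NO_AUTH, USER_PASS])  # VER, NMETHODS, METHODS
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(greeting)
            try:
                reply = sock.recv(2)
            except socket.timeout:
                return "silent"
    except OSError:
        return "closed"
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        return "not-socks5"
    return {NO_AUTH: "open-proxy", USER_PASS: "auth-required",
            NO_ACCEPTABLE: "refused"}.get(reply[1], "not-socks5")


def sweep(host, ports=CANDIDATE_PORTS, timeout=2.0):
    """Probe every port and return only those with a listener."""
    results = {}
    for port in ports:
        verdict = probe_socks5(host, port, timeout)
        if verdict != "closed":
            results[port] = verdict
    return results


def unused_port():
    """Pick a loopback port with no listener (exercises the 'closed' path)."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def start_fake_socks5(method_reply):
    """Constructed stand-in for a compromised router: a loopback listener that
    answers every SOCKS5 greeting with `method_reply`. Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                 # lets the loop notice stop() promptly
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.settimeout(1.0)
                    header = conn.recv(2)            # VER, NMETHODS
                    if len(header) == 2 and header[0] == SOCKS_VERSION:
                        conn.recv(header[1])         # drain METHODS
                        conn.sendall(bytes([SOCKS_VERSION, method_reply]))
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    for port, verdict in sweep(GATEWAY).items():
        print(f"{GATEWAY}:{port} -> {verdict}")
```

Run it from a machine on the LAN against your own gateway only. An "open-proxy" verdict on the router is a strong sign it is relaying traffic for strangers and should be taken offline; a clean sweep is not proof of health, because the malware may listen elsewhere, so drive the port list from the FLASH IOCs rather than the assumed defaults.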

FBI Recommendations

The FBI advisory recommends replacing any router vulnerable to known flaws with a newer, supported model. Where that is not immediately possible, it recommends disabling remote administration (the management interface reachable from the internet) and rebooting the device. A reboot evicts malware that runs only in memory, but it does not close the underlying vulnerability, so the router remains exposed to reinfection until remote administration is turned off or the device is replaced.

Addressing End-of-Life Notices

A coalition of major tech vendors, including Cisco, Microsoft, and IBM, has published a new update to OpenEoX, a framework developed under the OASIS Open consortium to standardize how companies announce when their products will stop receiving security patches or support. The draft standard aims to fix the problem of end-of-life notices being scattered, inconsistently worded, and hard to track, which is part of why unsupported routers stay in service long after their last patch.

Importance of Cybersecurity Awareness

The FBI's report underlines the importance of cybersecurity awareness for individuals and organizations alike. It is a reminder that even a device as unremarkable as a home router becomes a target once it stops receiving updates. Staying informed about vendor end-of-life dates and acting on them reduces the risk of falling victim to this kind of attack.

References

The FBI has released a FLASH report sharing indicators of compromise (IOCs) and TTPs associated with the Anyproxy and 5Socks proxy services. The report is linked from the FBI's post, "Cybercriminal Network Associated with Anyproxy and 5Socks":

https://t.co/E82fTtXnRo