FBI Issues Warning Regarding Malicious Services Aiming at Outdated Router Systems


Edge devices, particularly routers that no longer receive security updates, have become prime targets for cyber threat actors. Recently, reports from law enforcement have indicated that known vulnerabilities in these so-called end-of-life (EOL) routers are being exploited by threat actors.

The FBI has issued findings detailing how cybercriminals are exploiting vulnerabilities in obsolete routers in a campaign tied to the well-known proxy services Anyproxy and 5Socks. Criminals use these proxy services to obscure the origin of their online activity. Notably, law enforcement has seized the domains associated with both services.

The FBI’s advisory also provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) connected to these proxy services, highlighting serious security concerns.

Cybercriminal Networks Targeting EOL Routers

Investigation results reveal that a threat actor successfully exploited routers that were no longer supported by their manufacturers, suggesting the presence of unpatched software vulnerabilities. Although the FBI did not disclose the manufacturers, implicated models may include those from Cisco’s Linksys and Ericsson’s Cradlepoint.

The primary method of exploitation involved pre-installed remote management software (RMM) on the affected devices, which allowed attackers to bypass authentication and gain shell access. Once inside, the attackers installed malware that enrolled the routers into a botnet. That botnet could then be used to launch coordinated attacks or be rented to other cybercriminals seeking to use the routers as proxy servers.

The malware establishes a connection between the infected routers and a command-and-control (C2) server operated by the threat actor, over which the devices check in at regular intervals. This architecture lets the cybercriminals control the compromised routers and use them for illicit activity while evading detection.
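The regular check-ins described above are the one observable a network defender can work with even when the router itself cannot be inspected. The following is an added example (not from the FBI advisory) that scans constructed firewall-style log lines for outbound flows from a router whose inter-connection intervals are nearly constant, the signature of a scheduled beacon. The log format, the IP addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Flag beacon-like periodic outbound connections from an edge device.

Added example. The log format below is constructed for illustration; real
firewall or NetFlow exports will need their own parser in place of parse_log().
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>".
# 198.51.100.7:443 is contacted every ~5 minutes; 203.0.113.9:80 is irregular.
SAMPLE_LOG = """\
2024-05-01T00:00:00 192.0.2.1 -> 198.51.100.7:443
2024-05-01T00:00:31 192.0.2.1 -> 203.0.113.9:80
2024-05-01T00:05:02 192.0.2.1 -> 198.51.100.7:443
2024-05-01T00:10:01 192.0.2.1 -> 198.51.100.7:443
2024-05-01T00:12:44 192.0.2.1 -> 203.0.113.9:80
2024-05-01T00:15:03 192.0.2.1 -> 198.51.100.7:443
2024-05-01T00:20:00 192.0.2.1 -> 198.51.100.7:443
2024-05-01T00:25:01 192.0.2.1 -> 198.51.100.7:443
2024-05-01T00:41:19 192.0.2.1 -> 203.0.113.9:80
"""


def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_connections=5, max_jitter_ratio=0.1):
    """Return {(src, dst): mean_interval_seconds} for flows that look scheduled.

    A flow qualifies when it has at least min_connections events and the
    coefficient of variation of its inter-arrival gaps (pstdev / mean) is
    below max_jitter_ratio. Human-driven traffic is far more irregular.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter_ratio:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {interval:.0f}s")
```

The thresholds are deliberately conservative; lowering `min_connections` on a short capture trades fewer missed beacons for more false positives from legitimate periodic traffic such as NTP or update checks, so confirmed hits should be triaged against the destination rather than acted on blindly.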

While no specific attribution was made, it was noted that Chinese cyber actors have also exploited vulnerabilities in EOL routers to establish hidden botnets, posing threats to critical infrastructure in the United States.

Recommendations from the FBI

In light of these vulnerabilities, the FBI emphasized how difficult it is for users to recognize a compromised router, since traditional antivirus tools typically cannot scan such devices. Its recommendation is clear: users should replace vulnerable routers with supported models, or at minimum disable remote administration features and reboot their devices.

Advancements in Security Standards

In a separate but related development, a coalition of major technology providers, including Cisco, Microsoft, and IBM, recently announced the ‘OpenEoX’ initiative. This framework aims to standardize notifications regarding the end of life for products, including when they will no longer receive security patches or support. Such standardization is critical in aiding organizations to manage outdated software and hardware effectively.

The OpenEoX framework seeks to provide a standardized data format that can be integrated into software bills of materials (SBOMs) and security advisories, enhancing the overall security posture of enterprises by ensuring they are informed well in advance about the lifecycle of their critical technologies.
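The FBI's mitigation (replace unsupported routers, disable remote administration) and the OpenEoX goal of machine-readable end-of-support dates meet in a simple inventory check. The following is an added example, not code from the FBI, OpenEoX or any vendor; the record layout, field names, vendor and product names are placeholders constructed for illustration and are not the OpenEoX schema.

```python
"""Check a device inventory against end-of-support records.

Added example. EolRecord is a constructed placeholder for whatever
machine-readable lifecycle record a vendor publishes; it is not OpenEoX's format.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class EolRecord:
    vendor: str
    product: str
    end_of_security_support: date  # assumed field name (constructed)


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    product: str
    remote_admin_enabled: bool


# Constructed sample data; vendor and product names are placeholders.
EOL_RECORDS = [
    EolRecord("ExampleVendor", "Router-A", date(2023, 6, 30)),
    EolRecord("ExampleVendor", "Router-B", date(2026, 1, 31)),
]

INVENTORY = [
    Device("edge-01", "ExampleVendor", "Router-A", True),
    Device("edge-02", "ExampleVendor", "Router-B", True),
    Device("edge-03", "ExampleVendor", "Router-C", False),  # no record published
]


def classify(inventory, records, today):
    """Map each hostname to 'replace', 'supported' or 'unknown'.

    'unknown' is reported separately rather than treated as supported: a
    device with no lifecycle record is exactly the case a standard like
    OpenEoX is meant to eliminate, and it needs a human to look it up.
    """
    index = {(r.vendor, r.product): r for r in records}
    status = {}
    for dev in inventory:
        rec = index.get((dev.vendor, dev.product))
        if rec is None:
            status[dev.hostname] = "unknown"
        elif today > rec.end_of_security_support:
            status[dev.hostname] = "replace"
        else:
            status[dev.hostname] = "supported"
    return status


def urgent_actions(inventory, records, today):
    """Hostnames that are past security support AND still expose remote admin.

    This is the combination the advisory warns about, so these devices get
    remote administration disabled immediately while replacement is planned.
    """
    status = classify(inventory, records, today)
    return sorted(
        d.hostname for d in inventory
        if status[d.hostname] == "replace" and d.remote_admin_enabled
    )


if __name__ == "__main__":
    today = date.today()
    for host, state in classify(INVENTORY, EOL_RECORDS, today).items():
        print(f"{host}: {state}")
    print("disable remote admin now:", urgent_actions(INVENTORY, EOL_RECORDS, today))
```

Feeding this from a real asset inventory and a vendor's published lifecycle data turns the advisory's "replace or disable remote administration" advice into a recurring, auditable check rather than a one-off reaction to a news item.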