FBI Reports: Legacy Routers Compromised for Cybercriminal Proxy Networks
The FBI has issued a warning regarding the exploitation of end-of-life (EoL) routers by threat actors who deploy malware to transform these devices into proxies for sale on the 5Socks and Anyproxy networks.
EoL routers no longer receive security updates from their manufacturers, which leaves known flaws unpatched and lets attackers use publicly available exploits to implant persistent malware. Once compromised, these routers become part of residential proxy botnets that relay malicious traffic. Cybercriminals use these proxies for a range of illegal activities, including cyberattacks.
The FBI’s advisory states, “With the 5Socks and Anyproxy network, criminals are selling access to compromised routers as proxies for customers to purchase and use.” These proxies are utilized by threat actors to conceal their identities and geographical locations.
The following EoL models have been identified as common targets:
– Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550
– Linksys WRT320N, WRT310N, WRT610N
– Cradlepoint E100
– Cisco M10
Moreover, the FBI warns that Chinese state-sponsored actors have leveraged known vulnerabilities in these routers to execute covert espionage campaigns, including operations that target critical U.S. infrastructure.
A related bulletin confirms that numerous routers have been infected with a variant of “TheMoon” malware, which enables threat actors to configure the devices as proxies. The bulletin notes, “End of life routers were breached by cyber actors using variants of TheMoon malware botnet.” It states that some EoL routers with remote administration enabled have been compromised by a new variant of TheMoon malware, facilitating anonymous cybercrime activities.
Compromised routers connect to command and control (C2) servers to receive commands, such as scanning for and further compromising vulnerable devices across the Internet. The FBI highlights that these proxies aid in evading detection during various illicit operations, including cryptocurrency theft and cybercrime-for-hire activities.
Common indicators of compromise by a botnet include disruptions to network connectivity, overheating, performance degradation, unauthorized configuration changes, the emergence of rogue administrative users, and atypical network traffic patterns.
To mitigate the risk associated with botnet infections, organizations are advised to replace EoL routers with new, actively supported models. If replacement is not feasible, it is critical to apply the latest firmware updates sourced directly from the vendor’s official download portal, change default administrative credentials, and disable remote administration features.
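The indicators above (rogue administrative users, unauthorized configuration changes, atypical traffic) and the mitigations (replace EoL models, disable remote administration, change default credentials) can be turned into a routine audit. The script below is an added example, not code from the FBI bulletin: it checks a constructed router inventory against the advisory's EoL model list and risky settings, and scans constructed flow records for a WAN port on the router that accepts sessions from many distinct external addresses, which is the traffic shape a sold proxy listener produces. The inventory record layout, the `EXPECTED_ADMINS` baseline, the source-count threshold and all sample data are this example's own assumptions.

```python
"""Router audit against the FBI advisory's risk factors (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Models the advisory names as common targets.
EOL_MODELS = {
    "Linksys E1200", "Linksys E2500", "Linksys E1000", "Linksys E4200",
    "Linksys E1500", "Linksys E300", "Linksys E3200", "Linksys E1550",
    "Linksys WRT320N", "Linksys WRT310N", "Linksys WRT610N",
    "Cradlepoint E100", "Cisco M10",
}

# Assumed baseline of sanctioned administrative accounts; anything else is a finding.
EXPECTED_ADMINS = {"admin"}


@dataclass
class RouterRecord:
    """Normalised inventory entry; field names are an assumption of this example."""
    hostname: str
    model: str
    wan_ip: str
    remote_admin_enabled: bool
    default_credentials: bool
    admin_users: Tuple[str, ...]


def audit_record(rec: RouterRecord) -> List[str]:
    """Return one finding string per advisory risk factor present on the device."""
    findings = []
    if rec.model in EOL_MODELS:
        findings.append(f"{rec.hostname}: model {rec.model} is EoL; replace with a supported device")
    if rec.remote_admin_enabled:
        findings.append(f"{rec.hostname}: remote administration enabled; disable it")
    if rec.default_credentials:
        findings.append(f"{rec.hostname}: default administrative credentials in use; change them")
    rogue = sorted(set(rec.admin_users) - EXPECTED_ADMINS)
    if rogue:
        findings.append(f"{rec.hostname}: unexpected administrative accounts {rogue}")
    return findings


# Flow record: (src_ip, dst_ip, dst_port, direction); "in" means toward the router's WAN side.
Flow = Tuple[str, str, int, str]


def inbound_proxy_candidates(flows: Iterable[Flow], router_wan_ip: str,
                             allowed_ports: frozenset = frozenset(),
                             min_sources: int = 5) -> Dict[int, int]:
    """Map WAN port -> distinct external source count for ports that accept sessions
    from at least min_sources different addresses and are not explicitly allowed.
    A consumer router normally accepts no unsolicited inbound sessions at all, so a
    port that many unrelated hosts connect to matches the atypical traffic the
    advisory describes. The threshold is an assumption for this constructed data."""
    sources = defaultdict(set)
    for src, dst, port, direction in flows:
        if direction == "in" and dst == router_wan_ip and port not in allowed_ports:
            sources[port].add(src)
    return {port: len(s) for port, s in sources.items() if len(s) >= min_sources}


# Constructed sample inventory: one advisory-listed model with every risk factor present,
# one supported device (placeholder model name) configured as recommended.
SAMPLE_INVENTORY = [
    RouterRecord("branch-rtr-1", "Linksys E1200", "203.0.113.10", True, True, ("admin", "svc_upd")),
    RouterRecord("branch-rtr-2", "ExampleVendor SupportedModel", "203.0.113.20", False, False, ("admin",)),
]

# Constructed sample flows: twelve distinct external hosts open sessions to port 8080 on
# branch-rtr-1; everything else is either a single source or ordinary outbound traffic.
SAMPLE_FLOWS: List[Flow] = (
    [(f"198.51.100.{i}", "203.0.113.10", 8080, "in") for i in range(1, 13)]
    + [("198.51.100.2", "203.0.113.10", 443, "in")]      # one source only, below threshold
    + [("203.0.113.10", "192.0.2.5", 443, "out")]         # normal outbound, ignored
    + [("198.51.100.50", "203.0.113.20", 8080, "in")]     # other router, one source
)


def run_audit(inventory=SAMPLE_INVENTORY, flows=SAMPLE_FLOWS) -> Dict[str, List[str]]:
    """Combine config and traffic checks into a per-device finding list."""
    report = {}
    for rec in inventory:
        findings = audit_record(rec)
        for port, count in inbound_proxy_candidates(flows, rec.wan_ip).items():
            findings.append(f"{rec.hostname}: {count} distinct external sources opened sessions "
                            f"to WAN port {port}; possible proxy listener")
        report[rec.hostname] = findings
    return report


if __name__ == "__main__":
    for host, findings in run_audit().items():
        print(host, "->", findings or "no findings")
```

On the constructed data, `branch-rtr-1` yields five findings (EoL model, remote administration, default credentials, the unexpected `svc_upd` account, and the port 8080 listener with 12 sources) while `branch-rtr-2` yields none. In a real deployment the inventory would come from whatever configuration export the organization already collects, and `allowed_ports` would list any inbound service that is intentionally exposed.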
The FBI has also provided indicators of compromise associated with the malware affecting EoL devices, equipping organizations with the tools necessary to protect against these growing threats.