FlagThis - #routersecurity

The UK's National Cyber Security Centre (NCSC) has issued warnings regarding the growing cyber threats intensified by artificial intelligence and the dangers of unpatched, end-of-life routers. The NCSC's report, "Impact of AI on cyber threat from now to 2027," indicates that threat actors are increasingly using AI to enhance existing tactics. These tactics include vulnerability research, reconnaissance, malware development, and social engineering, leading to a potential increase in both the volume and impact of cyber intrusions. The NCSC cautioned that a digital divide is emerging, with organizations unable to keep pace with AI-enabled threats facing increased risk.

The use of AI by malicious actors is projected to rise, and this poses significant challenges for businesses, especially those that are not prepared to defend against it. The NCSC noted that while advanced state actors may develop their own AI models, most threat actors will likely leverage readily available, off-the-shelf AI tools. Moreover, the implementation of AI systems by organizations can inadvertently increase their attack surface, creating new vulnerabilities that threat actors could exploit. Direct prompt injection, software vulnerabilities, indirect prompt injection, and supply chain attacks are techniques that could be used to gain access to wider systems.

Alongside the AI threat, the FBI has issued alerts concerning the rise in cyberattacks targeting aging internet routers, particularly those that have reached their "End of Life." The FBI warned of TheMoon malware exploiting these outdated devices. Both the NCSC and FBI warnings highlight the importance of proactively replacing outdated hardware and implementing robust security measures to mitigate these risks.


References :

• thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware. The warning also stresses the dramatic uptick in cyberattacks targeting aging internet routers, especially those deemed “End of Life†(EOL).
• Malware ? Graham Cluley: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
• Latest from ITPro in News: AI-enabled cyber attacks exacerbated by digital divide in UK
• NCSC News Feed: UK critical systems at increased risk from 'digital divide' created by AI threats
• industrialcyber.co: NCSC warns UK critical systems face rising threats from AI-driven vulnerabilities
• www.tenable.com: Cybersecurity Snapshot: U.K. NCSC’s Best Cyber Advice on AI Security, the Quantum Threat, API Risks, Mobile Malware and More

Classification:

• HashTags: #CyberSecurity #AIThreats #RouterSecurity
• Company: NCSC
• Target: UK Retailers, Critical Systems
• Feature: cyber threats
• Malware: TheMoon
• Type: News
• Severity: Medium

The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.

The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network.

To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help flush out temporary malware behavior. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities.


References :

• Daily CyberSecurity: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
• The DefendOps Diaries: Exploitation of End-of-Life Routers: A Growing Cybersecurity Threat
• BleepingComputer: FBI: End-of-life routers hacked for cybercrime proxy networks
• Davey Winder: FBI Warns Of Router Attacks — Is Yours On The List Of 13?
• www.scworld.com: Attacks surge against antiquated routers, FBI warns
• bsky.app: The FBI IC3 has published a new PSA warning companies and home consumers that threat actors are exploiting old and outdated end-of-life routers to create massive botnets and that they should probably buy a new device
• BleepingComputer: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
• cyberinsider.com: FBI Warns Hackers Are Exploiting EoL Routers in Stealthy Malware Attacks
• www.bleepingcomputer.com: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
• bsky.app: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
• thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware. The warning also stresses the dramatic uptick in cyberattacks targeting aging internet routers, especially those deemed “End of Life†(EOL).
• thecyberexpress.com: TheMoon Malware Targets Aging Routers, FBI Issues Alert
• The Hacker News: BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation
• securityonline.info: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
• securityaffairs.com: The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks.
• www.techradar.com: FBI warns outdated routers are being hacked
• thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware.
• BleepingComputer: Police dismantles botnet selling hacked routers as residential proxies
• thecyberexpress.com: Law Enforcement Takes Down Botnet Made Up of Thousands of End-Of-Life Routers
• techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
• infosec.exchange: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
• techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
• www.justice.gov: A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire that was comprised of thousands of end-of-life routers. The U.S. Department of Justice (DOJ) announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.
• www.csoonline.com: The FBI is warning that cybercriminals are exploiting that are no longer being patched by manufacturers. Specifically, the “5Socks†and “Anyproxy†criminal networks are using publicly available exploits and injecting persistent malware to gain entry to obsolete routers from Linksys, and Cradlepoint.
• The Register - Security: The FBI also issued a list of end-of-life routers you need to replace Earlier this week, the FBI urged folks to bin aging routers vulnerable to hijacking, citing ongoing attacks linked to TheMoon malware. In a related move, the US Department of Justice unsealed indictments against four foreign nationals accused of running a long-running proxy-for-hire network that exploited outdated routers to funnel criminal traffic.…
• iHLS: FBI Warns: Old Routers Exploited in Cybercrime Proxy Networks
• Peter Murray: FBI and Dutch police seize and shut down botnet of hacked routers
• The DefendOps Diaries: Explore the dismantling of the Anyproxy botnet and the global efforts to secure digital infrastructure against cybercrime.
• securityaffairs.com: Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services
• Anonymous ???????? :af:: BREAKING: $46M cybercrime empire busted. FBI & Dutch forces take down a botnet run on hacked home routers—active since 2004.
• www.itpro.com: FBI takes down botnet exploiting aging routers
• Metacurity: US feds seize two top botnet sites in Operation Moonlander
• Threats | CyberScoop: US seizes Anyproxy, 5socks botnets and indicts alleged administrators

Classification:

• HashTags: #Routers #Botnet #Cybercrime
• Target: End-of-life routers
• Product: Routers
• Feature: Botnet
• Malware: TheMoon
• Type: Malware
• Severity: Medium

DrayTek router owners across the globe experienced widespread connectivity issues recently as their devices became stuck in reboot loops. Internet service providers worldwide have alerted their customers to the problem, which began on Saturday night, affecting multiple DrayTek router models. The affected routers would intermittently lose connectivity and enter a boot loop, rendering them inoperable and disrupting internet services.

It is believed that the root cause of the reboot loops is attributed to either attacks exploiting unspecified vulnerabilities or a buggy software update pushed by DrayTek. Some experts suggest that the problem may be due to existing vulnerabilities that customers have neglected to patch. In addition, GreyNoise has observed in-the-wild activity against several known vulnerabilities in DrayTek devices. The vulnerabilities are CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124.

To address the issue, users experiencing unexpected disconnections are advised to disconnect the WAN cable, log into the router’s Web UI, and check the system uptime. DrayTek recommends checking the firmware version and ensuring that the latest version is installed and if remote access is enabled, disable it unless absolutely necessary. Users can view router logs and debug logs to identify potential causes of the reboot.


References :

• BleepingComputer: Many Internet service providers (ISPs) worldwide are alerting customers of an outage that started Saturday night and triggered DrayTek router connectivity problems.
• V is for...: "Since 21:30 yesterday evening we have witnessed an unusually high volume of session drops, primarily impacting BT Wholesale and TalkTalk broadband sessions. The cause has been narrowed down to vulnerable firmware versions on Draytek routers." Shock horror. Draytek suck.
• BleepingComputer: DrayTek routers worldwide go into reboot loops over weekend
• The Register - Security: Hm, why are so many DrayTek routers stuck in a bootloop?
• The DefendOps Diaries: Understanding the DrayTek Router Reboot Loop Crisis
• bsky.app: This looks like some threat actor tried to exploit vulnerabilities in DrayTek Vigor routers.
• The GreyNoise Blog: Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
• GreyNoise: GreyNoise is bringing awareness to in-the-wild activity against multiple known vulnerabilities in DrayTek devices.
• www.cybersecuritydive.com: DrayTek routers face active exploitation of older vulnerabilities
• securityonline.info: Recent reports have highlighted widespread issues with DrayTek routers, including numerous reboots in the UK and Australia, and
• The Hacker News: CISA Flags Two Six-Year-Old Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices
• Risky Business Media: Ukraine’s state railway hit by a cyberattack, a ransomware attack reduces Malaysia’s largest airport to writing flight details on a whiteboard, buggy exploits put DrayTek routers in a reboot loop, and the NIST CVE backlog grows bigger despite efforts to address it.

Classification:

• HashTags: #DrayTek #Router #Cybersecurity
• Company: DrayTek
• Target: DrayTek router owners
• Product: Routers
• Feature: bootloop
• Type: HighRisk
• Severity: Medium