FBI warns that end of life devices are being actively targeted by threat actors

The FBI is warning that cybercriminals are exploiting end-of-life (EOL) routers that are no longer being patched by manufacturers.

Specifically, the “5Socks” and “Anyproxy” criminal networks are using publicly available exploits and injecting persistent malware to gain entry to obsolete routers from Linksys, Cisco and Cradlepoint. Once compromised, the devices are added to residential proxy botnets that obscure attackers’ origins so they can engage in malicious activity or launch ransomware campaigns.

The agency advises that these old devices be immediately replaced, or at the very least rebooted and remote administration disabled.

“If a business is using one of these routers, they’re setting themselves up for attacks on their infrastructure,” said David Shipley of Beauceron Security. “Most likely, this will be small businesses without a firewall, and this could lead to things like ransomware attacks.”

Hackers can obfuscate their location, gain administrative access

The FBI’s FLASH advisory, released to quickly disseminate information about critical cybersecurity issues to security teams and system admins, explicitly calls out 13 Linksys, Cradlepoint, and Cisco models being commonly hijacked. These include:

Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N, WRT610N

Cradlepoint E100

Cisco M10

Threat actors, notably Chinese state-sponsored actors, are successfully exploiting known vulnerabilities in routers exposed to the web through pre-installed remote management software, according to the FBI. They then install malware, set up a botnet, and sell proxy services or launch coordinated attacks.

“The proxies can be used by threat actors to obfuscate their identity or location,” the agency warns. Essentially, dangerous traffic appears to originate from innocent home networks instead of the attacker’s location.

Threat actors scan the internet to find exposed routers, then bypass authentication methods (including passwords) to gain administrative access and make configuration changes. Through persistent access, they regularly communicate with the device (every 1 to 5 minutes) to ensure it is still compromised and can continue to be exploited. The malware sends information via a command and control (C2) server that has a “two-way handshake” with the router, the FBI explains.
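The steady 1-to-5-minute check-in the FBI describes is something a defender can look for in outbound connection logs from the network the router sits on. The following is an added example, not code from the advisory or from any vendor: it parses a constructed log format (timestamp, source, destination:port; the addresses are documentation ranges, not real indicators) and flags source/destination pairs whose inter-connection gaps are both regular and inside the 60-300 second window.

```python
"""Flag hosts that contact the same external endpoint at a steady
1-5 minute cadence, the check-in interval the FBI attributes to the
router malware. Added example, not from the advisory; the log format
and all addresses below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log in the form
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>" (not a real product format).
SAMPLE_LOG = """\
2025-05-08T10:00:00 192.0.2.1 -> 203.0.113.50:443
2025-05-08T10:00:07 192.0.2.23 -> 198.51.100.9:443
2025-05-08T10:02:01 192.0.2.1 -> 203.0.113.50:443
2025-05-08T10:03:58 192.0.2.1 -> 203.0.113.50:443
2025-05-08T10:04:40 192.0.2.23 -> 198.51.100.80:80
2025-05-08T10:06:02 192.0.2.1 -> 203.0.113.50:443
2025-05-08T10:08:00 192.0.2.1 -> 203.0.113.50:443
2025-05-08T10:09:59 192.0.2.1 -> 203.0.113.50:443
2025-05-08T10:31:12 192.0.2.23 -> 198.51.100.9:443
"""


def parse_log(text):
    """Return {(src, "dst:port"): [datetime, ...]} from the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(flows, min_hits=5, lo=60, hi=300, max_cv=0.2):
    """Return (src, dst, mean_gap_seconds) for flows whose gaps are regular
    and fall in the lo..hi second window. max_cv bounds the spread of the
    gaps (population stdev / mean); real check-ins jitter a little, so a
    small spread is tolerated while ordinary bursty traffic is rejected."""
    found = []
    for (src, dst), times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if lo <= avg <= hi and pstdev(gaps) / avg <= max_cv:
            found.append((src, dst, round(avg)))
    return found


if __name__ == "__main__":
    for src, dst, gap in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: regular check-in every ~{gap}s")
```

On the sample log only 192.0.2.1 is reported, with a roughly two-minute cadence; the second host appears a few times against different endpoints and is ignored. The thresholds are starting points to tune against your own baseline, and a hit is a reason to pull the device's configuration and look for the other indicators the FBI lists, not proof of compromise on its own.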

EOL routers are being breached with variants of TheMoon malware botnet, which was first discovered in 2014 and bypasses security, likely by leveraging known vulnerabilities, to infect routers.

“These devices can be used for reconnaissance, doing things like network scans, or as part of a private Tor network to hide activities from security tools or conceal threat actors in post-incident investigations,” Shipley explained.

Difficult to detect

Often, it can be difficult for end users to know whether their device is compromised because antivirus tools cannot scan the router itself. The FBI has provided a list of files associated with the exploitation campaigns to help users determine whether their device has been affected.

“Users are often not aware that their routers are out of date and vulnerable,” said Johannes Ullrich, dean of research for SANS Technology Institute. In addition, he noted, there is no clear indication in most cases telling users that a router will soon lose support.

“Unless users regularly check with the vendor, they may not realize that the router no longer receives updates,” said Ullrich.

The FBI says indicators of compromise can include connectivity or performance issues (such as frequent crashing), unusual network traffic, changed configurations, and the appearance of new (rogue) admin accounts.

Ultimately, if possible, “these devices should be replaced with newer models that remain in their vendor support plans to prevent further infection,” the agency advises.

If immediate replacement isn’t possible, users should disable remote administration, change all credentials (using strong passwords that are “unique and random” and contain at least 16 but no more than 64 characters), install the latest firmware, and reboot the device to clear any in-memory malware.

EOL devices are easy targets

EOL network devices are increasingly being exploited by cybercriminals. Cisco Systems’ Talos threat intelligence unit found that, in 2024, two of the top three vulnerabilities threat actors attempted to exploit were in EOL devices no longer receiving patches.

These include network attached storage devices from D-Link (CVE-2024-3273 and CVE-2024-3272) and Check Point Software’s Quantum Security Gateways (CVE-2024-24919). The three CVEs accounted for more than half of network device vulnerabilities in 2024.

The FBI points out that routers dated 2010 or earlier are likely no longer receiving software updates from the manufacturer and could be easily compromised through known vulnerabilities.

“The ‘end of life’ of routers and similar hardware is a huge problem,” said Ullrich, noting that the SANS Institute’s honeypot sensors see a few hundred attacks each day just for one single Netgear vulnerability. “This vulnerability is about 10 years old, but still heavily probed.”

To mitigate vulnerability issues, he recommends a simple monthly calendar reminder to check if there are any updates for devices, including network routers, firewalls, or related equipment. When purchasing new equipment, users should also attempt to identify its EOL date and write it directly on the device.
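The monthly check and the write-the-EOL-date-on-the-device habit become much easier to keep up when the inventory is recorded somewhere a script can read it. The following is an added example, not code from the article, the FBI, or any vendor: it audits a constructed inventory against the 13 models the advisory names and each device's recorded end-of-life date, flagging devices that are past EOL, approaching it, have no known date, or still have remote administration enabled. The inventory records, the `remote_admin` field, and the vendor name "ExampleVendor" are assumptions made for illustration.

```python
"""Audit a small network-device inventory against the model list in the
FBI advisory and each device's recorded end-of-life date. Added example,
not from the advisory or any vendor; the inventory below, its
'remote_admin' field and 'ExampleVendor' are constructed for illustration."""
from datetime import date, timedelta

# The 13 models named in the FBI FLASH advisory, as listed in the article.
ADVISORY_MODELS = {
    ("Linksys", m) for m in ("E1200", "E2500", "E1000", "E4200", "E1500",
                             "E300", "E3200", "E1550", "WRT320N",
                             "WRT310N", "WRT610N")
} | {("Cradlepoint", "E100"), ("Cisco", "M10")}

# Constructed inventory. 'eol' is the vendor end-of-support date as written
# on the device label when it was bought; None means nobody recorded it.
INVENTORY = [
    {"name": "branch-rtr-1", "vendor": "Linksys", "model": "E2500",
     "eol": date(2016, 1, 1), "remote_admin": True},
    {"name": "branch-rtr-2", "vendor": "ExampleVendor", "model": "X1",
     "eol": date(2025, 7, 15), "remote_admin": False},
    {"name": "lab-fw", "vendor": "ExampleVendor", "model": "FW200",
     "eol": None, "remote_admin": False},
    {"name": "hq-rtr", "vendor": "ExampleVendor", "model": "R900",
     "eol": date(2029, 3, 1), "remote_admin": False},
]


def review_device(dev, today, warn_days=90):
    """Return a list of findings for one device; empty means nothing to do."""
    findings = []
    if (dev["vendor"], dev["model"]) in ADVISORY_MODELS:
        findings.append("model named in FBI advisory: replace")
    eol = dev["eol"]
    if eol is None:
        findings.append("EOL date unknown: check with vendor and record it")
    elif eol <= today:
        findings.append(f"past EOL since {eol.isoformat()}: replace")
    elif eol - today <= timedelta(days=warn_days):
        findings.append(f"EOL in {(eol - today).days} days: plan replacement")
    if dev["remote_admin"]:
        findings.append("remote administration enabled: disable")
    return findings


def review_inventory(devices, today):
    """Map device name -> findings, for devices that need attention only."""
    report = {}
    for dev in devices:
        findings = review_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    # Run this from the monthly reminder; date.today() in real use.
    for name, findings in review_inventory(INVENTORY, date(2025, 5, 8)).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the sample inventory with a reference date of 8 May 2025, the Linksys E2500 gets three findings (advisory model, nine years past EOL, remote administration on), the device expiring in July gets an early warning, the firewall with no recorded date is sent back to the vendor's support page, and the current router is silent. Extending the model set as new advisories name further hardware is a one-line change.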

“End of life devices must be replaced with newer, supported devices as soon as practical,” he emphasized.
