FBI warns that end of life devices are being actively targeted by threat actors

Published 2025-05-09 | https://cybersecurityinfocus.com/?p=3120

The FBI is warning that cybercriminals are exploiting end-of-life (EOL) routers (https://www.csoonline.com/article/3951165/volume-of-attacks-on-network-devices-shows-need-to-replace-end-of-life-devices-quickly.html) that are no longer being patched by manufacturers.

Specifically, the "5Socks" and "Anyproxy" criminal networks are using publicly available exploits and injecting persistent malware to gain entry to obsolete routers from Linksys, Cisco (https://www.csoonline.com/article/3982055/cisco-patches-max-severity-flaw-allowing-arbitrary-command-execution.html) and Cradlepoint. Once compromised, the devices are added to residential proxy botnets that obscure attackers' origins so they can engage in malicious activity or launch ransomware campaigns.

The agency advises that these old devices be immediately replaced, or at the very least rebooted and remote administration disabled.

"If a business is using one of these routers, they're setting themselves up for attacks on their infrastructure," said David Shipley of Beauceron Security. "Most likely, this will be small businesses without a firewall, and this could lead to things like ransomware attacks."

Hackers can obfuscate their location, gain administrative access

The FBI's FLASH advisory (https://www.ic3.gov/CSA/2025/250507.pdf), released to quickly disseminate information about critical cybersecurity issues to security teams and system admins, explicitly calls out 13 Linksys, Cradlepoint, and Cisco models being commonly hijacked. These include:

Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N, WRT610N
Cradlepoint E100
Cisco M10

Threat actors, notably Chinese state-sponsored actors, are successfully exploiting known vulnerabilities (https://www.csoonline.com/article/3980423/cve-funding-crisis-offers-chance-for-vulnerability-remediation-rethink.html) in routers exposed to the web through pre-installed remote management software, according to the FBI. They then install malware, set up a botnet, and sell proxy services or launch coordinated attacks.

"The proxies can be used by threat actors to obfuscate their identity or location," the agency warns. Essentially, dangerous traffic appears to originate from innocent home networks instead of the attacker's location.

Threat actors scan the internet to find exposed routers, then bypass authentication methods (including passwords) to gain administrative access and make configuration changes. Through persistent access, they regularly communicate with the device (every 1 to 5 minutes) to ensure it is still compromised and can continue to be exploited. The malware sends information via a command and control (C2) server that has a "two-way handshake" with the router, the FBI explains.

EOL routers are being breached with variants of TheMoon malware botnet, which was first discovered in 2014 and bypasses security, likely by leveraging known vulnerabilities, to infect routers.

"These devices can be used for reconnaissance, doing things like network scans or as part of a private Tor network to hide activities from security tools or conceal threat actors in post-incident investigations," Shipley explained.

Difficult to detect

Often, it can be difficult for end users to know whether their device is compromised because antivirus tools can't scan them. The FBI has provided a list of files associated with exploitation campaigns (https://www.ic3.gov/CSA/2025/250507.pdf) to help determine vulnerability.

"Users are often not aware that their routers are out of date and vulnerable," said Johannes Ullrich, dean of research for SANS Technology Institute. In addition, he noted, there is no clear indication in most cases telling users that a router will soon lose support.

"Unless users regularly check with the vendor, they may not realize that the router no longer receives updates," said Ullrich.

The FBI says indicators of compromise can include connectivity or performance issues (such as frequent crashing), unusual network traffic, changed configurations, and the appearance of new (rogue) admin accounts.

Ultimately, if possible, "these devices should be replaced with newer models that remain in their vendor support plans to prevent further infection," the agency advises.

If immediate replacement isn't possible, users should disable remote administration, change all credentials (using strong passwords that are "unique and random" and contain at least 16 but no more than 64 characters), install the latest firmware, and reboot the device to clear any in-memory malware.

EOL devices are easy targets

EOL network devices are increasingly being exploited by cybercriminals. Cisco Systems' Talos threat intelligence unit found that, in 2024, two of the top three vulnerabilities (https://www.csoonline.com/article/3951165/volume-of-attacks-on-network-devices-shows-need-to-replace-end-of-life-devices-quickly.html) threat actors attempted to exploit were in EOL devices no longer receiving patches.

These include network attached storage devices from D-Link (CVE-2024-3273 and CVE-2024-3272) and Check Point Software's Quantum Security Gateways (CVE-2024-24919). The three CVEs accounted for more than half of network device vulnerabilities in 2024.

The FBI points out (https://www.ic3.gov/PSA/2025/PSA250507) that routers dated 2010 or earlier are likely no longer receiving software updates from the manufacturer and could be easily compromised through known vulnerabilities.

"The 'end of life' of routers and similar hardware is a huge problem," said Ullrich, noting that the SANS Institute's honeypot sensors see a few hundred attacks each day just for one single Netgear vulnerability. "This vulnerability is about 10 years old, but still heavily probed."

To mitigate vulnerability issues, he recommends a simple monthly calendar reminder to check if there are any updates for devices, including network routers, firewalls, or related equipment. When purchasing new equipment, users should also attempt to identify its EOL date and write it directly on the device.

"End of life devices must be replaced with newer, supported devices as soon as practical," he emphasized.