The Federal Bureau of Investigation is issuing this announcement to inform individuals and businesses about proxy services that take advantage of end-of-life routers with known, unpatched vulnerabilities.
When a hardware device reaches end of life, the manufacturer no longer sells the product or actively supports the hardware, which also means it no longer releases software updates or security patches for the device.
Routers dated 2010 or earlier likely no longer receive software updates issued by the manufacturer and could be compromised by cyber actors exploiting known vulnerabilities.
End-of-life routers have been breached by cyber actors using variants of the TheMoon malware botnet. Recently, some end-of-life routers with remote administration turned on were identified as compromised by a new variant of TheMoon.
This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.
A proxy server is a system or router that acts as a gateway between users and the Internet: an intermediary that relays users' traffic to the web pages they visit while hiding the link between the users and their activity.
Cyber actors use proxy services to hide their identities and location. When actors use a proxy service to visit a website to conduct criminal activity, like stealing cryptocurrency or contracting illegal services, the website does not register their real IP address and instead registers the proxy IP.
The malware contacts its command and control (C2) server, which responds with instructions; these may include directing the infected router to scan for other vulnerable routers so that the infection spreads and the botnet grows.
Commonly identified signs of a malware infection on a router include the device overheating, connectivity problems, and changes to settings that the administrator does not recognize.
The FBI recommends that individuals and companies take the following precautions:
- If the router is at end of life, replace the device with an updated model if possible.
- Immediately apply any available security patches and/or firmware updates for your devices.
- Log in to the router's settings, disable remote management/remote administration, save the change, and reboot the router.
- Use strong passwords that are unique and random and contain at least 16 but no more than 64 characters. Avoid reusing passwords and disable password hints.
- If you believe there is suspicious activity on any device, apply any necessary security and firmware updates, change your password, and reboot the router.
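The following script is an added example, not code from the FBI announcement, showing how an administrator can check a router's exported settings for the indicators and recommendations above: settings that changed against a previously saved baseline, remote administration turned on, firmware dated 2010 or earlier, and an admin password that meets the length guidance. It assumes a hypothetical "key=value" configuration export format; real routers export settings in vendor-specific formats, so `parse_config` would need adapting. The baseline and current exports are constructed sample data.

```python
"""Router hygiene check for the indicators in the announcement above.

Added example (not from the FBI announcement). Assumes a hypothetical
"key=value" export format; the two exports below are constructed samples.
"""
import secrets
import string

# Constructed sample: a baseline saved when the router was set up, and a
# fresh export taken after the owner noticed connectivity problems.
BASELINE_EXPORT = """\
wan.remote_admin=off
wan.remote_admin_port=8080
lan.dns.primary=192.0.2.53
lan.dns.secondary=192.0.2.54
admin.user=admin
firmware.version=1.0.4
firmware.date=2009-11-02
"""

CURRENT_EXPORT = """\
wan.remote_admin=on
wan.remote_admin_port=8080
lan.dns.primary=198.51.100.9
lan.dns.secondary=192.0.2.54
admin.user=admin
firmware.version=1.0.4
firmware.date=2009-11-02
"""

# Routers dated 2010 or earlier likely no longer receive updates.
EOL_CUTOFF_YEAR = 2010


def parse_config(text):
    """Turn 'key=value' lines into a dict, ignoring blanks and '#' comments."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def config_drift(baseline, current):
    """Return (key, old, new) for every setting that differs from the baseline.

    Differences the administrator did not make are the 'changes to settings
    the administrator does not recognize' listed as a sign of infection.
    """
    drift = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            drift.append((key, old, new))
    return drift


def check_router(config):
    """Return human-readable findings for a parsed configuration."""
    findings = []
    if config.get("wan.remote_admin", "off").lower() in ("on", "true", "1", "enabled"):
        port = config.get("wan.remote_admin_port", "?")
        findings.append(f"remote administration enabled on WAN port {port}: "
                        "disable it, save the change and reboot")
    fw_date = config.get("firmware.date")
    if fw_date and int(fw_date.split("-")[0]) <= EOL_CUTOFF_YEAR:
        findings.append(f"firmware dated {fw_date}: device is likely end of life, "
                        "replace it with a supported model")
    return findings


def password_is_strong(password, previously_used=()):
    """Apply the password guidance: 16 to 64 characters and not reused.

    'Random' is approximated by requiring at least three character classes.
    """
    if not 16 <= len(password) <= 64 or password in previously_used:
        return False
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    return sum(classes) >= 3


def generate_password(length=24):
    """Generate a random admin password within the recommended length range."""
    if not 16 <= length <= 64:
        raise ValueError("length must be between 16 and 64")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # retry in the rare case too few character classes appear
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_is_strong(candidate):
            return candidate


if __name__ == "__main__":
    baseline, current = parse_config(BASELINE_EXPORT), parse_config(CURRENT_EXPORT)
    for key, old, new in config_drift(baseline, current):
        print(f"changed: {key}: {old!r} -> {new!r}")
    for finding in check_router(current):
        print(f"finding: {finding}")
    print("suggested new admin password:", generate_password())
```

Run against the constructed exports, the drift check reports that remote administration flipped from off to on and that the primary DNS server changed, and the findings flag both the enabled remote administration and the 2009 firmware date. Saving a baseline export right after configuring a router, and diffing against it whenever the device misbehaves, is a cheap way to catch the kind of unrecognized settings changes the announcement describes.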