The increased adoption of hybrid work has resulted in a greater reliance on inexpensive routers that facilitate VPN access, particularly for SMBs. The thing with these devices is that they are usually situated outside the conventional security periphery, leading to insufficient monitoring and updates. This creates opportunities for attackers to establish and maintain long-term persistence without detection.
Routers often provide access to multiple devices on a network, making them a valuable target for hackers who want to gain access to sensitive data or other systems on the network. Many of these routers have poor security configurations, including default login credentials and unpatched firmware. Hackers can also use compromised routers as part of a botnet to launch DDoS attacks.
These inexpensive routers are a vulnerable point in a network, which make them an attractive target for attackers that seek to gain access to sensitive information or conduct malicious activities. It’s been seen previously within the last year with ZuoRAT. The multistage remote access Trojan was developed for small office/home office devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.
Fast-forward to 2023. Black Lotus Labs, the threat research team at Lumen, uncovered a complex new malware campaign that had been exploiting compromised routers. The team delved into the latest research and identified a campaign called "Hiatus" that had been targeting business-grade routers since June 2022.
The team discovered that the threat actors behind the Hiatus campaign primarily targeted DrayTek Vigor router models 2960 and 3900, which had reached their end of life. As of mid-February, approximately 4,100 DrayTek models 2960 and 3900 were exposed on the internet, and Hiatus had compromised around 100 of them in Latin America, Europe, and North America with the pharmaceutical and IT services and consulting firm industries among the targeted.
So, what happens when the devices are compromised?
Well, the malware intercepts data transiting the infected router by deploying a binary that captures network packets from the compromised device and sends them to actor-controlled infrastructure. At the same time, the malware deploys a RAT dubbed "HiatusRAT" that displays a feature that the team called unusual. It converts the compromised machine into a bot that can proxy malicious traffic transmitted by the adversary to victims on additional networks.
"The discovery of Hiatus confirms that actors are continuing to pursue router exploitation. These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted and updated, while end-of-life devices should be replaced," said Mark Dehus, Director of Threat Intelligence for Lumen Black Lotus Labs.
Black Lotus Labs null-routed Hiatus C2s across the Lumen global backbone and added the Indicators of Compromise from this campaign into Rapid Threat Defense, the automated threat detection and response capability. The team also continues to monitor for new Hiatus infrastructure, targeting activity, and expanding tactics, techniques and procedures.
For consumers with self-managed routers, follow the advice Dehus provided: regularly monitor, reboot and install security updates and patches. End-of-life devices need to be replaced. Businesses also need to consider comprehensive SASE or similar solutions that utilize VPN-based access to protect data and bolster their security posture.
Echoing what Dehus said, this campaign shows the need to secure the router ecosystem. Anyone with a router who uses the internet is a potential target. Truth be told, they can be used as proxy for another campaign even, if the entity that owns the router does not view themselves as an intelligence target.
Edited by
Alex Passett
