Black Lotus Labs Uncovers Hiatus Malware Campaign

Black Lotus Labs Uncovers Hiatus Malware Campaign

By Greg Tavarez

The increased adoption of hybrid work has resulted in a greater reliance on inexpensive routers that facilitate VPN access, particularly for SMBs. The thing with these devices is that they are usually situated outside the conventional security periphery, leading to insufficient monitoring and updates. This creates opportunities for attackers to establish and maintain long-term persistence without detection.

Routers often provide access to multiple devices on a network, making them a valuable target for hackers who want to gain access to sensitive data or other systems on the network. Many of these routers have poor security configurations, including default login credentials and unpatched firmware. Hackers can also use compromised routers as part of a botnet to launch DDoS attacks.

These inexpensive routers are a vulnerable point in a network, which make them an attractive target for attackers that seek to gain access to sensitive information or conduct malicious activities. It’s been seen previously within the last year with ZuoRAT. The multistage remote access Trojan was developed for small office/home office devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.

Fast-forward to 2023. Black Lotus Labs, the threat research team at Lumen, uncovered a complex new malware campaign that had been exploiting compromised routers. The team delved into the latest research and identified a campaign called "Hiatus" that had been targeting business-grade routers since June 2022.

The team discovered that the threat actors behind the Hiatus campaign primarily targeted DrayTek Vigor router models 2960 and 3900, which had reached their end of life. As of mid-February, approximately 4,100 DrayTek models 2960 and 3900 were exposed on the internet, and Hiatus had compromised around 100 of them in Latin America, Europe, and North America with the pharmaceutical and IT services and consulting firm industries among the targeted.

So, what happens when the devices are compromised?

Well, the malware intercepts data transiting the infected router by deploying a binary that captures network packets from the compromised device and sends them to actor-controlled infrastructure. At the same time, the malware deploys a RAT dubbed "HiatusRAT" that displays a feature that the team called unusual. It converts the compromised machine into a bot that can proxy malicious traffic transmitted by the adversary to victims on additional networks.

"The discovery of Hiatus confirms that actors are continuing to pursue router exploitation. These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted and updated, while end-of-life devices should be replaced," said Mark Dehus, Director of Threat Intelligence for Lumen Black Lotus Labs.

Black Lotus Labs null-routed Hiatus C2s across the Lumen global backbone and added the Indicators of Compromise from this campaign into Rapid Threat Defense, the automated threat detection and response capability. The team also continues to monitor for new Hiatus infrastructure, targeting activity, and expanding tactics, techniques and procedures.

For consumers with self-managed routers, follow the advice Dehus provided: regularly monitor, reboot and install security updates and patches. End-of-life devices need to be replaced. Businesses also need to consider comprehensive SASE or similar solutions that utilize VPN-based access to protect data and bolster their security posture.

Echoing what Dehus said, this campaign shows the need to secure the router ecosystem. Anyone with a router who uses the internet is a potential target. Truth be told, they can be used as proxy for another campaign even, if the entity that owns the router does not view themselves as an intelligence target.

Edited by Alex Passett
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

MSPToday Editor

Related Articles

Industrial Cybersecurity Transformed: Secureworks Launches Integrated MDR Solution for OT and IT

By: Greg Tavarez    6/8/2023

Secureworks announced two new offerings to unify the way industrial organizations prevent, detect and respond to threats across the OT and IT landscap…

Read More

K8 Notifier: A New Twist on Cloud Cybersecurity

By: Matthew Vulpis    6/8/2023

K8 Notifer can create a suite of alerts for MSP to detect suspicious activity in the configuration and patterns of their and their customers cloud ser…

Read More

Impossible Cloud Paves Way with New Program in the Web3 Era

By: Greg Tavarez    6/8/2023

Impossible Cloud's Partner Program allows partners and resellers to seamlessly implement, demo and integrate its efficient, performance-driven solutio…

Read More

CrowdStrike Empowers Next-Gen Cybersecurity with Generative AI

By: Stefania Viscusi    6/8/2023

Security company CrowdStrike unveiled Charlotte AI, a new generative AI cybersecurity that will help to democratize security and empower users of the …

Read More

Improving Cyber Response with Continuous Vulnerability Hunting Across the Entire IT Ecosystem

By: Erik Linask    6/6/2023

Sevco Security has announced new capabilities for vulnerability hunting that will enable organizations to adopt full-scale vulnerability hunting progr…

Read More