Black Lotus Labs Uncovers Hiatus Malware Campaign

By Greg Tavarez

The increased adoption of hybrid work has resulted in a greater reliance on inexpensive routers that facilitate VPN access, particularly for SMBs. These devices are usually situated outside the conventional security perimeter, so they receive insufficient monitoring and updates. This creates opportunities for attackers to establish and maintain long-term persistence without detection.

Routers often provide access to multiple devices on a network, making them a valuable target for hackers who want to gain access to sensitive data or other systems on the network. Many of these routers have poor security configurations, including default login credentials and unpatched firmware. Hackers can also use compromised routers as part of a botnet to launch DDoS attacks.

These inexpensive routers are a vulnerable point in a network, which makes them an attractive target for attackers who seek to gain access to sensitive information or conduct malicious activities. This was seen within the last year with ZuoRAT, a multistage remote access Trojan developed for small office/home office devices. It grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications, maintaining an undetected foothold.

Fast-forward to 2023. Black Lotus Labs, the threat research team at Lumen, uncovered a complex new malware campaign that had been exploiting compromised routers. The team delved into the latest research and identified a campaign called "Hiatus" that had been targeting business-grade routers since June 2022.

The team discovered that the threat actors behind the Hiatus campaign primarily targeted DrayTek Vigor router models 2960 and 3900, which had reached their end of life. As of mid-February, approximately 4,100 DrayTek models 2960 and 3900 were exposed on the internet, and Hiatus had compromised around 100 of them in Latin America, Europe, and North America, with pharmaceutical firms and IT services and consulting firms among the targets.

So, what happens when the devices are compromised?

Well, the malware intercepts data transiting the infected router by deploying a binary that captures network packets from the compromised device and sends them to actor-controlled infrastructure. At the same time, the malware deploys a RAT dubbed "HiatusRAT" that has a feature the team called unusual: it converts the compromised machine into a bot that can proxy malicious traffic transmitted by the adversary to victims on additional networks.
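Both behaviours described above leave a footprint in the router's own flow telemetry: the router sourcing bulk uploads to one external host (the packet-capture upload), and the router taking traffic in from one external host and sending a comparable volume to a different one (the proxy bot). The following is an added defender-side example, not code from Black Lotus Labs or Lumen; the router address, LAN range, flow records and thresholds are all constructed assumptions.

```python
"""Flow-log heuristics for the two Hiatus behaviours the article describes:
(1) the router itself uploading captured traffic to one external host, and
(2) the router relaying external-to-external traffic as a proxy bot."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ROUTER_WAN_IP = "203.0.113.10"       # assumed router address (documentation range)
LAN = ip_network("192.168.1.0/24")   # assumed internal network

# Constructed sample flows (src, dst, bytes); not real telemetry.
FLOWS = [
    ("192.168.1.20", "198.51.100.5", 2_000),        # normal LAN client traffic
    ("203.0.113.10", "198.51.100.7", 50_000_000),   # router itself sends bulk data to one host
    ("198.51.100.9", "203.0.113.10", 900_000),      # external host pushes traffic to router ...
    ("203.0.113.10", "198.51.100.20", 880_000),     # ... router sends similar volume elsewhere
    ("192.168.1.30", "198.51.100.40", 5_000),
]

def is_external(ip):
    return ip_address(ip) not in LAN and ip != ROUTER_WAN_IP

def exfil_candidates(flows, threshold=10_000_000):
    """External hosts to which the router's own address sent more than
    `threshold` bytes. A router forwards traffic; it rarely sources bulk
    transfers itself, so this matches the packet-capture upload behaviour."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if src == ROUTER_WAN_IP and is_external(dst):
            totals[dst] += nbytes
    return sorted(d for d, b in totals.items() if b > threshold)

def proxy_candidates(flows, ratio=0.8):
    """(inbound_src, outbound_dst) pairs where the router took in bytes from one
    external host and sent a comparable amount to a different external host."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for src, dst, nbytes in flows:
        if dst == ROUTER_WAN_IP and is_external(src):
            inbound[src] += nbytes
        elif src == ROUTER_WAN_IP and is_external(dst):
            outbound[dst] += nbytes
    return sorted(
        (s, d) for s, b_in in inbound.items() for d, b_out in outbound.items()
        if s != d and min(b_in, b_out) / max(b_in, b_out) >= ratio
    )

if __name__ == "__main__":
    print("possible capture-upload destinations:", exfil_candidates(FLOWS))
    print("possible relay pairs:", proxy_candidates(FLOWS))
```

On real NetFlow or firewall logs the thresholds need tuning per site, and legitimate router-sourced traffic (firmware downloads, cloud management) should be allow-listed before alerting.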

"The discovery of Hiatus confirms that actors are continuing to pursue router exploitation. These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted and updated, while end-of-life devices should be replaced," said Mark Dehus, Director of Threat Intelligence for Lumen Black Lotus Labs.

Black Lotus Labs null-routed Hiatus C2s across the Lumen global backbone and added the Indicators of Compromise from this campaign into Rapid Threat Defense, Lumen's automated threat detection and response capability. The team also continues to monitor for new Hiatus infrastructure, targeting activity, and expanding tactics, techniques and procedures.

For consumers with self-managed routers, follow the advice Dehus provided: regularly monitor, reboot and install security updates and patches. End-of-life devices need to be replaced. Businesses also need to consider comprehensive SASE or similar solutions that utilize VPN-based access to protect data and bolster their security posture.

Echoing what Dehus said, this campaign shows the need to secure the router ecosystem. Anyone with a router who uses the internet is a potential target. Truth be told, a router can be used as a proxy for another campaign, even if the entity that owns it does not view itself as an intelligence target.

Edited by Alex Passett
