Black Lotus Labs Uncovers Hiatus Malware Campaign

Black Lotus Labs Uncovers Hiatus Malware Campaign

By Greg Tavarez

The increased adoption of hybrid work has resulted in a greater reliance on inexpensive routers that facilitate VPN access, particularly for SMBs. The thing with these devices is that they are usually situated outside the conventional security periphery, leading to insufficient monitoring and updates. This creates opportunities for attackers to establish and maintain long-term persistence without detection.

Routers often provide access to multiple devices on a network, making them a valuable target for hackers who want to gain access to sensitive data or other systems on the network. Many of these routers have poor security configurations, including default login credentials and unpatched firmware. Hackers can also use compromised routers as part of a botnet to launch DDoS attacks.

These inexpensive routers are a vulnerable point in a network, which make them an attractive target for attackers that seek to gain access to sensitive information or conduct malicious activities. It’s been seen previously within the last year with ZuoRAT. The multistage remote access Trojan was developed for small office/home office devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.

Fast-forward to 2023. Black Lotus Labs, the threat research team at Lumen, uncovered a complex new malware campaign that had been exploiting compromised routers. The team delved into the latest research and identified a campaign called "Hiatus" that had been targeting business-grade routers since June 2022.

The team discovered that the threat actors behind the Hiatus campaign primarily targeted DrayTek Vigor router models 2960 and 3900, which had reached their end of life. As of mid-February, approximately 4,100 DrayTek models 2960 and 3900 were exposed on the internet, and Hiatus had compromised around 100 of them in Latin America, Europe, and North America with the pharmaceutical and IT services and consulting firm industries among the targeted.

So, what happens when the devices are compromised?

Well, the malware intercepts data transiting the infected router by deploying a binary that captures network packets from the compromised device and sends them to actor-controlled infrastructure. At the same time, the malware deploys a RAT dubbed "HiatusRAT" that displays a feature that the team called unusual. It converts the compromised machine into a bot that can proxy malicious traffic transmitted by the adversary to victims on additional networks.

"The discovery of Hiatus confirms that actors are continuing to pursue router exploitation. These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted and updated, while end-of-life devices should be replaced," said Mark Dehus, Director of Threat Intelligence for Lumen Black Lotus Labs.

Black Lotus Labs null-routed Hiatus C2s across the Lumen global backbone and added the Indicators of Compromise from this campaign into Rapid Threat Defense, the automated threat detection and response capability. The team also continues to monitor for new Hiatus infrastructure, targeting activity, and expanding tactics, techniques and procedures.

For consumers with self-managed routers, follow the advice Dehus provided: regularly monitor, reboot and install security updates and patches. End-of-life devices need to be replaced. Businesses also need to consider comprehensive SASE or similar solutions that utilize VPN-based access to protect data and bolster their security posture.

Echoing what Dehus said, this campaign shows the need to secure the router ecosystem. Anyone with a router who uses the internet is a potential target. Truth be told, they can be used as proxy for another campaign even, if the entity that owns the router does not view themselves as an intelligence target.

Edited by Alex Passett
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

MSPToday Editor

Related Articles

LogMeIn Rescue, to the Rescue: Forrester Studies GoTo's Support Capabilities

By: Alex Passett    9/22/2023

Over a period of three years, a Forrester Total Economic Impact (TEI) study examined the business and financial benefits of LogMeIn Rescue, a flagship…

Read More

Canadian Managed IT Services Gear Up for Cybersecurity Awareness Month

By: Contributing Writer    9/22/2023

October, prominently known as Cybersecurity Awareness Month, is an annual observance and an intensified rally for Canada's premier IT service provider…

Read More

ITEXPO Exhibitor RingLogix Looks to TeamMate to Open New Possibilities for MSPs

By: Greg Tavarez    9/21/2023

The RingLogix and TeamMate collaboration enables MSPs to get the most out of Microsoft Teams as a collaboration solution.

Read More

Acronis Introduces Advanced Automation for MSPs

By: Stefania Viscusi    9/21/2023

Acronis Advanced Automation addresses a common challenge faced by MSPs, the increasing complexities businesses face with so many different initiatives…

Read More

Comprehensive Cybersecurity Solutions: Rackspace Taps Palo Alto Networks

By: Alex Passett    9/20/2023

Strengthening organizations' abilities to stay ahead of progressively evolving cyber threats and attackers is key. That's why Rackspace Technology has…

Read More