Threat Actors using advanced malware to backdoor business-grade routers.

Researchers have discovered advanced malware that is turning business-grade routers into attacker-controlled listening posts that can sniff email and steal files, in an ongoing campaign hitting North and South America and Europe.

Apart from capturing IMAP, SMTP, and POP email, it also backdoors routers with a remote access Trojan that lets attackers download files and run commands of their choice. The backdoor also lets attackers funnel data from other servers through the router, turning the device into a covertly deployed proxy that conceals the true origin of malicious activity.

This campaign, dubbed Hiatus, has been running since last July. Its main targets so far have been end-of-life DrayTek Vigor 2960 and 3900 models running on i386 architecture. These high-bandwidth routers support virtual private network connections for hundreds of remote workers.

Roughly a hundred routers have been infected. Researchers suspect the unknown threat actor behind Hiatus, as the malware is called, is deliberately keeping a small footprint to preserve the stealthy nature of the campaign.

It is good to remember that routers are Internet-connected computers, and as such they require regular attention, such as changing default passwords and applying updates.

For businesses, it may make sense to use dedicated router monitoring.
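One thing such monitoring can do is watch for the router itself originating sessions, which is how the proxy behaviour described above would show up in flow or firewall logs. The script below is an added example, not code from the original post or from the researchers; the router address, the allow-list of expected router-originated ports, and the flow records are all constructed assumptions.

```python
"""Flag flows sourced by the edge router itself that do not match its normal
housekeeping traffic. A router that opens its own sessions to arbitrary hosts
and ports is behaving like a host or a relay, consistent with the backdoor/proxy
capability described for Hiatus. All values below are constructed examples."""
from collections import defaultdict

ROUTER_IP = "203.0.113.1"  # assumed WAN address of the monitored router
# Ports a healthy router is expected to use on its own behalf (assumption):
# DNS, NTP and HTTPS for vendor/cloud management.
EXPECTED_ROUTER_PORTS = {53, 123, 443}

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    ("203.0.113.1", "198.51.100.53", 53, 120),      # DNS lookup by the router
    ("203.0.113.1", "198.51.100.123", 123, 76),     # NTP sync by the router
    ("203.0.113.1", "192.0.2.77", 8816, 52000),     # router reaching out on an odd port
    ("203.0.113.1", "192.0.2.77", 8816, 61000),     # ...repeatedly, to the same peer
    ("10.0.0.25", "198.51.100.10", 443, 9000),      # ordinary LAN client traffic
    ("203.0.113.1", "192.0.2.90", 25, 4400),        # router itself speaking SMTP
]


def suspicious_router_flows(flows, router_ip=ROUTER_IP, expected=EXPECTED_ROUTER_PORTS):
    """Return flows whose source is the router and whose destination port is
    not on the allow-list. LAN clients traversing the router are not the
    source in these records, so they are ignored."""
    return [f for f in flows if f[0] == router_ip and f[2] not in expected]


def summarize(flows):
    """Aggregate suspicious flows per (destination, port) with total bytes so a
    sustained relay to one peer stands out over a single stray connection."""
    totals = defaultdict(int)
    for _src, dst, dport, nbytes in suspicious_router_flows(flows):
        totals[(dst, dport)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for (dst, dport), total in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"router -> {dst}:{dport}  {total} bytes (unexpected router-originated traffic)")
```

Passive capture of IMAP, SMTP and POP passing through the router leaves no trace in flow records, so this check only covers the relay and exfiltration side; the sniffing side needs firmware-integrity checks or retiring the end-of-life models altogether.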


More articles by Frederick Wakulyaka
