Thousands of Consumer Routers Compromised by Russian Military Hacking

Recent reports indicate that the Russian military has resumed large-scale hacking campaigns targeting home and small office routers, unknowingly redirecting users to malicious sites that collect passwords and credential tokens for espionage purposes. This alarming activity was highlighted by researchers from Lumen Technologies’ Black Lotus Labs on Tuesday.

Estimates suggest that between 18,000 and 40,000 consumer routers, primarily from MikroTik and TP-Link manufacturers, have been compromised across approximately 120 countries. These devices have been integrated into the infrastructure of APT28, a sophisticated threat group linked to Russia’s military intelligence agency, the GRU. APT28, which has been active for at least 20 years, is known for executing numerous significant attacks against government entities globally and has been identified by several names, including Pawn Storm, Sofacy Group, and Tsar Team.

Advanced Tactics and Techniques

A small cluster of compromised routers served as proxies, allowing APT28 to access a wider array of routers belonging to foreign ministries and law enforcement bodies. This strategic maneuver enabled the attackers to alter DNS settings for selected websites, including key domains associated with Microsoft’s 365 services, thereby facilitating their surveillance objectives.

The Black Lotus researchers noted that APT28 remains adept at fusing cutting-edge technologies, such as the large language model ‘LAMEHUG,’ with long-established attack methods. Their ongoing campaigns demonstrate both technological prowess and a persistence in utilizing conventional tactics, even after being publicly exposed, thus posing a continuous threat to organizations worldwide.

The attackers leveraged vulnerabilities inherent in older router models that had not received security patches. By modifying DNS settings for targeted domains and employing the Dynamic Host Configuration Protocol to propagate these settings to connected workstations, APT28 could manipulate user traffic. This allowed traffic to be rerouted through nefarious servers before reaching legitimate destinations.

In terms of the tactics and techniques employed, this attack exemplifies several phases outlined in the MITRE ATT&CK framework. Initial access may have been achieved through the exploitation of unpatched devices, while persistence was likely established through the ongoing manipulation of DNS settings. Additionally, privilege escalation techniques could have enabled the attackers to broaden their access to sensitive environments, reinforcing the need for vigilance in network security practices.

As these developments unfold, the implications for business owners are significant. Organizations must remain proactive in their cybersecurity measures, particularly concerning the maintenance of network hardware and awareness of potential vulnerabilities. The growing sophistication of cyber threats necessitates a robust approach to safeguarding sensitive information and interrupting adversarial attempts at espionage.

Source

Related Posts

JPMorgan Chase Hacked: Data of 465,000 Prepaid Card Users Compromised

Dec 5, 2013

JPMorgan Chase, one of the largest banks in the world, has reported a cyber attack affecting approximately 465,000 holders of its prepaid cash cards. The breach occurred in July on the bank’s website, www.ucard.chase.com, compromising about 2% of the 25 million UCard users. The bank has assured customers that debit, credit, and prepaid Liquid card accounts remain secure. They alerted law enforcement in September, though details on the attack method remain undisclosed. JPMorgan spokesman Michael Fusco stated that the investigation has identified affected accounts, and cardholders have been notified. Importantly, no funds were accessed in user accounts, which is why the company has not advised customers to change their card information.

Understanding Security Vulnerabilities of FTP and the Advantages of Managed File Transfer

Dec 10, 2013

File transfer services like FTP and HTTP have been widely used for business file exchanges. Essentially, file transfer involves using a protocol to send a stream of bits—comprised of file name, size, timestamp, and other metadata—from one host to another over a TCP-based network, such as the Internet. However, this method is not without its risks. FTP, in particular, is not inherently secure and is prone to various vulnerabilities. Notably, it lacks encryption for data transmission, leaving it susceptible to attacks. In many cases, businesses simply aim to transfer files between two endpoints without considering the security implications, potentially exposing sensitive data to numerous threats, including FTP Bounce Attacks.

Chinese Hackers Target European Diplomats in Recent G20 Cyber Espionage Incident

Dec 13, 2013

A report from security firm FireEye reveals that Chinese hackers conducted cyber espionage against European Ministries of Foreign Affairs during the recent G20 meetings. Researcher Nart Villeneuve highlighted that the hackers accessed the networks of five European foreign ministries by sending emails embedded with malware files, allowing them to steal credentials and sensitive information. The operation, termed “Operation Ke3chang,” is believed to have been active since at least 2010. The attackers used malware disguised as documents related to potential military interventions in Syria (US_military_options_in_Syria.pdf.zip), which, when downloaded and opened by victims, installed a backdoor on their systems. Additionally, they exploited a Java zero-day vulnerability (CVE-2012-4681) and other established exploits.