SOHO routers used as initial point of compromise in stealth attack campaign (Security News, June 2022)
Black Lotus Labs, a threat intelligence team within Lumen Technologies, has recently exposed a new modus operandi for an attack campaign that went undiscovered for nearly two years.
One of its most intriguing characteristics is that it targets small office / home office (SOHO) routers as an initial point of compromise, in addition to being particularly stealthy.
At the beginning of this attack campaign, a MIPS binary compiled for SOHO routers is pushed to the routers by exploiting known vulnerabilities.
Several SOHO routers have also been used as proxy C2 nodes, rendering the investigations more difficult.
Cobalt Strike is a known remote access and attack framework that is generally used by both penetration testers and attackers.
The attack infrastructure was notably well protected: initial exploits came from a virtual private server hosting benign content, while several compromised routers were used as proxies to reach the C2 server.
News URL
https://www.techrepublic.com/article/soho-routers-compromise-attack/
Related news
- Japan warns of IO-Data zero-day router flaws exploited in attacks
- OpenWrt orders router firmware updates after supply chain attack scare
- Update your OpenWrt router! Security issue made supply chain attack possible
- US sanctions Chinese cybersecurity company for firewall compromise, ransomware attacks