Thursday, April 10, 2025

Threat Actors Renting Out Compromised Routers To Other Criminals


APT actors and cybercriminals alike hide behind proxy anonymization layers and VPN nodes to mask their activity. Pawn Storm, a well-known APT group, went a step further: in 2022 it infiltrated a cybercriminal botnet of compromised Ubiquiti EdgeRouters and used it for espionage.

The FBI disrupted that botnet in January 2024, but Pawn Storm managed to move some of the bots to a new C&C server. Researchers also found a second, unrelated threat actor running Ngioweb malware on EdgeRouters as part of a different botnet.

Pawn Storm routinely leverages botnets it did not build, whether compromised from other criminals or rented commercially, for its own operations.


At the same time, cybercriminals routinely use poorly secured routers as malware hosts, which underlines how important hardening internet-facing routers has become.

Simultaneous activity found on compromised EdgeRouters

A criminal botnet targeting Linux devices since 2016 has been disrupted by the FBI.

The botnet uses bash/python scripts and SSHDoor malware to steal credentials, exploit default credentials, and establish persistent access on compromised devices. 

Statistics on Monero mining by a pool of VPS servers that are part of the botnet that was partially taken down by the FBI in January 2024

The botnet primarily targets EdgeRouters, but it can infect any Linux device, including VPS servers; on each victim it installs a SOCKS5 proxy and a Monero miner.


The malware relies on open-source tools such as MicroSocks (a small SOCKS5 proxy) and SSHDoor with only minimal modifications, which also leaves the compromised devices open to brute-force attacks by anyone else.

SSHDoor is a malicious version of the SSH server created by modifying legitimate OpenSSH source code, which steals login credentials by logging them to a file and allows unauthorized access through hardcoded passwords or SSH keys. 

SSHDoor patch inserted in the auth_password() function from the OpenSSH server

Detection is difficult because most of the binary's code is legitimate OpenSSH. The variant found on compromised EdgeOS routers accepts hardcoded credentials and logs every valid login to a file.

The backdoor password is stored in a variable named bdpassword2, and the log file is usually /tmp/.zZtemp; its contents may be encrypted.

Researchers at Trend Micro identified backdoored EdgeRouters by analyzing the SSH server banner and the algorithms the server advertises.

A legitimate OpenSSH build would not announce certain version strings, and would not offer certain ciphers at the version it claims to be.

Compromised EdgeRouter device distribution by model number

Backdoored devices have been found announcing unofficial OpenSSH version strings (6.0p1, 6.6.1p1, 8.2p2), and even official version strings combined with suspicious ciphers (blowfish-cbc advertised by OpenSSH 7.4p1 or later).
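The banner-and-cipher check described above, written out as an added example (this is not Trend Micro's tooling). The version strings and the blowfish-cbc/7.4p1 threshold are taken from the article; the sample banners and cipher lists are constructed, and the nmap ssh2-enum-algos script is mentioned only as one assumed source of the advertised cipher list.

```python
"""Flag SSH servers whose banner or advertised ciphers match the SSHDoor
indicators: unofficial OpenSSH version strings, or a legacy cipher offered
by a version that should no longer support it.

Added example, not Trend Micro's code. Indicators come from the article;
banners/cipher lists below are constructed test data."""
import re

# Version strings the article reports on backdoored EdgeRouters.
UNOFFICIAL_VERSIONS = {"6.0p1", "6.6.1p1", "8.2p2"}

# Ciphers a legitimate OpenSSH at/after this version would not advertise
# (article: blowfish-cbc on OpenSSH 7.4p1 or later).
LEGACY_CIPHERS = {"blowfish-cbc"}
LEGACY_CIPHER_CUTOFF = (7, 4)

# Matches "SSH-2.0-OpenSSH_7.4p1" and "SSH-2.0-OpenSSH_7.4p1 Debian-..."
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*p\d+)")


def parse_openssh_version(banner):
    """Return the portable version string (e.g. '7.4p1') or None if the
    banner is not an OpenSSH banner (Dropbear, commercial SSH, ...)."""
    m = BANNER_RE.match(banner.strip())
    return m.group(1) if m else None


def version_tuple(ver):
    """'7.4p1' -> (7, 4); '6.6.1p1' -> (6, 6, 1). Tuples compare naturally."""
    return tuple(int(x) for x in ver.split("p")[0].split("."))


def assess(banner, ciphers):
    """Return a list of indicator strings; an empty list means no known
    SSHDoor indicator. `ciphers` is the server's advertised cipher list, as
    obtained from a KEXINIT (assumption: e.g. nmap --script ssh2-enum-algos)."""
    ver = parse_openssh_version(banner)
    if ver is None:
        return ["banner is not an OpenSSH banner; inspect manually"]
    hits = []
    if ver in UNOFFICIAL_VERSIONS:
        hits.append(f"unofficial OpenSSH version string {ver}")
    # A legacy cipher is only an indicator once the claimed version is past
    # the cutoff; on genuinely old builds it is merely legacy, not a backdoor.
    if version_tuple(ver) >= LEGACY_CIPHER_CUTOFF:
        for c in sorted(LEGACY_CIPHERS & set(ciphers)):
            hits.append(f"{c} advertised by OpenSSH {ver}")
    return hits


def triage(scan_results):
    """scan_results: {host: (banner, [ciphers])} -> {host: [indicators]},
    keeping only hosts that raised at least one indicator."""
    out = {}
    for host, (banner, ciphers) in scan_results.items():
        hits = assess(banner, ciphers)
        if hits:
            out[host] = hits
    return out


# Constructed scan results (not real hosts).
SAMPLE_SCAN = {
    "192.0.2.10": ("SSH-2.0-OpenSSH_7.4p1", ["aes128-ctr", "aes256-gcm@openssh.com"]),
    "192.0.2.11": ("SSH-2.0-OpenSSH_8.2p2", ["aes128-ctr"]),
    "192.0.2.12": ("SSH-2.0-OpenSSH_7.4p1", ["blowfish-cbc", "aes128-ctr"]),
    "192.0.2.13": ("SSH-2.0-OpenSSH_6.6.1p1", ["blowfish-cbc"]),
    "192.0.2.14": ("SSH-2.0-dropbear_2019.78", ["aes128-ctr"]),
}

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_SCAN).items():
        print(host, "->", "; ".join(hits))
```

Note that 192.0.2.13 is flagged only for its version string: blowfish-cbc on a 6.x build is legacy but not by itself an indicator, which is why the cipher rule is gated on the claimed version. A hit from either rule justifies pulling the sshd binary off the device for comparison against the firmware's original.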

Of 177 devices analyzed, 80 were likely backdoored: they ran modified sshd binaries (some still with default passwords) and carried additional public keys for persistent access.
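A host-side triage for the artifacts named above (the /tmp/.zZtemp log, its path embedded in a modified sshd binary, and extra public keys in authorized_keys), as an added example rather than tooling from Trend Micro or Ubiquiti. The fixture that build_fixture() writes is constructed for the example; on a real device you would point triage() at the router's sshd binary and the user's authorized_keys. It assumes the log path survives in the binary as a plain string, so a miss on that check does not clear the binary.

```python
"""Host-side triage for SSHDoor artifacts on an EdgeOS router.

Added example, not vendor or Trend Micro code. Checks three things:
  1. does the credential log /tmp/.zZtemp exist,
  2. does the sshd binary contain that path as a plain string
     (assumption: the attacker left it unobfuscated, as `strings` would show),
  3. which authorized_keys entries are not on the operator's allowlist.
A clean result means "no known indicator", not "device is safe"."""
import os
import tempfile

LOG_PATH = "/tmp/.zZtemp"   # credential log reported in the article


def sshd_mentions_log_path(sshd_path):
    """True if the hardcoded log path appears in the binary's bytes."""
    with open(sshd_path, "rb") as f:
        return LOG_PATH.encode() in f.read()


def parse_authorized_keys(path):
    """Yield (key_type, key_blob, comment) per key line. Handles an options
    prefix such as 'no-pty ssh-rsa AAAA...' by locating the type token.
    (Simplification: options containing quoted spaces are not handled.)"""
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            for i, tok in enumerate(parts):
                if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                    yield tok, parts[i + 1], " ".join(parts[i + 2:])
                    break


def unexpected_keys(path, allowed_blobs):
    """(type, comment) of every key whose blob is not in the allowlist."""
    return [(t, c) for t, b, c in parse_authorized_keys(path) if b not in allowed_blobs]


def triage(sshd_path, authorized_keys_path, allowed_blobs, log_path=LOG_PATH):
    """log_path is where the log file is expected on disk (overridden by the
    fixture); the in-binary check always looks for the real LOG_PATH string."""
    return {
        "log_file_present": os.path.exists(log_path),
        "log_path_in_sshd": sshd_mentions_log_path(sshd_path),
        "unexpected_keys": unexpected_keys(authorized_keys_path, allowed_blobs),
    }


# Constructed fixture: placeholder key blobs, not real keys.
ADMIN_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEYPLACEHOLDER"
PLANTED_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLANTEDKEYPLACEHOLDER"


def build_fixture():
    """Write a fake sshd containing the log path, an authorized_keys with one
    known admin key plus one planted key, and an empty stand-in log file."""
    d = tempfile.mkdtemp()
    sshd = os.path.join(d, "sshd")
    with open(sshd, "wb") as f:
        f.write(b"\x7fELF\x00...legit code...\x00" + LOG_PATH.encode() + b"\x00")
    ak = os.path.join(d, "authorized_keys")
    with open(ak, "w") as f:
        f.write(f"ssh-ed25519 {ADMIN_BLOB} admin@console\n")
        f.write(f"no-pty ssh-ed25519 {PLANTED_BLOB} backup\n")
    log = os.path.join(d, ".zZtemp")   # stand-in for /tmp/.zZtemp
    open(log, "w").close()
    return sshd, ak, log


def demo():
    sshd, ak, log = build_fixture()
    return triage(sshd, ak, {ADMIN_BLOB}, log_path=log)


if __name__ == "__main__":
    print(demo())
```

The allowlist is keyed on the key blob rather than the comment, since an attacker can label a planted key "backup" or "admin" at will. Pair this with the network-side banner check: the binary check and the key check catch the two persistence mechanisms the report describes (modified sshd and extra keys) independently of each other.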

Law enforcement disrupted the botnet infrastructure Pawn Storm was using, but some compromised EdgeRouters stayed infected because of legal limitations and technical challenges.

Pawn Storm used those routers, alongside other compromised devices such as Raspberry Pi boards, to launch its attacks.

Pawn Storm credential phishing

Phishing campaigns, including one targeting Ukrainian ukr.net users, used compromised EdgeRouters to collect credentials and to anonymize the operators through SSH tunnels, again underlining the need to secure internet-facing routers.

A separate Linux botnet built on Ngioweb malware also infects EdgeRouters; its implant resides only in memory, making it stealthier than the threats previously observed on these devices.

That botnet is believed to be sold commercially as a residential proxy service, which highlights the growing importance of securing internet-facing devices such as SOHO routers, a target malicious actors are turning to more and more.


Tushar Subhra