Monday, December 16, 2024
Homecyber securityThreat Actors Renting Out Compromised Routers To Other Criminals

Threat Actors Renting Out Compromised Routers To Other Criminals

Published on

SIEM as a Service

APT actors and cybercriminals both exploit proxy anonymization layers and VPN nodes to mask their malicious activities, while Pawn Storm, a well-known APT group, infiltrated a cybercriminal botnet of compromised Ubiquiti EdgeRouters in 2022 and used it for espionage. 

The FBI disrupted the botnet in January 2024, but Pawn Storm was able to move some bots to a new C&C server and found another threat actor using Ngioweb malware on EdgeRouters for a different botnet. 

They leverage various compromised or commercial botnets for their operations.

- Advertisement - SIEM as a Service

At the same time, cybercriminals often use poorly secured routers for malware installation, highlighting the importance of strong security measures for internet-facing routers. 

 Simultaneous activity found on compromised EdgeRouters

A criminal botnet targeting Linux devices since 2016 has been disrupted by the FBI.

The botnet uses bash/python scripts and SSHDoor malware to steal credentials, exploit default credentials, and establish persistent access on compromised devices. 

Statistics on Monero mining by a pool of VPS servers that are part of the botnet that was partially taken down by the FBI in January 2024

It also infects VPS and routers when installing the SOCKS5 proxy and mining Monero cryptocurrency by targeting EdgeRouters, but it can infect any Linux device.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

The malware uses open-source tools like MicroSocks and SSHDoor with minimal modifications, making them vulnerable to brute-force attacks.

SSHDoor is a malicious version of the SSH server created by modifying legitimate OpenSSH source code, which steals login credentials by logging them to a file and allows unauthorized access through hardcoded passwords or SSH keys. 

SSHDoor patch inserted in the auth_password() function from the OpenSSH server

It makes detection difficult because most of its code is legitimate as a variant that accepts hardcoded credentials and logs valid ones to a file on compromised EdgeOS routers.

The password is stored in a variable named bdpassword2, and the log file is usually /tmp/.zZtemp, which can be encrypted. 

Researchers at Trend Micro identified a backdoor targeting EdgeRouters by analyzing SSH server banners and algorithms supported.

Legitimate OpenSSH versions wouldn’t use specific versions or support certain ciphers. 

Compromised EdgeRouter device distribution by model number

Backdoored devices have been found using unofficial OpenSSH versions (6.0p1, 6.6.1p1, 8.2p2) and even official versions with suspicious ciphers (blowfish-cbc for OpenSSH 7.4p1 or later).

They analyzed 177 devices and found 80 likely backdoored with modified sshd binaries (some with default passwords) and additional public keys for persistent access. 

Law enforcement disrupted Pawn Storm’s botnet infrastructure but some compromised EdgeRouters remained due to legal limitations and technical challenges.

Pawn Storm and other compromised devices like the Raspberry Pi exploited these to launch attacks. 

Pawn Storm credential phishing

Phishing campaigns like one targeting Ukrainian ukr.net users leveraged compromised EdgeServers for credential collection and anonymization via SSH tunnels, highlighting the importance of securing internet-facing routers. 

Linux botnets targeting EdgeRouters infected with Ngioweb malware reside only in memory, making them stealthier than previously observed threats. 

The botnet is believed to be commercially available for use as a residential proxy service, which highlights the growing importance of securing internet-facing devices like SOHO routers, which are increasingly targeted by malicious actors.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

The Rise of AI-Generated Professional Headshots

It’s clear that a person’s reputation is increasingly influenced by their online presence, which...

Hackers Abuse Google Ads To Attacking Graphic Design Professionals

Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals,...

Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in...

Hackers Exploiting Apache Struts2 Vulnerability to Upload Malicious Payloads

Hackers have begun exploiting a newly discovered vulnerability in Apache Struts2, a widely used...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Hackers Abuse Google Ads To Attacking Graphic Design Professionals

Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals,...

Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in...

Hackers Exploiting Apache Struts2 Vulnerability to Upload Malicious Payloads

Hackers have begun exploiting a newly discovered vulnerability in Apache Struts2, a widely used...