Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attacks throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye, but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.
I'm absolutely not surprised by this. Routers are computers too, with storage (albeit limited), RAM, CPU, and other I/O. If someone pwns a router, there is a lot they can do with it, from having a staging ground for attacks, to dropping packets at random to cause consternation on the target's network, to even MITM-ing internal HTTP web traffic and adding malware payloads.
How to fix? Just as with anything security related, there is no magic bullet. Router makers are going to have to go back to the drawing board when it comes to security to keep their good names, ensuring unauthorized modifications of the router OS are protected against. Companies should start looking at policies such as requiring critical internal machines to run OS firewalls in addition to network firewalling and segmentation.