Router Roulette: Criminals and Nation-States Sharing Compromised Networks

Compromised routers are becoming a meeting point where cybercriminals and state actors share a common goal: to hide their malicious activity and make detection difficult. This reality came to light following the discovery of a botnet of Ubiquiti EdgeRouter devices that had been operating since 2016, until the FBI and other international partners disrupted it in January 2024.

Common Interests between States and Cybercriminals

Compromised routers are not only rented out among cybercriminals or to commercial providers of residential proxies; they are also exploited by state-sponsored groups such as Pawn Storm, which accessed the botnet for its persistent espionage campaigns. In parallel, Sandworm, another state actor, used its own router botnet to conceal its movements.

The Proxy Infrastructure

The EdgeRouter botnet, which the FBI partially dismantled, had been in operation since at least 2016. It combined bash scripts, Python tooling, and other malicious programs such as SSHDoor, a backdoored SSH server that let the attackers harvest legitimate login credentials and keep persistent access. The botnet also included Raspberry Pi boards, other Linux devices, and Virtual Private Servers (VPS), some of which were used to mine cryptocurrencies such as Monero.

Disruption and Reorganization

Following the FBI intervention, the botnet operator migrated some of the compromised devices to new infrastructure, keeping the operation running. This shows that, despite law enforcement actions, cybercriminals find ways to adapt and retain access to these networks.

Threat Overlap

In addition to Pawn Storm, another significant threat, Ngioweb, is also present on some of the same routers, using advanced techniques to operate in memory and avoid leaving malicious files on disk. This overlap highlights the growing interest of multiple actors in exploiting compromised routers and servers to hide their activity.

Recommendations to Protect Routers

To mitigate the risk of being part of a compromised network, network administrators are advised to:

Ensure that routers are not exposed to incoming internet connections unless absolutely necessary.
Check for default credentials and change them to secure passwords.
Identify unnecessary open ports or suspicious configurations on the router.
Scan devices for malware to detect anomalous activity.
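The following script is an added example, not code from the article or from Trend Micro, of how an administrator might automate the first three checks above on a Linux-based router and add an integrity check for the SSH daemon (the kind of binary SSHDoor replaces). It assumes a constructed `ss -tuln`-style socket listing, a constructed login configuration, an assumed WAN address in the 203.0.113.0/24 documentation range, and an assumed list of vendor default usernames to flag; none of these values come from the article.

```python
"""Router exposure audit (added example, constructed sample inputs).

Checks performed:
  1. management services (SSH, Telnet, HTTP, HTTPS) reachable from the WAN side;
  2. login accounts still using a known vendor-default username;
  3. sshd binary hash compared against a previously recorded baseline.
"""
import hashlib
import re

# Constructed sample in the shape of `ss -tuln` output; not taken from any real device.
SAMPLE_LISTENERS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.1:80     0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.7:443    0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
"""
WAN_ADDRESS = "203.0.113.7"  # assumed WAN IP (TEST-NET-3 documentation range)

# Constructed login configuration excerpt (vendor-neutral "user <name> level <role>" lines).
SAMPLE_LOGIN_CONFIG = """\
user ubnt level admin
user admin level admin
user netops level admin
"""
DEFAULT_USERNAMES = {"ubnt", "admin", "root"}  # assumed list of vendor defaults to flag

MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def parse_listeners(text):
    """Parse (proto, address, port) triples from ss-style output, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)
        rows.append((proto, addr.strip("[]"), int(port)))
    return rows


def wan_exposed_services(text, wan_address):
    """Management services bound to a wildcard address or to the WAN IP itself.

    A service bound only to the LAN address (e.g. 192.168.1.1:80) is not flagged.
    """
    findings = []
    for proto, addr, port in parse_listeners(text):
        if proto != "tcp" or port not in MANAGEMENT_PORTS:
            continue
        if addr in WILDCARD_ADDRESSES or addr == wan_address:
            findings.append((port, MANAGEMENT_PORTS[port]))
    return sorted(findings)


def default_accounts(config):
    """Usernames in the login config that match a known vendor default."""
    names = re.findall(r"^user\s+(\S+)", config, re.MULTILINE)
    return sorted(n for n in names if n in DEFAULT_USERNAMES)


def baseline_digest(data):
    """SHA-256 hex digest to record for a known-good sshd binary."""
    return hashlib.sha256(data).hexdigest()


def sshd_integrity_ok(binary_bytes, baseline_sha256):
    """True when the current sshd bytes still match the recorded baseline."""
    return baseline_digest(binary_bytes) == baseline_sha256


def audit(listeners=SAMPLE_LISTENERS, wan_address=WAN_ADDRESS,
          login_config=SAMPLE_LOGIN_CONFIG):
    """Run the exposure and credential checks and return the findings."""
    return {
        "wan_exposed": wan_exposed_services(listeners, wan_address),
        "default_accounts": default_accounts(login_config),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a real device, replace the constructed samples with the output of `ss -tuln` and the device's own account list, and record `baseline_digest()` of `/usr/sbin/sshd` right after a clean firmware install so that later runs have something trustworthy to compare against.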

Cyber warfare has reached domestic and corporate networks through compromised routers, so it is essential to implement security practices to avoid being part of a botnet, whether it is used by a cybercriminal or a state actor.

Source and further information at Trend Micro.
