Hoplon InfoSec
20 Sep, 2024
Do you want to know how hackers hijack routers? A recent joint cybersecurity advisory from the FBI, Cyber National Mission Force (CNMF), and National Security Agency (NSA) has brought alarming news: hackers associated with the People’s Republic of China (PRC) have compromised thousands of internet-connected devices. This includes routers, firewalls, network-attached storage (NAS) devices, and various Internet of Things (IoT) devices, creating a vast botnet. This blog will explore the details of this advisory, the methods used by the hackers, and the recommended steps for organizations and individuals to protect themselves.
On September 18, 2024, the FBI, CNMF, and NSA released a comprehensive advisory detailing the activities of PRC-linked hackers. The advisory underscores the urgent need for device vendors, owners, and operators to enhance the security of their internet-connected devices. With the botnet’s reach extending across multiple continents, the implications of this threat are significant.
The compromised devices range from small office/home office (SOHO) routers to critical network infrastructure such as firewalls and NAS devices. By targeting these devices, the hackers have created a botnet capable of facilitating various malicious activities, including distributed denial of service (DDoS) attacks and unauthorized traffic routing.
As of June 2024, it was reported that the botnet consisted of over 260,000 devices. Victims span North America, South America, Europe, Africa, Southeast Asia, and Australia, highlighting the global nature of this cyber threat.
The hackers exploited several known vulnerabilities in devices from prominent vendors like Zyxel, Fortinet, and QNAP. By targeting these weaknesses, they were able to gain unauthorized access to the devices.
Once they compromised the devices, the hackers infected them with a customized version of Mirai malware. This notorious malware is designed to enable remote control of infected devices, allowing attackers to leverage them for various malicious purposes.
The botnet is managed by a company based in China called Integrity Technology Group. The advisory revealed that the botnet’s command and control (C2) servers utilize a tiered system of upstream management servers. These servers host a MySQL database containing detailed information about the compromised devices.
The attackers used specific IP addresses registered to China Unicom to access a management application known as “Sparrow.” This application allows them to interact with the botnet and issue commands to the compromised devices.
The advisory provides extensive details about the botnet’s infrastructure. It includes a list of subdomains associated with the C2 servers, as well as the specific vulnerabilities that were exploited to expand the botnet. Understanding this infrastructure is crucial for cybersecurity professionals aiming to counteract these threats.
The advisory emphasizes the importance of being aware of the specific vulnerabilities that were targeted. Device manufacturers and network defenders are encouraged to take note of these weaknesses to fortify their defenses.
In response to this growing threat, the advisory outlines several recommended actions for device owners and network defenders:
1. Disable Unused Services and Ports
Many devices come with unnecessary services and open ports that can be exploited. By disabling these, organizations can significantly reduce their attack surface.
2. Implement Network Segmentation
Network segmentation involves dividing a network into smaller parts to enhance security. This can limit the spread of malware within the network and contain any potential breaches.
3. Monitor Network Traffic
Regularly monitoring network traffic for unusual spikes can help detect botnet activity early. This is essential for timely intervention.
4. Apply Patches and Updates
Keeping devices updated with the latest patches is critical in mitigating vulnerabilities. Organizations should have a routine schedule for checking and applying updates.
5. Use Strong Passwords
Replacing default passwords with strong, unique passwords can prevent unauthorized access to devices. Password management tools can help in generating and storing complex passwords.
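Recommendation 3 asks defenders to watch for unusual traffic spikes, and recommendation 1 to keep unneeded services closed. The script below is an added example (written for this post, not code from Hoplon InfoSec or from the joint advisory) showing how a small monitor can turn those two recommendations into concrete findings: it compares each device's outbound volume for the day against its 7-day median and flags outbound traffic to ports the device is not expected to use. The device names, the per-device port profiles, the 5x spike threshold and every flow record are constructed sample data, not telemetry from any real network.

```python
"""Baseline-and-profile monitor for SOHO/IoT device egress traffic.

Added example, not from the Hoplon InfoSec post or the FBI/CNMF/NSA advisory.
All devices, port profiles, thresholds and flow records are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed 7-day outbound byte history per device (sample data, not real telemetry).
HISTORY = {
    "soho-router": [1.2e6, 1.1e6, 1.3e6, 1.0e6, 1.25e6, 1.15e6, 1.2e6],
    "nas-01":      [8.0e7, 7.5e7, 8.2e7, 7.9e7, 8.1e7, 7.7e7, 8.0e7],
    "ip-cam-03":   [3.0e5, 3.2e5, 2.9e5, 3.1e5, 3.0e5, 3.3e5, 3.0e5],
}

# Assumed per-device profile: the only destination ports each device should use outbound.
EXPECTED_PORTS = {
    "soho-router": {53, 80, 123, 443},
    "nas-01":      {53, 80, 443},
    "ip-cam-03":   {53, 443},
}

# Constructed flow records for the current day: (device, dst_ip, dst_port, bytes).
# Destination addresses use documentation ranges (RFC 5737), not real hosts.
TODAY_FLOWS = [
    ("soho-router", "203.0.113.10", 443, 9.0e5),
    ("soho-router", "203.0.113.53", 53, 2.0e4),
    ("nas-01", "198.51.100.7", 443, 1.0e7),
    ("nas-01", "192.0.2.45", 6667, 8.5e8),     # constructed: large transfer to an unusual port
    ("ip-cam-03", "198.51.100.7", 443, 2.5e5),
    ("ip-cam-03", "192.0.2.45", 2323, 4.0e4),  # constructed: camera talking on a non-profile port
]

SPIKE_RATIO = 5.0  # assumed threshold: today's bytes >= 5x the 7-day median counts as a spike


def summarize_flows(flows):
    """Aggregate outbound bytes and the set of destination ports per device."""
    bytes_by_dev = defaultdict(float)
    ports_by_dev = defaultdict(set)
    for dev, _dst, port, nbytes in flows:
        bytes_by_dev[dev] += nbytes
        ports_by_dev[dev].add(port)
    return bytes_by_dev, ports_by_dev


def detect_anomalies(history, expected_ports, flows, spike_ratio=SPIKE_RATIO):
    """Return a list of (device, finding) tuples that merit investigation.

    Two checks are applied per device:
      1. volume spike: today's outbound bytes versus the median of the history window;
      2. profile deviation: any destination port outside the device's expected set.
    Devices with history but no traffic today are reported too, since a device that
    goes silent may have been taken offline or blocked.
    """
    bytes_by_dev, ports_by_dev = summarize_flows(flows)
    findings = []
    for dev, total in bytes_by_dev.items():
        baseline = median(history.get(dev, [total]))
        if baseline > 0 and total / baseline >= spike_ratio:
            findings.append((dev, f"outbound volume spike: {total / baseline:.1f}x 7-day median"))
        for port in sorted(ports_by_dev[dev] - expected_ports.get(dev, set())):
            findings.append((dev, f"outbound traffic to unexpected port {port}"))
    for dev in history:
        if dev not in bytes_by_dev:
            findings.append((dev, "no outbound traffic seen today (offline or blocked?)"))
    return findings


if __name__ == "__main__":
    for device, finding in detect_anomalies(HISTORY, EXPECTED_PORTS, TODAY_FLOWS):
        print(f"[{device}] {finding}")
```

On the constructed data the router stays quiet, while the NAS is reported both for a tenfold volume spike and for traffic on port 6667, and the camera for port 2323; those are exactly the findings that would justify the "disconnect, factory reset, patch" response described later in this post. In a real deployment the flow records would come from a router's NetFlow/sFlow export or a firewall log rather than an inline list, and the port profiles should be built from a known-clean observation window rather than guessed.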
This advisory highlights a growing trend of state-sponsored cyberattacks targeting both private and public sectors. The use of compromised IoT devices in creating botnets demonstrates the evolving landscape of cyber threats. Organizations must remain vigilant and proactive in their cybersecurity strategies.
As cyber threats become more sophisticated, robust cybersecurity measures are essential. Organizations should invest in training employees, implementing comprehensive security protocols, and employing advanced monitoring tools.
The joint advisory from the FBI, CNMF, and NSA serves as a critical wake-up call for organizations and individuals alike. The compromised botnet, managed by PRC-linked hackers, poses significant risks to data security and system integrity. Immediate action is required to secure devices and prevent further compromises.
The botnet consists of thousands of compromised IoT devices, routers, and other network equipment, allowing the hackers to conduct malicious activities such as DDoS attacks.
Signs of compromise may include unusual network traffic, device behavior changes, or the inability to access your device normally. Regularly monitoring your devices is crucial.
Immediately disconnect the device from the internet and perform a factory reset. Follow up by checking for updates and security patches before reconnecting.
Yes, the advisory highlights several known vulnerabilities in devices from vendors like Zyxel, Fortinet, and QNAP. Ensure you are familiar with these and have taken steps to secure your devices.
Network segmentation helps limit the spread of malware within an organization’s network, enhancing overall security by isolating different parts of the network.