

Ethical Hacking News

FBI Warns of Exploitable End-of-Life Routers Hijacked for Cybercrime Proxy Networks



The FBI warns that end-of-life routers are being hijacked for cybercrime proxy networks. Threat actors are exploiting vulnerabilities in these outdated devices to create malicious traffic routes and conduct nefarious activities.

  • The FBI is warning about a growing threat where malicious actors are exploiting end-of-life (EoL) routers to create cybercrime proxy networks.
  • EoL routers, which no longer receive security updates, can be compromised using publicly available exploits and are vulnerable to external attacks that inject persistent malware.
  • Infected routers are added to residential proxy botnets that route malicious traffic for nefarious activities or cyberattacks.
  • The FBI has identified several EoL Linksys and Cisco models targeted by Chinese state-sponsored actors, who used known vulnerabilities to conduct covert espionage campaigns.
  • The infected routers often run a variant of the "TheMoon" malware, which enables threat actors to configure them as proxies and connect to command and control (C2) servers.
  • Common signs of compromise include network connectivity disruptions, overheating, performance degradation, configuration changes, and unusual network traffic.
  • The best course of action is to replace EoL routers with newer, supported models; where that is not possible, apply the latest vendor firmware update, change the admin credentials, and turn off remote administration panels.



The Federal Bureau of Investigation (FBI) has issued a flash advisory warning the public of a growing threat in which malicious actors are exploiting end-of-life (EoL) routers to create cybercrime proxy networks. This alarming development highlights the vulnerability of these outdated devices, which have been compromised by threat actors using publicly available exploits.

These devices, released many years ago and no longer receiving security updates from their vendors, are vulnerable to external attacks that can inject persistent malware. Once infected, they are added to residential proxy botnets that route malicious traffic, often used by cybercriminals for nefarious activities or cyberattacks.

According to the FBI Flash advisory, the 5Socks and Anyproxy networks are selling access to compromised routers as proxies for customers to purchase and use. This allows threat actors to obfuscate their identity or location, further complicating efforts to track down and apprehend the perpetrators of these malicious activities.

The advisory specifically identifies several EoL Linksys and Cisco models that have been targeted by Chinese state-sponsored actors, who have exploited known (n-day) vulnerabilities in these routers to conduct covert espionage campaigns. This includes operations targeting critical U.S. infrastructure.

In a related bulletin, the FBI confirms that many of these compromised routers also run a variant of the "TheMoon" malware, which enables threat actors to configure them as proxies. The advisory states that end-of-life routers were breached by cyber actors using variants of the TheMoon malware botnet. Recently, some end-of-life routers with remote administration turned on were identified as compromised by a new variant of TheMoon. This malware allows cyber actors to install proxies on unsuspecting victims' routers and conduct cyber crimes anonymously.

The infected routers then connect to command and control (C2) servers to receive commands to execute, such as scanning for and compromising vulnerable devices on the Internet. The proxies are used to evade detection during cryptocurrency theft, cybercrime-for-hire activities, and other illegal operations.

Common signs of compromise by a botnet include network connectivity disruptions, overheating, performance degradation, configuration changes, the appearance of rogue admin users, and unusual network traffic. To mitigate this risk, the best course of action is to replace end-of-life routers with newer, actively supported models. If that is impossible, it is recommended to apply the latest firmware update for your model, sourced from the vendor's official download portal, change the default admin account credentials, and turn off remote administration panels.

The FBI has also shared indicators of compromise associated with the malware installed on EoL devices.
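The signs of compromise and mitigations above can be turned into a repeatable check. The script below is an added example written for this article, not code from the FBI advisory, the news site or any router vendor. It audits a router's exported settings for the configuration-side indicators (unsupported or outdated firmware, remote administration left on, a default admin password, admin accounts the owner never created) and separately summarises the sessions the router opens from its own WAN address, since a device enrolled in a residential proxy network originates connections to many unrelated hosts instead of only forwarding LAN traffic. The settings dictionary and its key names, the placeholder model "EXAMPLE-ROUTER-1000", the firmware table, the expected-admin set and the flow records are all constructed for the example; the fan-out threshold is a starting point to tune against a baseline of the device's normal behaviour.

```python
"""Audit a SOHO router's exported settings and its own outbound flow records
for the compromise indicators named in the advisory.

Added illustration, not code from the advisory or any vendor: the settings
dictionary, the key names, the placeholder model and the flow records are
all constructed for the example.
"""

# Constructed: a parsed settings export. Key names are assumptions, not a
# real vendor format. The second admin account is the planted one.
SAMPLE_CONFIG = {
    "model": "EXAMPLE-ROUTER-1000",   # placeholder model name
    "firmware_version": "1.0.02",
    "remote_admin_enabled": True,
    "admin_users": ["admin", "support_tmp"],
    "admin_password": "admin",
}

# Constructed reference data an operator would maintain themselves.
EXPECTED_ADMINS = {"admin"}
DEFAULT_PASSWORDS = {"admin", "password", ""}
# Latest vendor firmware per model; a model absent from this table has no
# supported firmware at all and is treated as end-of-life.
LATEST_FIRMWARE = {"EXAMPLE-ROUTER-1000": "1.0.05"}
ROUTER_WAN_IP = "192.0.2.1"

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out), as a flow
# collector on the WAN side might emit. Two benign sessions the router makes
# itself (time sync, update check) plus a burst of sessions to 30 unrelated
# hosts, the pattern a proxy node produces while relaying customer traffic.
SAMPLE_FLOWS = [
    ("192.0.2.1", "203.0.113.10", 123, 90),
    ("192.0.2.1", "203.0.113.20", 443, 1500),
] + [("192.0.2.1", f"198.51.100.{i}", 443, 4000 + i) for i in range(1, 31)]


def _version(text):
    """'1.0.02' -> (1, 0, 2) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_config(cfg, expected_admins=EXPECTED_ADMINS,
                 default_passwords=DEFAULT_PASSWORDS,
                 latest_firmware=LATEST_FIRMWARE):
    """Return a list of findings derived from the device settings alone."""
    findings = []
    model = cfg.get("model")
    latest = latest_firmware.get(model)
    current = cfg.get("firmware_version", "0")
    if latest is None:
        findings.append(f"{model}: no supported firmware; treat as end-of-life and replace")
    elif _version(current) < _version(latest):
        findings.append(f"firmware {current} is behind vendor release {latest}; "
                        "update from the vendor's official portal")
    if cfg.get("remote_admin_enabled"):
        findings.append("remote administration is enabled; turn it off")
    if cfg.get("admin_password") in default_passwords:
        findings.append("admin account still uses a default password; change it")
    for user in sorted(set(cfg.get("admin_users", [])) - set(expected_admins)):
        findings.append(f"unexpected admin user '{user}'; investigate and remove")
    return findings


def audit_flows(flows, router_ip=ROUTER_WAN_IP, max_distinct_hosts=10):
    """Summarise sessions the router originates itself and flag proxy-like fan-out.

    A healthy router mostly forwards LAN traffic; its own sessions are few.
    A node enrolled in a proxy network opens sessions to whatever hosts the
    operators' customers direct it at, so many distinct destinations from the
    router's own address is the signal worth alerting on.
    """
    own = [f for f in flows if f[0] == router_ip]
    hosts = {dst for _, dst, _, _ in own}
    bytes_out = sum(b for *_, b in own)
    findings = []
    if len(hosts) > max_distinct_hosts:
        findings.append(f"router itself contacted {len(hosts)} distinct hosts "
                        f"({bytes_out} bytes out); proxy-like fan-out")
    return {"distinct_hosts": len(hosts), "bytes_out": bytes_out, "findings": findings}


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG) + audit_flows(SAMPLE_FLOWS)["findings"]:
        print("FINDING:", line)
```

Run against the constructed sample, the configuration audit reports all four settings-side indicators and the flow audit reports the 32-host fan-out; against a clean configuration and only the two benign sessions, both return nothing. The firmware check is the one that matters most here: when a model has no entry in the supported-firmware table, the only finding it can produce is "replace the device", which mirrors the advisory's first recommendation.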



    Related Information:
  • https://www.ethicalhackingnews.com/articles/FBI-Warns-of-Exploitable-End-of-Life-Routers-Hijacked-for-Cybercrime-Proxy-Networks-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hacked-for-cybercrime-proxy-networks/

  • https://www.waterisac.org/portal/tlpclear-fbi-cyber-criminal-services-target-end-life-routers-launch-attacks-and-hide-their

  • https://www.ic3.gov/PSA/2025/PSA250507

  • https://blog.lumen.com/the-darkside-of-themoon/


Published: Thu May 8 18:57:27 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.