Black Lotus Labs uncovers another new malware that targets compromised routers
Black Lotus Labs of Lumen Technologies (NYSE: LUMN) has identified a new malware campaign, HiatusRAT, that has been targeting business-grade routers since June 2022. The campaign primarily affects DrayTek Vigor models 2960 and 3900: around 4,100 such devices are exposed on the internet, and about 100 have been compromised across Latin America, Europe and North America. The malware captures traffic transiting the infected router and forwards it to actor-controlled infrastructure, while also converting the device into a proxy bot for the adversary's traffic. Following the discovery, Lumen null-routed the campaign's command and control servers across its backbone and added the indicators of compromise to its security product portfolio.
- Identification of a new malware campaign, HiatusRAT, enhances Lumen's reputation as a leading cybersecurity provider.
- Proactive measures taken by Black Lotus Labs, including blocking of Hiatus C2s, could reduce potential customer vulnerabilities.
- Approximately 100 routers compromised indicates a significant security breach risk for customers.
- Targeting of end-of-life DrayTek router models points to a broader exposure: unsupported edge devices that no longer receive security updates.
HiatusRAT has been targeting business-grade routers to covertly spy on victims since June 2022. The finding follows Black Lotus Labs' earlier research on ZuoRAT, a novel malware which targeted SOHO (small office/home office) routers.
Some of the industries targeted in the Hiatus campaign include pharmaceuticals and IT services and consulting firms. Researchers suspect the IT firms were chosen to give the threat actor downstream access to the victims' customers' environments.
Read the full research report: New HiatusRAT router malware covertly spies on victims
"The rise of hybrid work has led to increased dependency on relatively low-cost routers that enable VPN access – especially for many small- and medium-sized businesses," said Dehus.
HiatusRAT research findings:
- The threat actors behind the Hiatus campaign primarily target DrayTek Vigor router models 2960 and 3900 that have reached end of life.
- As of mid-February 2023, approximately 4,100 DrayTek models 2960 and 3900 were exposed on the internet, and Hiatus had compromised approximately 100 of them in Latin America, Europe and North America.
- Upon infection, the malware intercepts data transiting the infected router. It does this by deploying a binary that captures network packets from the compromised device and sends them to actor-controlled infrastructure.
- At the same time, the malware deploys a Remote Access Trojan (RAT) dubbed "HiatusRAT" which displays a highly unusual feature: it converts the compromised machine into a bot that can proxy malicious traffic transmitted by the adversary to victims on additional networks.
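Both behaviours in the findings above share one observable: the router itself starts originating connections, either to push captured packets to actor-controlled infrastructure or to relay the adversary's traffic onward. The following is an added example, not code from Lumen or Black Lotus Labs, of a flow-based heuristic that looks for exactly that. It reads NetFlow-style records (constructed here, not real telemetry), ignores traffic that merely transits the router, and flags flows the router originates to external destinations outside an allowlist. The router address, allowlist, thresholds and record format are all assumptions to be replaced with your own, and no real HiatusRAT indicators are used.

```python
"""
Flow-based heuristic for spotting a router that has started originating
traffic of its own.

Added example (not Lumen / Black Lotus Labs code). A healthy edge router
rarely originates connections beyond a short list of services (NTP, DNS,
vendor updates, its VPN peer). A router forwarding captured packets to
attacker infrastructure, or proxying an attacker's traffic to other
networks, shows up as router-sourced flows to unexpected external hosts.
Everything below (addresses, allowlist, thresholds, record format) is an
assumption for illustration; no real campaign indicators are used.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed router WAN address and allowlist (RFC 5737 documentation ranges).
ROUTER_IP = ipaddress.ip_address("192.0.2.1")
ALLOWED = {
    (ipaddress.ip_address("198.51.100.10"), 123),  # assumed NTP server
    (ipaddress.ip_address("198.51.100.53"), 53),   # assumed upstream resolver
}
# Assumed internal prefixes; router-to-LAN management traffic is out of scope.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,dport,proto,bytes' record (assumed export format)."""
    src, dst, dport, proto, nbytes = (f.strip() for f in line.split(","))
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower(), int(nbytes))


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines, bulk_bytes: int = 1_000_000, fanout_threshold: int = 5):
    """
    Return (findings, fanout_alert).

    findings: list of (reason, Flow) for router-originated flows to external,
      non-allowlisted destinations. reason is 'bulk-upload' when the byte
      count is large enough to suggest captured packets being forwarded,
      otherwise 'unexpected-origin'.
    fanout_alert: True when the router reached at least fanout_threshold
      distinct unexpected external hosts, the shape you would expect if it
      is relaying someone else's traffic rather than serving its own needs.
    """
    findings = []
    unexpected_dests = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        flow = parse_flow(line)
        if flow.src != ROUTER_IP:
            continue  # transit traffic from LAN hosts is the router's normal job
        if is_internal(flow.dst) or (flow.dst, flow.dport) in ALLOWED:
            continue
        unexpected_dests.add(flow.dst)
        reason = "bulk-upload" if flow.nbytes >= bulk_bytes else "unexpected-origin"
        findings.append((reason, flow))
    return findings, len(unexpected_dests) >= fanout_threshold


# Constructed sample export; all addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = """
192.168.1.20,203.0.113.7,443,tcp,48211     # LAN host browsing via the router: normal transit
192.0.2.1,198.51.100.10,123,udp,96         # router NTP: allowlisted
192.0.2.1,198.51.100.53,53,udp,412         # router DNS: allowlisted
192.0.2.1,203.0.113.77,8443,tcp,4200000    # router pushing 4 MB to an unknown host
192.0.2.1,203.0.113.5,25,tcp,1200          # router opening connections to several unknown hosts
192.0.2.1,203.0.113.6,25,tcp,1150
192.0.2.1,203.0.113.8,25,tcp,1300
192.0.2.1,203.0.113.9,25,tcp,1180
192.0.2.1,192.168.1.10,22,tcp,900          # router to internal host: out of scope here
""".strip().splitlines()

if __name__ == "__main__":
    found, fanout = analyse(SAMPLE_FLOWS)
    for reason, f in found:
        print(f"{reason:17} {f.src} -> {f.dst}:{f.dport}/{f.proto} {f.nbytes} bytes")
    print("fan-out alert:", fanout)
```

On the constructed sample the bulk upload and the four connections to unknown hosts are flagged, and the fan-out alert fires because five distinct unexpected destinations were reached. The allowlist is deliberately keyed on (destination, port) pairs so that a known NTP server being contacted on an unusual port is still reported; in practice the allowlist comes from the router's documented update and VPN endpoints, and the byte threshold from a baseline of the device's own normal traffic.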
Dehus continued, "The discovery of Hiatus confirms that actors are continuing to pursue router exploitation. These campaigns demonstrate the need to secure the router ecosystem, and routers should be regularly monitored, rebooted, and updated, while end-of-life devices should be replaced."
Black Lotus Labs' response:
- Black Lotus Labs has null-routed Hiatus C2s across the Lumen global backbone and added the Indicators of Compromise (IoCs) from this campaign into Rapid Threat Defense® – the automated threat detection and response capability that fuels Lumen's security product portfolio by blocking threats before they reach the customer's network.
- The team will continue to monitor for new Hiatus infrastructure, targeting activity, and expanding tactics, techniques and procedures (TTPs), and share this information with the security research community.
Recommendations:
- Consumers with self-managed routers should follow best practices and regularly monitor, reboot, and install security updates and patches. End-of-life devices should be replaced.
- Businesses should consider comprehensive Secure Access Service Edge (SASE) or similar solutions that utilize VPN-based access to protect data and bolster their security posture.
- Users should only use secure email services that help protect data in transit.
Additional Resources:
- Read the full HiatusRAT blog titled: New HiatusRAT router malware covertly spies on victims.
- See Black Lotus Labs' ZuoRAT research: ZuoRAT hijacks SOHO routers to silently stalk networks.
- For more Black Lotus Labs research, visit the blog archive.
- See how Black Lotus Labs sees more, so we can stop more.
- Learn how to simplify network access, security and management with SASE solutions on the Lumen Platform.
About Lumen:
Lumen is guided by our belief that humanity is at its best when technology advances the way we live and work. With approximately 400,000 route fiber miles and serving customers in more than 60 countries, we deliver the fastest, most secure platform for applications and data to help businesses, government and communities deliver amazing experiences. Learn more about the Lumen network, edge cloud, security, communication and collaboration solutions and our purpose to further human progress through technology at news.lumen.com/home, LinkedIn: /lumentechnologies,
View original content to download multimedia:https://www.prnewswire.com/news-releases/black-lotus-labs-uncovers-another-new-malware-that-targets-compromised-routers-301762772.html
SOURCE Lumen Technologies