Black Lotus Labs uncovers hacktivist campaign that used a misconfigured router to spread an anti-government manifesto

Rhea-AI Summary

Black Lotus Labs, part of Lumen Technologies (NYSE: LUMN), identified a hacktivist campaign exploiting misconfigured routers to spread an anti-government manifesto. This incident, revealed on June 4, 2021, involved over 18,000 devices globally at risk due to vulnerabilities. The attackers compromised routers starting May 13, 2021, altering configurations and replacing them with propaganda. Despite past recommendations for configuration security, the risk remains significant as Black Lotus Labs continues to monitor the threat.

Positive

• Black Lotus Labs promptly null-routed the malicious IPs across Lumen's global network.
• Provided recovery recommendations for affected organizations.

Negative

• Over 18,000 devices remain exposed to potential attacks.
• Misconfiguration vulnerabilities persist despite prior recommendations since 2017.

DENVER, June 4, 2021 /PRNewswire/ -- Black Lotus Labs®, the threat intelligence arm of Lumen Technologies (NYSE: LUMN), recently uncovered a hacktivist campaign that leveraged misconfigured routers and switches to distribute an anti-government manifesto.

More than 18,000 devices worldwide are still exposed to the potential abuse.

Details of the research findings are contained in the latest Black Lotus Labs blog.

Overview of the Attack

• On and around May 13, 2021, the attacker gained access to the victims' routers and switches due to a misconfiguration that exposed control of the devices to the internet.
• This external exposure allowed the threat actor to remotely alter the victims' configuration files, which rendered the routers unusable.
• Victims who attempted to fix the compromised file found that it had been replaced with approximately six pages of an anti-government manifesto.

Additional Key Findings

• Abusing the misconfigured router to gain access to the victims' configurations is not a new tactic, and recommendations for properly configuration the routers and switches were published in 2017.
• Despite this, more than 18,000 devices around the world are still exposed,¹ and Black Lotus Labs has identified more than 800 unique scanners looking for the misconfigured equipment– and potential victims.

The Black Lotus Labs Response and Recommendations
Black Lotus Labs null-routed the malicious IP address across the Lumen global network and added it to a block list for its security customers.

The company also offered recommendations for organizations that had already been attacked, and those that have misconfigured routers. "Victims can recover from this attack by rebuilding their router configuration, and either disabling or limiting the ability to manage the device remotely," said Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs. "In the meantime, we will continue to look for attackers abusing this protocol."

More information about Black Lotus Labs can be found at www.lumen.com/blacklotuslabs.

Other Recent Threat Intelligence Blogs from Black Lotus Labs

• Tracking UDP Reflectors for a Safer Internet
• Newly Discovered Watering Hole Attack Targets Ukrainian, Canadian Organizations
• The Reemergence of Ransom-Based Distributed Denial of Service (RDDoS) Attacks

About Lumen Technologies:
Lumen is guided by our belief that humanity is at its best when technology advances the way we live and work. With approximately 450,000 route fiber miles and serving customers in more than 60 countries, we deliver the fastest, most secure platform for applications and data to help businesses, government and communities deliver amazing experiences. Learn more about the Lumen network, edge cloud, security, communication and collaboration solutions and our purpose to further human progress through technology at news.lumen.com/home, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies and YouTube: /lumentechnologies. Lumen and Lumen Technologies are registered trademarks of Lumen Technologies LLC in the United States. Lumen Technologies LLC is a wholly owned affiliate of Lumen Technologies Inc. 

¹ According to ShadowServer, a foundation that scans the internet for publicly accessible devices that are running this vulnerability. https://scan.shadowserver.org/smartinstall/ 

Services not available everywhere. Business customers only. Lumen may change, cancel or substitute products and services, or vary them by service area at its sole discretion without notice. ©2020 Lumen Technologies. All Rights Reserved.

View original content to download multimedia:http://www.prnewswire.com/news-releases/black-lotus-labs-uncovers-hacktivist-campaign-that-used-a-misconfigured-router-to-spread-an-anti-government-manifesto-301306120.html

SOURCE Lumen Black Lotus Labs

FAQ

What did Black Lotus Labs discover on June 4, 2021, regarding Lumen (LUMN)?

On June 4, 2021, Black Lotus Labs uncovered a hacktivist campaign that exploited misconfigured routers to distribute an anti-government manifesto.

How many devices are still exposed to the vulnerabilities identified by Black Lotus Labs?

More than 18,000 devices worldwide are still exposed to potential abuse due to misconfigured routers.

When did the hacktivist campaign that affected Lumen (LUMN) devices begin?

The attack began on and around May 13, 2021.

What actions did Black Lotus Labs take in response to the hacktivist campaign?

Black Lotus Labs null-routed the malicious IP address and added it to a block list for its security customers.

What can organizations do to recover from the router configuration attack?

Organizations can rebuild their router configurations and limit remote management capabilities to recover from the attack.