The Federal Bureau of Investigation (FBI) has issued a FLASH alert warning organizations and individuals about a surge in cyberattacks targeting end-of-life (EOL) network routers.
The attacks, linked to the 5Socks and Anyproxy cyber criminal services, exploit known vulnerabilities in outdated routers to install malware, create botnets, and sell illicit proxy services, posing a significant threat to network security and critical infrastructure.
Attack Overview and Technical Details
EOL routers have reached the end of their vendor support lifecycle and no longer receive security updates or patches.
This makes them prime targets for cybercriminals, who leverage unpatched vulnerabilities to gain unauthorized access.
According to the FBI, attackers use remote management interfaces, which are often left enabled by default, to bypass authentication and upload malicious software.
Once compromised, the malware grants the attacker root access, allowing configuration changes and persistent control over the device.
The infected routers are then absorbed into a botnet, a network of hijacked devices controlled by the threat actors.
These botnets serve multiple purposes, including launching coordinated cyberattacks and providing proxy services that mask the true origin of malicious traffic.
Technical Indicators and Malware Artifacts
The FBI alert highlights several technical indicators of compromise (IOCs), including unique file hashes and filenames associated with the router malware campaign. Notable examples include:
- Hash: 661880986a026eb74397c334596a2762, File: 0_forumdisplay-php_sh_gn-37-sh
- Hash: 62204e3d5de02e40e9f2c51eb991f4e8, File: 1_banana.gif_to_elf_t
- Hash: 9f0f0632b8c37746e739fe61f373f795, File: 2_multiquote_off.gif_to_elf_gn-p_forward-hw-data-to-exploit-server
The malware communicates with a command and control (C2) server through a two-way handshake protocol, performing regular check-ins (every 60 seconds to five minutes) to maintain persistence and open ports for proxy access.
This enables threat actors to rent out compromised routers as anonymizing proxies, further complicating efforts to trace cybercriminal activity.
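The regular check-in cadence described above (one contact to the same destination every 60 seconds to five minutes) is itself a detectable pattern in flow or firewall logs. The following script is an added example, not part of the FBI alert or the article: it groups constructed flow records by (source, destination, port), measures the spacing between connections, and flags tuples whose intervals fall in that window with machine-like regularity. The log format and the IP addresses are assumptions for the example.

```python
"""Flag router-to-C2 beaconing in flow logs by interval regularity.

Added example. Assumed log format, one flow per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port>
The sample records below are constructed: 10.0.0.1 (a router) contacts
203.0.113.5:8080 roughly every 90 s, while 10.0.0.7 browses irregularly.
"""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_FLOWS = """\
1700000000 10.0.0.1 203.0.113.5 8080
1700000090 10.0.0.1 203.0.113.5 8080
1700000181 10.0.0.1 203.0.113.5 8080
1700000270 10.0.0.1 203.0.113.5 8080
1700000360 10.0.0.1 203.0.113.5 8080
1700000451 10.0.0.1 203.0.113.5 8080
1700000012 10.0.0.7 198.51.100.20 443
1700000013 10.0.0.7 198.51.100.21 443
1700000400 10.0.0.7 198.51.100.22 443
1700000401 10.0.0.7 198.51.100.20 443
"""


def parse_flows(text):
    """Group connection timestamps by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    return flows


def find_beacons(flows, min_interval=60, max_interval=300,
                 min_samples=5, max_jitter=0.2):
    """Return [(key, mean_interval)] for tuples that look like check-ins.

    A tuple is flagged when it has at least min_samples connections, the
    average gap lies in [min_interval, max_interval] (the 60 s to 5 min
    window named in the alert) and the gaps are tightly clustered
    (coefficient of variation <= max_jitter). Human browsing rarely
    produces such regular spacing to one endpoint.
    """
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_samples:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if not (min_interval <= avg <= max_interval):
            continue
        if pstdev(gaps) / avg > max_jitter:
            continue
        hits.append((key, avg))
    return hits


if __name__ == "__main__":
    for (src, dst, port), avg in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"beacon candidate: {src} -> {dst}:{port} every ~{avg:.0f}s")
```

The thresholds are starting points, not verdicts: a router that is being rented as a proxy will also carry bursty customer traffic to many destinations, so the regular low-volume check-in to one host is usually the cleaner signal, and an alert should be confirmed against the destination and the FBI-published IOCs before acting.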
Vulnerable Devices and Exploitation Methods
The alert lists several router models known to be vulnerable, including but not limited to:
- Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, WRT320N, E1550, WRT610N, E100, M10, WRT310N
Attackers exploit these devices by uploading malware through remote administration features, even when password-protected.
In some cases, Chinese cyber actors have used these techniques to establish botnets for concealing intrusions into U.S. critical infrastructure.
Mitigation and Recommendations
The FBI strongly advises organizations and individuals to:
- Identify and replace any EOL routers in their network with supported models that receive regular security updates.
- Disable remote administration features on all network devices.
- Reboot routers after disabling remote management to remove active malware.
- Monitor for unusual network activity and consult the list of IOCs provided by the FBI.
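The recommendations above can be turned into a repeatable inventory check. The script below is an added example rather than anything published by the FBI: it takes a constructed device inventory, marks devices whose model appears in the alert's EOL list, flags remote administration that is still enabled, and matches any file hash recovered from a device against the three hashes quoted in the alert. The inventory line format, the vendor/model tokens and the hash values other than the FBI-listed ones are assumptions for the example.

```python
"""Audit a router inventory against the FBI FLASH recommendations.

Added example. Assumed inventory export, one device per line:
    <vendor> <model> remote_admin=<on|off> file_md5=<32 hex chars>
file_md5 is the hash of a file recovered from the device (32 hex
characters, the length of the hashes quoted in the alert). Rows below are
constructed; only the model list and the three IOC hashes come from the
alert as reported.
"""
import re

# Models named in the alert (Linksys).
EOL_MODELS = {
    "E1200", "E2500", "E1000", "E4200", "E1500", "E300", "E3200",
    "WRT320N", "E1550", "WRT610N", "E100", "M10", "WRT310N",
}

# File hashes published as IOCs, mapped to the reported filenames.
IOC_HASHES = {
    "661880986a026eb74397c334596a2762": "0_forumdisplay-php_sh_gn-37-sh",
    "62204e3d5de02e40e9f2c51eb991f4e8": "1_banana.gif_to_elf_t",
    "9f0f0632b8c37746e739fe61f373f795":
        "2_multiquote_off.gif_to_elf_gn-p_forward-hw-data-to-exploit-server",
}

# Constructed inventory: one compromised EOL device, one clean EOL device,
# one supported device, one non-EOL device with remote admin left on.
SAMPLE_INVENTORY = """\
Linksys E1200 remote_admin=on file_md5=661880986a026eb74397c334596a2762
Linksys WRT310N remote_admin=off file_md5=0123456789abcdef0123456789abcdef
Linksys MX5300 remote_admin=off file_md5=fedcba9876543210fedcba9876543210
Netgear R7000 remote_admin=on file_md5=00112233445566778899aabbccddeeff
"""

ROW_RE = re.compile(
    r"^(?P<vendor>\S+)\s+(?P<model>\S+)\s+"
    r"remote_admin=(?P<ra>on|off)\s+file_md5=(?P<md5>[0-9a-fA-F]{32})$"
)

# Weights order the findings: an IOC hit outranks EOL status, which
# outranks an exposed management interface on a supported device.
WEIGHT_IOC, WEIGHT_EOL, WEIGHT_REMOTE_ADMIN = 4, 2, 1


def audit(inventory_text):
    """Return findings sorted by severity; devices with no issue are omitted."""
    findings = []
    for line in inventory_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank rows
        model = m["model"].upper()
        issues, actions, score = [], [], 0
        if m["md5"].lower() in IOC_HASHES:
            issues.append("ioc_match:" + IOC_HASHES[m["md5"].lower()])
            actions.append("treat as compromised; isolate and report to FBI")
            score += WEIGHT_IOC
        if model in EOL_MODELS:
            issues.append("eol_model")
            actions.append("replace with a supported model")
            score += WEIGHT_EOL
        if m["ra"] == "on":
            issues.append("remote_admin_enabled")
            actions.append("disable remote administration, then reboot")
            score += WEIGHT_REMOTE_ADMIN
        if issues:
            findings.append({"vendor": m["vendor"], "model": model,
                             "issues": issues, "actions": actions,
                             "score": score})
    findings.sort(key=lambda f: -f["score"])  # stable: ties keep file order
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['vendor']} {f['model']} [{f['score']}]: "
              f"{', '.join(f['issues'])} -> {'; '.join(f['actions'])}")
```

The EOL set is deliberately limited to the models the alert names; the FBI's own wording is "including but not limited to", so a real inventory check should also consult each vendor's end-of-life notices rather than treat absence from this list as a clean bill of health.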
Detection Challenges
Because the malware operates at the router level, traditional antivirus solutions are ineffective, making detection difficult for end users.
The FBI recommends heightened vigilance and immediate reporting of suspicious activity to local FBI Cyber Squads.
The exploitation of EOL routers by cybercriminal services such as 5Socks and Anyproxy underscores the critical importance of maintaining up-to-date network hardware and security practices.
Organizations are urged to act swiftly to mitigate risks and report any incidents to federal authorities to aid in the collective defense against these evolving threats.