
FBI Warns of Criminals Targeting End-of-Life Routers in Cyberattacks

Silviu STAHIE

May 09, 2025


The FBI has issued a cybersecurity alert calling attention to a growing threat from criminals who exploit end-of-life (EOL) routers.

The alert underscores the vulnerabilities inherent in devices no longer supported by manufacturers, leaving hackers with open doors into old routers.

Exploiting Outdated Infrastructure

Routers are the guardians of the home’s infrastructure, but they are often relegated to a corner to gather dust for years. Newer routers can upgrade themselves with the latest security releases, but older ones can’t. And since people rarely remember that routers also need updates to keep them secure, these devices become prime targets for hackers.

This problem is compounded by the fact that after years of neglect, in which routers diligently do their job, they reach end of life. This means manufacturers no longer support them. So, even if users want to secure their devices by applying the latest update, they can’t.

According to the FBI, threat actors use malware such as "5Socks" and "Anyproxy" to target routers that are past their support lifecycle, exploiting known vulnerabilities through remote management software that comes pre-installed on these devices. These vulnerabilities let attackers install malware, establish botnets, and sell proxy services to other criminal enterprises.

Routers identified explicitly as vulnerable in the FBI notification include models from Linksys such as E1200, E2500, E1000, E4200, E1500, E300, E3200, WRT320N, E1550, WRT610N, E100, M10, and WRT310N.

Tactics and persistence

Once a router is compromised, attackers gain persistent root access, which lets them keep control of the devices. The malware often communicates with command and control servers, performs check-ins every 60 seconds to five minutes, and maintains continuous availability for malicious use as proxies.
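The regular check-in cadence described above is something a defender can look for in outbound connection logs. The following is an added example, not code from the FBI alert or this article; the log format, the jitter threshold, the minimum event count, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: outbound connections leaving the router's WAN side,
# one per line as "ISO-timestamp source destination:port".
SAMPLE_LOG = """\
2025-05-09T10:00:00 192.0.2.1 203.0.113.50:443
2025-05-09T10:02:01 192.0.2.1 203.0.113.50:443
2025-05-09T10:04:00 192.0.2.1 203.0.113.50:443
2025-05-09T10:06:02 192.0.2.1 203.0.113.50:443
2025-05-09T10:08:00 192.0.2.1 203.0.113.50:443
2025-05-09T10:10:01 192.0.2.1 203.0.113.50:443
2025-05-09T10:00:05 192.0.2.1 198.51.100.7:53
2025-05-09T10:00:40 192.0.2.1 198.51.100.7:53
2025-05-09T10:07:10 192.0.2.1 198.51.100.7:53
2025-05-09T10:07:12 192.0.2.1 198.51.100.7:53
2025-05-09T10:09:55 192.0.2.1 198.51.100.7:53
"""

MIN_INTERVAL, MAX_INTERVAL = 60, 300  # check-in window reported in the alert (seconds)
MIN_EVENTS = 5    # assumption: require several connections before judging a flow
MAX_JITTER = 0.2  # assumption: stdev/mean of the gaps below this counts as regular


def parse(log):
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:  # skip malformed lines
            flows[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    return flows


def find_beacons(log):
    """Return flows whose inter-arrival times look like a fixed-period check-in."""
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if MIN_INTERVAL <= mean <= MAX_INTERVAL and jitter <= MAX_JITTER:
            hits.append((src, dst, round(mean), round(jitter, 2)))
    return hits
```

In the sample, the second flow also averages a gap inside the 60-to-300-second window but is too irregular to be flagged, which is why the jitter check matters alongside the interval check.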

Real-world impacts

For instance, attackers use these routers to intercept personal information such as login credentials, financial data, or confidential communications. Additionally, compromised routers can be used to launch Distributed Denial of Service (DDoS) attacks against other networks.

Indicators of Compromise (IoCs)

The FBI released Indicators of Compromise (IoCs), including specific file hashes associated with the malware:

  • 661880986a026eb74397c334596a2762
  • 62204e3d5de02e40e9f2c51eb991f4e8
  • 22f1f4c46ac53366582e8c023dab4771

These hashes correspond to specific exploit scripts and files used in recent campaigns.

The FBI strongly recommends that users identify and immediately replace vulnerable EOL routers with current, supported models.

If immediate replacement isn't feasible, the following mitigations are critical:

  • Disable remote administration: This prevents unauthorized external access.
  • Reboot the device: Regular reboots can disrupt persistence measures used by hackers.
  • Reporting and community vigilance: The FBI urges network administrators and end-users to report suspicious activities to their local FBI field offices.

Author


Silviu STAHIE

Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
