Facepalm: As the US Cybersecurity and Infrastructure Security Agency (CISA) recently warned, exploitation of networking devices such as SOHO routers can provide threat actors with a "global" attack infrastructure or unrestricted access to organizational networks. The fact that SOHO routers aren't updated as often as other network appliances can add insult to injury.
Malicious firmware releases designed to compromise internet routers are nothing new at this point, and things are only getting worse. A new botnet discovered by Black Lotus Labs – a threat research team from US telecommunications company Lumen Technologies – was so good at doing its job, it went undetected for two years at least.
The botnet, which Black Lotus researchers dubbed "AVrecon," was mentioned only once before, in May 2021, and has been operating undetected since then. Black Lotus performed an extensive analysis to document the malware's functionality, discovering that the botnet had already infiltrated more than 70,000 Linux-based routers and held a "persistent hold" on more than 40,000 IP addresses in more than 20 countries.
AVrecon is written in C and targets Linux-based Arm devices, with a specific focus on Small Office/Home Office (SOHO) routers. The targeted devices do not usually offer "standard endpoint" security solutions, Black Lotus said, so the malware can keep exploiting known vulnerabilities for longer periods. SOHO devices are less likely to get patches against common CVE flaws, the researchers remarked, thus providing a way to retain control and steadily grow the malicious network.
AVrecon operators maintained a more temperate approach to their nefarious activities, Black Lotus said, providing users very few clues about the ongoing infections and successfully staying under the radar for two years. Instead of bringing major disruption to standard network activities, the AVrecon malware – which is technically a remote access trojan (RAT) – was mostly designed for fraud campaigns by using the infected systems to click on Facebook and Google advertising.
Once a router was infected, AVrecon sent information about the compromised device to an embedded "first-stage" command-and-control (C2) server. The device was then instructed to connect to a second group of C2 servers; Black Lotus researchers found 15 of them that had been operational since at least October 2021. Communication between compromised routers and C2 servers is encrypted using an X.509 certificate, so researchers were unable to see how successful the cyber-criminals were with their "password spraying" attempts.
Black Lotus analysts were still able to effectively (albeit partially) curb the botnet's activity, though. The team "null-routed" the C2 nodes and impeded traffic through the proxy servers, which essentially rendered the botnet "inert" across the internet backbone managed by Lumen Technologies.
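The two-tier C2 pattern described above (an embedded first-stage check-in followed by connections to a separate cluster of second-stage servers) and the null-routing response are something a network defender can model against flow logs. The following is an added example written for this article, not code from Black Lotus Labs or Lumen: it scans constructed flow records for routers that contact a known first-stage address and then open new connections to several other hosts within a window, and it emits the blackhole routes an operator would apply to cut those nodes off. Every address is a placeholder from the RFC 5737 documentation ranges, and the first-stage list is assumed to come from threat intelligence; none of these are real AVrecon indicators.

```python
"""Flag SOHO routers whose outbound flows match a first-stage-then-second-stage
C2 pattern and produce blackhole routes for the suspected C2 nodes.

Added example. All addresses are constructed placeholders (RFC 5737 ranges),
not AVrecon indicators; the first-stage set is assumed to come from threat intel.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (ISO timestamp, source router, destination, dst port)
SAMPLE_FLOWS = [
    ("2023-10-01T08:00:00", "192.0.2.11", "203.0.113.10", 443),   # first-stage check-in
    ("2023-10-01T08:02:00", "192.0.2.11", "198.51.100.21", 443),  # follow-up to second stage
    ("2023-10-01T08:05:00", "192.0.2.11", "198.51.100.22", 443),
    ("2023-10-01T09:00:00", "192.0.2.12", "203.0.113.10", 443),   # first-stage check-in
    ("2023-10-01T09:01:00", "192.0.2.12", "198.51.100.21", 443),
    ("2023-10-01T09:03:00", "192.0.2.12", "198.51.100.23", 443),
    ("2023-10-01T09:30:00", "192.0.2.13", "198.51.100.99", 443),  # ordinary traffic, never checks in
    ("2023-10-01T10:00:00", "192.0.2.14", "203.0.113.10", 443),   # check-in with no follow-up yet
    ("2023-10-02T12:00:00", "192.0.2.14", "198.51.100.22", 443),  # outside the 24h window
]

# Hypothetical first-stage C2 address; a real deployment would load this from threat intel.
FIRST_STAGE = {"203.0.113.10"}


def find_infected(flows, first_stage, window=timedelta(hours=24), min_second_stage=2):
    """Return {router: sorted follow-up destinations} for every router that contacted a
    first-stage address and then reached at least `min_second_stage` other destinations
    within `window` of that first check-in."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((datetime.fromisoformat(ts), dst, port))

    infected = {}
    for src, records in by_src.items():
        records.sort()  # chronological order per router
        checkins = [t for t, dst, _ in records if dst in first_stage]
        if not checkins:
            continue  # no first-stage contact: nothing to correlate
        first = checkins[0]
        followups = {
            dst for t, dst, _ in records
            if dst not in first_stage and first <= t <= first + window
        }
        if len(followups) >= min_second_stage:
            infected[src] = sorted(followups)
    return infected


def second_stage_candidates(infected):
    """Union of follow-up destinations across all flagged routers."""
    return sorted({dst for dsts in infected.values() for dst in dsts})


def blackhole_routes(addresses):
    """Linux commands (returned as strings, not executed) that drop traffic to each host."""
    return [f"ip route add blackhole {addr}/32" for addr in addresses]


if __name__ == "__main__":
    hits = find_infected(SAMPLE_FLOWS, FIRST_STAGE)
    for router, dsts in hits.items():
        print(f"{router} -> {', '.join(dsts)}")
    for cmd in blackhole_routes(sorted(FIRST_STAGE | set(second_stage_candidates(hits)))):
        print(cmd)
```

The window and threshold are deliberately conservative: a router that only checked in once (192.0.2.14 above) is not flagged, because a single connection to a suspect address is not enough evidence on its own and the check-in address may legitimately be shared. In practice the candidate second-stage list should be reviewed before any route is installed, since a false positive here blackholes a host for the whole backbone.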