Lumen flags malware targeting routers used by SMBs, remote workers

Lumen’s Black Lotus Labs spotted a new kind of remote access trojan malware targeting routers from DrayTek which allows attackers to download files, run arbitrary commands and insert proxy infrastructure to covertly collect data. Researchers said around 100 routers across three continents have already been compromised and thousands more are vulnerable.

The newly discovered threat is “concerning because it allows the threat actor to passively collect information without directly interacting with a high-value host – activity that could trigger detection and response (EDR) products,” Black Lotus Labs wrote in its report. “Additionally, by utilizing routers, the adversary’s tools reside on the victim’s network, which is outside the traditional defense-in-depth perimeter.”

According to Black Lotus Labs, the routers in question are commonly used by medium-sized businesses and offer high-bandwidth capabilities to support VPN connections for hundreds of remote workers. Thus far, the malware campaign, which was dubbed HiatusRAT, has primarily gone after end-of-life routers in DrayTek’s 2960 and 3900 series.

"The DrayTek Vigor 2960 and 3900 model devices exploited in the Hiatus campaign are end of life, which means they aren’t maintained by the manufacturer with updates and patches," a Black Lotus Labs representative told Fierce. "This is unfortunately common among many makes and models of routers. While we don’t know how the devices in the Hiatus compromise were initially exploited, there is widespread reporting on high-severity CVEs for these devices."

Black Lotus Labs identified 4,100 of these routers as vulnerable and noted 100 have been infiltrated since June 2022. The breached routers were scattered across Latin America, Europe and North America, it said, with the most located in the United Kingdom, Poland, Italy and Canada. Compromised routers were also discovered in the U.S., Brazil, Denmark, the Netherlands, Turkey and French Guiana.

The Black Lotus representative added that while it only found the exploit active in DrayTek routers, "the packet capture binary that we discovered as part of this campaign was compiled for several different architectures, indicating that the threat actor likely has their sights set more broadly."

In terms of what verticals were targeted, Black Lotus Labs pointed to pharmaceuticals and IT services and consulting firms. The latter were likely “chosen to give the threat actor downstream access to the victims' customers' environments,” the company wrote in its report.

Last year, cybersecurity company Trellix spotted an unauthenticated remote code execution vulnerability which impacted 29 models of DrayTek routers used by small and medium businesses to connect remote employees. All told, it said more than 200,000 devices were vulnerable. And in 2018, DrayTek warned of a DNS exploit which impacted its 2950, 2955, 2960, 3900 and 3300 switches and routers to the tune of hundreds of thousands of devices.

But Black Lotus Labs indicated HiatusRAT is a new threat, stating it has “not observed any overlap or correlations between HiatusRAT and any public reporting.”

Attacks on small and home office routers are expected to become more common with the rise of remote work. Black Lotus Labs told Fierce that "comprehensive patch management across enterprise assets" will be key in fending off attackers looking for a place to hide.

This story has been updated with comments from a Black Lotus Labs representative.