Mar 7, 2023 - Technology

Ongoing malware campaign targeting small business routers

Illustration of an arrow cursor being lassoed by a blue ethernet cable

Illustration: Annelise Capossela/Axios

Researchers have uncovered an ongoing, monthslong malware campaign that's targeting and stealing data from pharmaceutical, IT services and consulting firms through their internet routers.

Driving the news: Researchers at Lumen Technologies released a blog post Monday detailing the malware campaign, dubbed HiatusRAT, which started in July and has already affected at least 100 businesses across Europe, North America and Latin America.

  • The attackers are targeting end-of-life DrayTek Vigor router models 2960 and 3900, which are popular with small to midsized businesses and allow users to remotely connect to corporate networks.
  • As of mid-February, roughly 4,100 machines were still vulnerable to the attack, according to the researchers.

The big picture: Internet routers have always been a ripe target of hackers given their insecure designs and the amount of data that flows through them.

Details: Researchers believe hackers are seizing the routers as part of a long-term espionage and data exfiltration operation, although it remains unclear who is behind the campaign.

  • The HiatusRAT malware intercepts any data that passes through its systems and sends it to the hackers.
  • The malicious actors also set up the infected routers to operate as bots that disperse malicious traffic to victims on other networks, obfuscating whatever trail they leave behind.

What they're saying: "These devices typically live outside the traditional security perimeter, which means they usually are not monitored or updated," said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs, in a statement.

  • "This helps the actor establish and maintain long-term persistence without detection," he added.

Be smart: Lumen Technologies recommends consumers regularly monitor, reboot and install security updates onto their at-home, self-managed routers.

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper