When hackers find a vulnerable router, they compromise it by installing malware that grants them persistence, the ability to run distributed denial of service (DDoS) attacks, a way to hide malicious traffic, and more. But what happens when the hackers find a router that was already compromised by a rival gang?
Cybersecurity researchers from Trend Micro published a report that found that one of two things happens: either one group allows the other to use the compromised infrastructure for a fee, or each finds a different way to break into the device and they use it simultaneously.
Trend Micro’s researchers made an example of Ubiquiti’s EdgeRouters, internet routers that were abused by a handful of hacking groups at the same time, some state-sponsored and others financially driven.
Shared co-working spaces
“Cybercriminals and Advanced Persistent Threat (APT) actors share a common interest in proxy anonymization layers and Virtual Private Network (VPN) nodes to hide traces of their presence and make detection of malicious activities more difficult,” the researchers explained. “This shared interest results in malicious internet traffic blending financial and espionage motives.”
When it comes to Ubiquiti, Trend Micro researchers said they observed the endpoints being used by the APT28 threat actor for “persistent espionage campaigns.” APT28 is a Russian state-sponsored group, also known as Fancy Bear or Pawn Storm. At the same time, they also saw a financially motivated group called the Canadian Pharmacy gang using the same infrastructure to mount pharma-related phishing campaigns. Finally, they observed the Ngioweb malware being loaded directly into the memory of these devices – malware that was attributed to the Ramnit group.
EdgeRouters were a popular target mostly because the victims kept them either poorly defended or entirely undefended. However, they don’t stand out much from other routers, which are all an equally popular asset for hackers. This is because routers generally have reduced security monitoring and less stringent password policies, are rarely updated, and run on powerful operating systems that can be used for a wide range of purposes, Trend Micro concluded.