The Black Lotus Labs team at Lumen Technologies has uncovered a disturbing trend in the cybercrime world – a multi-year effort to target end-of-life (EoL) and IoT devices, with a particular focus on small home and small office routers. This campaign is associated with an updated version of malware known as TheMoon, which first emerged back in 2014.
According to John Bambenek, President at Bambenek Consulting, the problem stems from a lack of automatic updates in these devices, as well as consumers using them for longer than manufacturers intend. This creates a perfect breeding ground for cybercriminals, who are able to exploit these vulnerable devices for their own gain.
TheMoon has quietly been growing in strength, with more than 40,000 bots across 88 countries by early 2024. Many of these bots are being used to support a cybercriminal-focused proxy service called Faceless, which offers anonymity services to malicious actors at a minimal cost.
Jason Soroko, Senior Vice President of Product at Sectigo, highlights the potential dangers of this campaign, noting that routers and other networking equipment with weak passwords have long been easy targets for cyber attacks. The use of proxy networks for C2 traffic obfuscation adds a new layer of complexity to the situation, showing that cybercriminals are constantly evolving their techniques to stay ahead of detection.
This latest research serves as a stark reminder of the importance of keeping devices updated and secure, as well as implementing stronger authentication methods to protect against potential cyber threats.