Black Lotus Labs finds new malware that targets compromised routers

HiatusRAT has been targeting business-grade routers to covertly spy on victims since July 2022. #pressrelease

March 6, 2023

2 Min Read

DENVER – For the second time in nine months, Black Lotus Labs® – the threat research team at Lumen Technologies (NYSE: LUMN) – has uncovered a complex new malware campaign that has been exploiting compromised routers. The latest research delves into a complex, never-before-seen campaign called "Hiatus," which has been targeting business-grade routers since June 2022. It comes on the heels of the team's other recent discovery – a novel malware called ZuoRAT – which targeted SOHO (small office/home office) routers. Black Lotus Labs does not currently believe the two campaigns are related.

Some of the industries targeted in the Hiatus campaign include pharmaceuticals, and IT services and consulting firms. Researchers suspect the IT firms were chosen to give the threat actor downstream access to the victims' customers' environments.

HiatusRAT research findings:

  • The threat actors behind the Hiatus campaign primarily target DrayTek Vigor router models 2960 and 3900 that are at their end of life.

  • As of mid-February 2023, approximately 4,100 DrayTek models 2960 and 3900 were exposed on the internet, and Hiatus had compromised approximately 100 of them in Latin America, Europe and North America.

  • Upon infection, the malware intercepts data transiting the infected router. It does this by deploying a binary that captures network packets from the compromised device and sends them to actor-controlled infrastructure.

At the same time, the malware deploys a Remote Access Trojan (RAT) dubbed "HiatusRAT" which displays a highly unusual feature: it converts the compromised machine into a bot that can proxy malicious traffic transmitted by the adversary to victims on additional networks.

Black Lotus Labs' response:

  • Black Lotus Labs has null-routed Hiatus C2s across the Lumen global backbone and added the Indicators of Compromise (IoCs) from this campaign into Rapid Threat Defense® – the automated threat detection and response capability that fuels Lumen's security product portfolio by blocking threats before they reach the customer's network.

  • The team will continue to monitor for new Hiatus infrastructure, targeting activity, and expanding tactics, techniques and procedures (TTPs), and share this information with the security research community.

Recommendations:

  • Consumers with self-managed routers should follow best practices and regularly monitor, reboot, and install security updates and patches. End-of-life devices should be replaced.

  • Businesses should consider comprehensive Secure Access Service Edge (SASE) or similar solutions that utilize VPN-based access to protect data and bolster their security posture.

  • Users should only use secure email services that help protect data in transit.

Read the full press release here.

Lumen

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.
Sign me up

You May Also Like

Latest News

Venu Sports logo
Video Streaming
The Disney-Fox-WBD streaming JV has a name: Venu Sports
The Disney-Fox-WBD streaming JV has a name: Venu Sports

May 16, 2024

VEON logo on a smartphone, in front of a laptop showing its website.
Finance
VEON revenues up in Q1 amid growing 4G and digital services user base
VEON revenues up in Q1 amid growing 4G and digital services user base

May 16, 2024

IoT Internet of Things technology with connected devices exchanging data on network
IOT
OliverIQ fine-tunes its smart home pitch for broadband operators
OliverIQ fine-tunes its smart home pitch for broadband operators

May 16, 2024

Accenture's Jefferson Wang, AT&T's Cheryl Choy, Dish Network's Eben Albertyn and T-Mobile's Ankur Kapoor.
Open RAN
Hope permeates WIA show, but 5G downturn persists
Hope permeates WIA show, but 5G downturn persists

May 16, 2024

Upcoming Webinars
More Webinars

Popular whitepapers in 5G

thumbnail
Sponsored Content
5G Orchestration and Service Assurance: 2024 Heavy Reading Survey5G Orchestration and Service Assurance: 2024 Heavy Reading Survey
Apr 26, 2024
1 Min Read
thumbnail
5G
Operator transitions to 5G SA core decline YoY in 2023 – Counterpoint ResearchOperator transitions to 5G SA core decline YoY in 2023 – Counterpoint Research
Feb 29, 2024
3 Min Read
thumbnail
5G
5G Network Strategies Operator Survey: Powering 5G SA Networks5G Network Strategies Operator Survey: Powering 5G SA Networks
Feb 23, 2024
1 Min Read
May 21 - May 23, 2024
Join us for an immersive experience where the future of North American telecom industry unfolds in 2024.
LEARN MORE

Featured Videos

Sponsored Content
Get the scale, resilience and local expertise from the team/network that go above, below and beyond.
Get the scale, resilience and local expertise from the team/network that go above, below and beyond.
Sponsored Content
Demo: Explore the Value of Multi-Vendor Interoperability in Transport Technology with OIF and Juniper
Demo: Explore the Value of Multi-Vendor Interoperability in Transport Technology with OIF and Juniper
Sponsored Content
Heavy Reading analysts get ready for Network X Americas
Heavy Reading analysts get ready for Network X Americas