Analysis Summary

A sophisticated and highly targeted cyber campaign has recently intensified, focusing on enterprise-grade routers used within critical sectors like finance, healthcare, and government. Over the past month, researchers have identified a significant rise in attacks exploiting previously unknown vulnerabilities in router firmware, enabling threat actors to bypass authentication mechanisms and gain unauthorized access to corporate networks.

The campaign has affected networks in more than 12 countries, with Spain, China, and the UK being hit the hardest. Attackers are deploying custom malware post-exploitation, which enables command-and-control operations while evading detection by conventional security tools.

The primary infection vector involves a memory corruption vulnerability within the web administration interface of affected routers. Attackers exploit this flaw through a specially crafted HTTP POST request designed to trigger a buffer overflow in the authentication module. This method allows them to execute arbitrary code with elevated privileges. Once the malware gains control, it establishes persistence by modifying the bootloader configuration and creating a hidden partition within the firmware storage. This persistence mechanism is robust enough to survive even factory resets and firmware updates, posing significant challenges for remediation and device recovery.

Researchers, who uncovered this campaign through extensive analysis of devices connected to the Device Cloud, report that routers have now become the most vulnerable IT assets, accounting for 50% of all critically exposed devices. The threat is further compounded by poor protocol hygiene across industries. Alarmingly, there has been a shift from secure SSH connections to the unencrypted Telnet protocol, particularly in government systems, where Telnet usage increased from 2% to 10%. This transition greatly enhances the attack surface for adversaries, making unauthorized access and eavesdropping much easier.

Given the advanced persistence techniques and the strategic targeting of critical sectors, experts believe this campaign may be the work of a nation-state actor or a well-funded cybercriminal group. Security professionals are strongly advised to conduct immediate audits of network infrastructure, eliminate Telnet in favor of encrypted protocols like SSH, segment router management interfaces, and implement advanced monitoring solutions to detect and respond to abnormal router behavior. As routers have now surpassed endpoints as the primary security risk, organizations must act swiftly to mitigate this growing threat.

Impact

• Privilege Escalation
• Code Escalation
• Gain Access

Remediation

• Audit all network infrastructure for routers and network devices vulnerable to known or suspected firmware flaws.
• Apply the latest firmware updates from vendors immediately, prioritizing critical infrastructure and high-risk sectors.
• Disable unused services and interfaces, especially public-facing web interfaces used for router management.
• Enforce the use of encrypted protocols (e.g., SSH) and disable Telnet across all network devices.
• Implement network segmentation to isolate router management interfaces from the rest of the corporate network.
• Restrict administrative access to trusted IP addresses and enforce multi-factor authentication (MFA) where possible.
• Deploy continuous network monitoring solutions capable of detecting unusual traffic or behavior from routers and IoT devices.
• Monitor for signs of persistence, such as unauthorized modifications to bootloader configurations or hidden partitions.
• Check for malicious scripts in configuration backups, as attackers may have tampered with them to ensure reinfection.
• Conduct threat hunting exercises to detect lateral movement or signs of deeper compromise across the network.
• Work closely with router vendors and threat intelligence sources to stay updated on emerging vulnerabilities and attack patterns.