FBI: End-of-life Routers Hacked

The Federal Bureau of Investigation has issued an urgent public service announcement warning that cybercriminals are actively exploiting outdated routers to build extensive proxy networks for illicit activities. 

According to a recent FBI FLASH report, threat actors are targeting end-of-life routers that no longer receive security patches and software updates, turning them into anonymous proxies that help criminals conceal their digital footprints.

Vulnerable Router Models Identified

The FBI specifically identified thirteen vulnerable router models, predominantly Linksys devices sold under the Cisco brand, that are being actively targeted:

  • Linksys E1200, E2500, E3200.
  • Cisco Linksys E1000, E1500, E1550, E4200, WRT610N.
  • Cradlepoint E300, E100.
  • Cisco M10.
  • Linksys WRT320N, WRT310N.

“Routers dated 2010 or earlier likely no longer receive software updates issued by the manufacturer and could be compromised by cyber actors exploiting known vulnerabilities,” the FBI warned in its advisory.

The attacks use variants of TheMoon, a router botnet first documented in 2014 that is now seeing a significant resurgence.

The malware does not need valid credentials to infect a router: it scans for exposed router ports, sends commands that exploit known vulnerabilities in the firmware, and then waits for instructions from command-and-control servers operated by the attackers.

Once installed, the malware drops a payload named “.nttpd”, which writes a PID file containing a version number (currently 26).

It then adds iptables rules that drop incoming TCP traffic on ports 80 and 8080 except from specific IP ranges, shutting other attackers and outside interference out of the router's web interface while preserving the operators' own access.
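The two indicators just described (a running ".nttpd" process and an INPUT chain that drops TCP 80/8080 for everyone except a few source ranges) can be checked from a shell on the router. The script below is an added example, not FBI or vendor tooling: it parses `iptables -S` and BusyBox-style `ps` output and reports both indicators. The sample outputs, the `/tmp/.nttpd` path and the allowlisted ranges (RFC 5737 documentation addresses) are constructed for illustration, and the exact rule syntax on a real infected device may differ.

```python
import ipaddress
import shlex

WATCHED_PORTS = {"80", "8080"}

# Constructed sample of `iptables -S INPUT` from a hypothetical infected router.
# Source ranges are RFC 5737 documentation addresses, not real attacker ranges.
INFECTED_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Constructed BusyBox-style `ps` output; the /tmp path is an assumption.
INFECTED_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1236 S    init
  412 root      2100 S    httpd
  987 root      3340 S    /tmp/.nttpd
 1023 root      1180 S    sh
"""

CLEAN_IPTABLES = "-P INPUT ACCEPT\n-A INPUT -i lo -j ACCEPT\n"
CLEAN_PS = "  PID USER       VSZ STAT COMMAND\n    1 root      1236 S    init\n  412 root      2100 S    httpd\n"


def parse_rule(line):
    """Reduce one `iptables -S` line to the fields the check needs."""
    toks = shlex.split(line)
    rule = {"src": None, "proto": None, "dport": None, "target": None}
    flags = {"-s": "src", "-p": "proto", "--dport": "dport", "-j": "target"}
    for i, tok in enumerate(toks[:-1]):
        if tok in flags:
            rule[flags[tok]] = toks[i + 1]
    if rule["src"]:
        # Normalise e.g. 203.0.113.5 -> 203.0.113.5/32 so ranges compare cleanly.
        rule["src"] = str(ipaddress.ip_network(rule["src"], strict=False))
    return rule


def suspicious_firewall_rules(iptables_output):
    """Return (drop_rules, allowlisted_sources) for TCP 80/8080 on INPUT."""
    rules = [parse_rule(l) for l in iptables_output.splitlines() if l.startswith("-A")]
    on_watched = [r for r in rules if r["proto"] == "tcp" and r["dport"] in WATCHED_PORTS]
    drops = [r for r in on_watched if r["target"] == "DROP" and r["src"] is None]
    allow = sorted({r["src"] for r in on_watched if r["target"] == "ACCEPT" and r["src"]})
    return drops, allow


def nttpd_processes(ps_output):
    """Return command lines from a `ps` listing whose program basename is .nttpd."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        cols = line.split(None, 4)
        if len(cols) < 5:
            continue
        cmd = cols[4]
        if cmd.split()[0].rsplit("/", 1)[-1].startswith(".nttpd"):
            hits.append(cmd)
    return hits


def triage(iptables_output, ps_output):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    procs = nttpd_processes(ps_output)
    if procs:
        findings.append(f"process named .nttpd running: {procs}")
    drops, allow = suspicious_firewall_rules(iptables_output)
    if drops:
        ports = sorted({r["dport"] for r in drops})
        note = f"inbound TCP {ports} dropped on INPUT"
        if allow:
            note += f" except from {allow}"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for f in triage(INFECTED_IPTABLES, INFECTED_PS):
        print("FINDING:", f)
    print("clean router findings:", triage(CLEAN_IPTABLES, CLEAN_PS))
```

Run it against output captured from the device (`iptables -S INPUT` and `ps`) rather than on the router itself; an implant that owns the box can lie to tools run locally, and a firewall rule set that blocks the web interface from the WAN except for a handful of foreign ranges is not something a consumer router ships with.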

The FBI has linked these compromised routers to services like Anyproxy and 5Socks, which were recently seized by authorities. 

These services sold access to the hijacked devices as proxy networks that allowed criminals to mask their true IP addresses.

“When actors use a proxy service to visit a website to conduct criminal activity… the website does not register their real IP address and instead registers the proxy IP,” explained the FBI.

This anonymity enables various criminal activities, from cryptocurrency theft and fraud to accessing illegal services without being easily traced.

Malware operations such as IcedID and SolarMarker have been observed using these proxy botnets to obfuscate their malicious activities.

Technical Exploitation Methods

Exploitation begins when attackers either trigger a vulnerability in outdated firmware or brute-force weak administrative credentials.

For example, the Seowon SLR-120 router vulnerability (CVE-2020-17456) allows unauthenticated remote code execution through simple POST requests to the router’s system_log.cgi endpoint.

Once compromised, the malware often uses code similar to:

These commands download and execute the malicious payload that establishes persistent control.
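The chain described in this section, an inbound POST to the router's system_log.cgi followed by the router itself fetching a payload from the attacker's host, is visible at the network edge. The script below is an added example (not the article's or the FBI's) that runs a simplified version of that correlation over an HTTP log with Zeek-like columns. The log lines, the router WAN address 192.0.2.10, the CGI path and the payload path `/dl/x86` are all constructed; the exploit parameters themselves are deliberately not modelled, only the endpoint and the follow-up download.

```python
from collections import namedtuple

# WAN address of the router being monitored (assumption; documentation range).
ROUTER_IPS = {"192.0.2.10"}
ROUTER_WEB_PORTS = {80, 8080}
EXPLOIT_ENDPOINT = "system_log.cgi"
FOLLOW_UP_WINDOW = 120.0   # seconds allowed between exploit POST and payload fetch

Http = namedtuple("Http", "ts orig_h orig_p resp_h resp_p method uri")

# Constructed, reduced-column HTTP log (ts, orig_h, orig_p, resp_h, resp_p,
# method, uri) in the spirit of Zeek's http.log. Paths such as /dl/x86 are made up.
SAMPLE_HTTP_LOG = """\
1715000000.10\t198.51.100.7\t51022\t192.0.2.10\t8080\tPOST\t/cgi-bin/system_log.cgi
1715000001.30\t192.0.2.10\t40101\t198.51.100.7\t80\tGET\t/dl/x86
1715000050.00\t203.0.113.9\t4455\t192.0.2.10\t80\tGET\t/index.html
1715000300.00\t203.0.113.9\t4470\t192.0.2.10\t80\tPOST\t/cgi-bin/system_log.cgi
1715000900.00\t192.0.2.10\t40200\t203.0.113.44\t80\tGET\t/update.bin
"""


def parse_http_log(text):
    """Parse tab-separated records into Http tuples; skip blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, method, uri = line.split("\t")
        records.append(Http(float(ts), oh, int(op), rh, int(rp), method, uri))
    return sorted(records, key=lambda r: r.ts)


def is_exploit_attempt(r):
    """Inbound POST to a monitored router's web port whose path ends in system_log.cgi."""
    return (r.method == "POST" and r.resp_h in ROUTER_IPS
            and r.resp_p in ROUTER_WEB_PORTS
            and r.uri.split("?", 1)[0].rsplit("/", 1)[-1] == EXPLOIT_ENDPOINT)


def detect(text):
    """Return (confirmed, attempts). `attempts` are exploit POSTs; `confirmed`
    are those followed within FOLLOW_UP_WINDOW by the router fetching something
    from the same source host, i.e. the download stage of the chain."""
    records = parse_http_log(text)
    attempts = [r for r in records if is_exploit_attempt(r)]
    confirmed = []
    for a in attempts:
        for r in records:
            if (r.method == "GET" and r.orig_h == a.resp_h and r.resp_h == a.orig_h
                    and 0 <= r.ts - a.ts <= FOLLOW_UP_WINDOW):
                confirmed.append({"router": a.resp_h, "source": a.orig_h,
                                  "exploit_ts": a.ts, "payload_uri": r.uri})
                break
    return confirmed, attempts


if __name__ == "__main__":
    confirmed, attempts = detect(SAMPLE_HTTP_LOG)
    print(f"{len(attempts)} exploit attempt(s), {len(confirmed)} with payload fetch")
    for c in confirmed:
        print("ALERT:", c)
```

The second POST in the sample has no matching download, so it is reported as an attempt but not confirmed; a router that should never initiate HTTP requests to the internet on its own makes the outbound GET the stronger signal of the two, independent of which CGI was hit.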

To defend against these attacks, the FBI recommends:

  • Replace end-of-life routers immediately with newer, supported models.
  • Apply all available firmware and security updates promptly.
  • Disable remote administration through router settings.
  • Implement strong, unique passwords (16-64 characters).
  • Reboot routers regularly to clear malware that lives only in memory (a reboot does not remove an implant that has written itself to flash storage).

Signs of a compromised router may include overheating, unexpected setting changes, and intermittent connectivity issues.

As these attacks continue to escalate, the FBI emphasizes that proactive router replacement and security hygiene remain the most effective defenses against this growing threat.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents happening in cyberspace.