Lumen Disrupts Cybercriminals Targeting Home and Office Routers

Rhea-AI Summary

Black Lotus Labs, a threat intelligence team of Lumen Technologies, has uncovered a cybercriminal campaign using outdated routers and IoT devices to power a service called Faceless. TheMoon malware, responsible for this, has grown to over 40,000 bots in 88 countries. Lumen has halted the malicious traffic associated with TheMoon and Faceless. Consumers are urged to secure their devices to prevent becoming part of these criminal networks.

Cybersecurity Analyst

From a cybersecurity standpoint, the identification of TheMoon malware campaign by Black Lotus Labs emphasizes the persistent threat of cybercriminal activities targeting vulnerable network devices. The use of end-of-life SOHO routers, which often lack the latest security updates, creates a fertile ground for botnets like TheMoon to proliferate. This can have significant implications for businesses, particularly small and medium-sized enterprises that may not have robust IT security protocols in place.

Furthermore, the operation of the Faceless service, which facilitates anonymous malicious activities, poses a substantial risk to the integrity of corporate data and financial transactions. As cybercriminals increasingly leverage such services to conduct their operations, businesses must prioritize cybersecurity measures, including regular updates of network equipment and the implementation of advanced threat detection systems. The proactive measures taken by Lumen Technologies to halt the traffic from these malicious infrastructures and their plans to offer new defense solutions reflect a growing industry trend towards more aggressive cybersecurity strategies.

For stakeholders, the short-term benefits include the disruption of a significant threat vector and the prevention of potential data breaches. In the long term, the adoption of more sophisticated cybersecurity measures could lead to reduced operational risks and potentially lower insurance premiums for cyber liability coverage. However, the need to invest in updated hardware and security services may represent a financial burden for some businesses.

Network Security Expert

The technical aspects of TheMoon malware and its exploitation of outdated routers underscore the importance of maintaining up-to-date network infrastructure. The lack of support for end-of-life devices means that they do not receive security patches, making them easy targets for botnet herders. The scale of the problem, with over 40,000 bots from 88 countries, indicates a widespread vulnerability that can affect businesses globally. The advice provided by Lumen to reboot devices, update old routers and implement Web Application Firewalls is critical for maintaining network hygiene.

From a network security perspective, the emphasis should be on continuous monitoring for suspicious activities and the use of encryption protocols like TLS to safeguard data in transit. The fact that Lumen is sharing its threat intelligence with the broader security research community is a positive step towards collective cybersecurity resilience. The upcoming proactive defense solution that Lumen plans to offer could be a game-changer for businesses seeking to enhance their cybersecurity posture against increasingly sophisticated threats.

IT Infrastructure Specialist

The report from Black Lotus Labs brings to light the essential role of IT infrastructure in the overall security posture of an organization. The reliance on outdated and unsupported hardware is a significant risk factor that can lead to the compromise of not just the device itself but the entire network. The call to action for IT professionals, including installing Web Application Firewalls and encrypting data, is a reminder of the multi-layered approach required to secure modern networks.

For businesses, the investment in new, supported routers and the integration of comprehensive security solutions are critical steps in mitigating the risks posed by malware like TheMoon. The mention of Lumen's Rapid Threat Defense as a part of their security portfolio highlights the trend towards managed security services that can offer peace of mind and operational efficiency for businesses. The cost of such services must be weighed against the potential losses from data breaches and cyber-attacks, which can be far more detrimental to a company's financial health and reputation.

Black Lotus Labs reveals how TheMoon malware used end-of-life routers to power a notorious cybercrime service called Faceless, urges consumers to secure devices

DENVER, March 26, 2024 /PRNewswire/ -- Black Lotus Labs, Lumen Technologies' (NYSE: LUMN) threat intelligence team, has identified a new multi-year campaign targeting end-of-life, or outdated small office/home office (SOHO) routers and IoT devices. An updated version of TheMoon malware has reemerged and is fueling a cybercriminal anonymity service called Faceless. Lumen has stopped all traffic to and from the infrastructures associated with TheMoon and Faceless across its global network. Small office routers continue to be a key target for cybercriminals. In less than two years, Black Lotus Labs has discovered six large malware campaigns using compromised SOHO routers.

For detailed technical analysis of TheMoon and Faceless, read our latest blog, "The Darkside of TheMoon".

Cybercriminals join forces
Lumen first reported on TheMoon in 2019. It reemerged in 2023 and quietly operated while growing to over 40,000 web robots (bots) from 88 countries in the first two months of 2024. Black Lotus Labs discovered that most of these bots are used as the foundation of a notorious, cybercriminal-focused proxy service known as Faceless. TheMoon allowed Faceless operators to anonymously send malicious traffic through outdated routers and devices owned by consumers and small businesses. 

"Black Lotus Labs' advanced network visibility allows us to uncover threats other researchers can't see. TheMoon botnet quietly returned with its criminal operations, but we were able to see it and stop the attacks across our network," said Mark Dehus, senior director of threat intelligence at Lumen Black Lotus Labs. "The attackers behind Faceless are using the botnets from this malware to create an anonymous proxy network by abusing outdated and unsupported routers to run their criminal networks. We believe these cybercriminals are using these networks to steal data and information from their victims, including the financial sector."

How it works
Black Lotus Labs believes TheMoon is the main or sole provider of bots to Faceless. This proxy service gives its users the chance to impersonate a legitimate user in a chosen country. Faceless doesn't require customer identification. This allows users to stay anonymous as they send malicious traffic through the routers attempting to steal valuable data.

"TheMoon malware is a serious threat not only to the owners of the compromised SOHO devices, but also the victims exploited through this anonymous proxy network," continued Dehus. "We urge consumers to update and secure their devices to prevent them from becoming part of these malicious networks."

Stopping the threat
Consumers and businesses should take steps to protect their routers from cybercriminals.

• Reboot: Consumers who use SOHO routers should regularly reboot their devices and install security updates and patches when available.
• Update old routers: Consumers and business should replace end-of-life devices with vendor-supported models to help ensure security updates are in place.

IT professionals:

• Install protection: Remote workers can invite threats to a company network. Install Web Application Firewalls to protect company assets from communicating with bots.
• Monitor activity: Look for suspicious login attempts, even those that come from residential IP addresses.
• Encrypt data: Use the latest cryptographic protocols, such as TLS (Transport Layer Security) to encrypt data sent over the internet. This helps secure email and website services.

Cybersecurity threats are growing and putting organizations at risk. Lumen will soon offer a new proactive defense solution that spots and isolates threats before they reach business networks and applications. This provides protection against advanced cyberattacks and malicious activity. Businesses can also turn to Lumen® Rapid Threat Defense, powered by Lumen Black Lotus Labs threat intelligence. The team uses global network data from the Lumen network, one of the world's largest and most deeply peered networks. Experienced researchers use their expertise to create machine learning algorithms that detect, classify, and validate threats.

For more tips on best practices for securing routers, visit Canadian Centre for Cyber Security.

Threat protection continues
Black Lotus Labs has added the threat intelligence from this campaign into the Lumen security portfolio to help quickly detect these threats in the future. The team continues to monitor new infrastructure to identify and stop suspicious behaviors and attacks. To help protect the larger cybercrime ecosystem, Lumen shares its research with experts in the broader security research community so they can also identify and act on these threats. 

Additional information

• Read how Black Lotus Labs disrupted Chinese nation state cyber actors supporting recent Volt Typhoon attacks.
• Read about Black Lotus Labs' previous SOHO router malware discoveries including ZuoRAT, HiatusRAT, and AVrecon.
• Learn more about Lumen DDoS mitigation, DDoS Hyper®, and Lumen® SASE solutions.

About Lumen Technologies:
Lumen connects the world. We are igniting business growth by connecting people, data, and applications – quickly, securely, and effortlessly. Everything we do at Lumen takes advantage of our network strength. From metro connectivity to long-haul data transport to our edge cloud, security, and managed service capabilities, we meet our customers' needs today and as they build for tomorrow. For news and insights visit news.lumen.com, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies, and YouTube: /lumentechnologies. 

 

View original content to download multimedia:https://www.prnewswire.com/news-releases/lumen-disrupts-cybercriminals-targeting-home-and-office-routers-302098978.html

SOURCE Lumen Technologies

What is the name of the threat intelligence team of Lumen Technologies involved in uncovering the cybercriminal campaign?

Black Lotus Labs is the threat intelligence team of Lumen Technologies that discovered the cybercriminal campaign.

What is the malware responsible for the cybercriminal campaign targeting outdated routers and IoT devices?

TheMoon malware is the malicious software fueling the cybercriminal campaign.

How many bots did TheMoon malware grow to in the first two months of 2024?

TheMoon malware grew to over 40,000 bots from 88 countries in the first two months of 2024.

What action did Lumen Technologies take regarding the malicious traffic associated with TheMoon and Faceless?

Lumen Technologies stopped all traffic to and from the infrastructures linked to TheMoon and Faceless across its global network.

What advice is given to consumers and businesses to protect their routers from cybercriminals?

Consumers and businesses are advised to regularly reboot their routers, install security updates, replace end-of-life devices, install protection like Web Application Firewalls, monitor activity for suspicious login attempts, and encrypt data using TLS.