Malicious actors constantly develop new ways to exploit vulnerabilities in our devices and networks, which puts our data and privacy at risk. Therefore, IT teams and professionals integrate solutions to protect these valuable assets.
Still, one often-overlooked target for cyberattacks is the humble router. These devices, which manage the flow of data in our homes and offices, can become infected with malware and turned into tools for criminals. Outdated routers, lacking the latest security updates, are especially susceptible.
This weakness has been exploited in a recent campaign targeting small office/home office (SOHO) routers and IoT devices. Lumen Technologies' threat intelligence team, Black Lotus Labs, identified that an updated version of the TheMoon malware had resurfaced and grown to over 40,000 bots across 88 countries in January and February of 2024.
Black Lotus Labs linked these bots to Faceless, a cybercriminal anonymity service. Lumen has since stopped traffic associated with TheMoon and Faceless on its global network. This is the sixth major malware campaign targeting SOHO routers identified by Black Lotus Labs in less than two years.
"TheMoon botnet quietly returned with its criminal operations, but we were able to see it and stop the attacks across our network," said Mark Dehus, Senior Director of Threat Intelligence at Lumen Black Lotus Labs. "The attackers behind Faceless are using the botnets from this malware to create an anonymous proxy network by abusing outdated and unsupported routers to run their criminal networks."
Although TheMoon emerged in 2014, Lumen first identified TheMoon in 2019. Black Lotus Labs believes TheMoon is the primary source of bots for Faceless. According to a recent Black Lotus Labs blog, TheMoon appears to enable Faceless' growth at a rate of nearly 7,000 new users per week. Faceless does not require identification and allows users to anonymously launch attacks that steal valuable data.
Luckily, consumers and businesses can take steps to mitigate these threats.
Consumers need to regularly reboot SOHO routers and install security updates. Consider replacing end-of-life routers with supported models.
IT professionals need to install web application firewalls to protect networks from bots. Monitor for suspicious login attempts, including those from residential IP addresses. Encrypt data using protocols like TLS to secure communications.
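The monitoring step above (watching for suspicious login attempts, including those arriving from residential IP addresses) can be turned into a small triage script. The following is an added example, not code from Lumen, Black Lotus Labs or the article: it parses constructed sshd-style log lines, counts failed logins per source address, flags an address that succeeds right after a burst of failures, and flags successful logins from a hypothetical watchlist of residential-proxy ranges. The log lines, the watchlist network and the threshold are all constructed for illustration.

```python
"""Flag suspicious login activity in sshd-style auth log lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines for this example; not real data.
SAMPLE_LOG = """\
Mar 20 10:01:02 web1 sshd[2101]: Failed password for admin from 203.0.113.10 port 51234 ssh2
Mar 20 10:01:05 web1 sshd[2102]: Failed password for admin from 203.0.113.10 port 51236 ssh2
Mar 20 10:01:09 web1 sshd[2103]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar 20 10:01:12 web1 sshd[2104]: Failed password for admin from 203.0.113.10 port 51242 ssh2
Mar 20 10:01:15 web1 sshd[2105]: Failed password for admin from 203.0.113.10 port 51244 ssh2
Mar 20 10:02:00 web1 sshd[2110]: Accepted password for admin from 203.0.113.10 port 51250 ssh2
Mar 20 10:03:00 web1 sshd[2120]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar 20 10:04:00 web1 sshd[2130]: Accepted password for alice from 192.0.2.55 port 40010 ssh2
"""

# Hypothetical watchlist of networks an operator has tagged as residential-proxy
# egress (for instance from a threat-intel feed). Constructed for this example.
RESIDENTIAL_PROXY_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Number of failures from one source before it is considered a brute-force burst.
FAILED_THRESHOLD = 5

# Matches both "Failed password for USER from IP" and "Accepted publickey for USER from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(log_text):
    """Return a list of (outcome, user, ip) tuples for every parsable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("outcome"), m.group("user"), m.group("ip")))
    return events


def in_watchlist(ip):
    """True if the address falls inside any watchlisted residential-proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PROXY_NETS)


def find_suspicious_logins(log_text):
    """Return {source_ip: [reasons]} for addresses an analyst should review."""
    failures = defaultdict(int)
    accepted = defaultdict(set)
    for outcome, user, ip in parse_events(log_text):
        if outcome == "Failed":
            failures[ip] += 1
        else:
            accepted[ip].add(user)

    findings = defaultdict(list)
    for ip, count in failures.items():
        if count >= FAILED_THRESHOLD:
            findings[ip].append(f"{count} failed logins")
            if accepted.get(ip):
                findings[ip].append("success after burst of failures (possible brute force)")
    for ip, users in accepted.items():
        if in_watchlist(ip):
            names = ",".join(sorted(users))
            findings[ip].append(f"login as {names} from residential-proxy range")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in find_suspicious_logins(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the constructed log, the script reports 203.0.113.10 (five failures followed by a success) and 192.0.2.55 (a successful login from the watchlisted range), while the key-based login from 198.51.100.7 is left alone. In practice the watchlist would be populated from a maintained threat-intelligence source and the threshold tuned to the environment.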
"TheMoon malware is a serious threat not only to the owners of the compromised SOHO devices, but also the victims exploited through this anonymous proxy network," said Dehus. "We urge consumers to update and secure their devices to prevent them from becoming part of these malicious networks."
Lumen also offers security solutions to combat these evolving threats. A new proactive defense solution will identify and isolate threats before they reach networks. Additionally, Lumen Rapid Threat Defense, powered by Black Lotus Labs, leverages threat intelligence and machine learning to detect and classify malicious activity.
The Black Lotus Labs team continues to monitor new infrastructure to identify and stop suspicious behaviors and attacks.
Edited by
Alex Passett