Black Lotus Labs Discovers Malware Targeting Outdated Routers

By Greg Tavarez April 01, 2024

Malicious actors constantly develop new ways to exploit vulnerabilities in our devices and networks, which puts our data and privacy at risk. Therefore, IT teams and professionals integrate solutions to protect these valuable assets.

Still, one often-overlooked target for cyberattacks is the humble router. These devices, which manage the flow of data in our homes and offices, can become infected with malware and turned into tools for criminals. Outdated routers, lacking the latest security updates, are especially susceptible.

This vulnerability has been exploited in a recent campaign targeting small office/home office, or SOHO, routers and IoT devices. Lumen Technologies' threat intelligence team, Black Lotus Labs, identified that an updated version of the TheMoon malware has resurfaced and grown to over 40,000 bots across 88 countries in January and February of 2024.

Black Lotus Labs linked these bots to Faceless, a cybercriminal anonymity service. Lumen has since stopped traffic associated with TheMoon and Faceless on its global network. This is the sixth major malware campaign targeting SOHO routers identified by Black Lotus Labs in less than two years.

"TheMoon botnet quietly returned with its criminal operations, but we were able to see it and stop the attacks across our network," said Mark Dehus, Senior Director of Threat Intelligence at Lumen Black Lotus Labs. "The attackers behind Faceless are using the botnets from this malware to create an anonymous proxy network by abusing outdated and unsupported routers to run their criminal networks."

Although TheMoon emerged in 2014, Lumen first identified TheMoon in 2019. Black Lotus Labs believes TheMoon is the primary source of bots for Faceless. According to a recent Black Lotus Labs blog, TheMoon appears to enable Faceless' growth at a rate of nearly 7,000 new users per week. Faceless does not require identification and allows users to anonymously launch attacks that steal valuable data.

Luckily, consumers and businesses can take steps to mitigate these threats.

Consumers need to regularly reboot SOHO routers and install security updates. Consider replacing end-of-life routers with supported models.

IT professionals need to install web application firewalls to protect networks from bots. Monitor for suspicious login attempts, including those from residential IP addresses. Encrypt data using protocols like TLS to secure communications.
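The monitoring advice above (watch for suspicious login attempts, including those arriving from residential IP addresses, which is how proxy networks such as Faceless make attacker traffic look ordinary) is easier to act on with a concrete check. The script below is an added illustration and is not code from Lumen, Black Lotus Labs or this article. It parses a constructed sshd-style auth log, counts failed logins per source address, and flags any source that falls inside a list of proxy-egress networks; the `PROXY_NETWORKS` list and the log lines are placeholders (RFC 5737 documentation ranges), and in practice the list would be populated from a threat-intelligence feed of known residential-proxy addresses.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in a simplified sshd-style auth log format (not real data).
SAMPLE_LOG = """\
2024-02-14T10:01:02Z sshd[1201]: Failed password for admin from 203.0.113.17 port 51022
2024-02-14T10:01:05Z sshd[1201]: Failed password for admin from 203.0.113.17 port 51023
2024-02-14T10:01:09Z sshd[1201]: Failed password for root from 203.0.113.17 port 51024
2024-02-14T10:02:11Z sshd[1203]: Accepted password for alice from 198.51.100.4 port 40012
2024-02-14T10:03:40Z sshd[1207]: Accepted password for admin from 203.0.113.99 port 60001
2024-02-14T10:05:00Z sshd[1210]: Failed password for bob from 192.0.2.8 port 33001
"""

# Constructed placeholder: networks a threat-intel feed reports as residential
# proxy egress. A real deployment would load these from the feed, not hard-code them.
PROXY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

# Number of failed attempts from one source before it is reported.
FAILED_THRESHOLD = 3


def parse_auth_log(text):
    """Return a list of (timestamp, result, user, ip) for each line that matches the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["ip"]))
    return events


def is_proxy_ip(ip):
    """True if the address lies inside any flagged proxy-egress network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_NETWORKS)


def find_suspicious_logins(text, failed_threshold=FAILED_THRESHOLD):
    """Map each flagged source IP to the list of reasons it was flagged."""
    events = parse_auth_log(text)
    failures = Counter(ip for _, result, _, ip in events if result == "Failed")
    accepted_from = defaultdict(list)
    for _, result, user, ip in events:
        if result == "Accepted":
            accepted_from[ip].append(user)

    flagged = defaultdict(list)
    # Brute-force style: repeated failures from a single source.
    for ip, n in failures.items():
        if n >= failed_threshold:
            flagged[ip].append(f"{n} failed logins")
    # Proxy origin: any activity from a flagged network, with a successful
    # login from such a network called out separately because it needs triage first.
    for ip in {ip for *_, ip in events}:
        if is_proxy_ip(ip):
            flagged[ip].append("source in flagged proxy network")
            if accepted_from.get(ip):
                flagged[ip].append("successful login as " + ",".join(accepted_from[ip]))
    return dict(flagged)


if __name__ == "__main__":
    for ip, reasons in sorted(find_suspicious_logins(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```

On the sample, 203.0.113.17 is reported for three failures and for its proxy origin, 203.0.113.99 is reported because an accepted login for `admin` came from a flagged network, and the single failure from 192.0.2.8 stays below the threshold. Feeding the output into an alerting pipeline rather than printing it is the only change needed for real use.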

"TheMoon malware is a serious threat not only to the owners of the compromised SOHO devices, but also the victims exploited through this anonymous proxy network," said Dehus. "We urge consumers to update and secure their devices to prevent them from becoming part of these malicious networks."

Lumen also offers security solutions to combat these evolving threats. A new proactive defense solution will identify and isolate threats before they reach networks. Additionally, Lumen Rapid Threat Defense, powered by Black Lotus Labs, leverages threat intelligence and machine learning to detect and classify malicious activity.

The Black Lotus Labs team continues to monitor new infrastructure to identify and stop suspicious behaviors and attacks.

Edited by Alex Passett