By Bill Toulas

The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.

In a related bulletin, the agency confirms that many of these routers are infected with a variant of the "TheMoon" malware, which enables threat actors to configure them as proxies.

"End of life routers were breached by cyber actors using variants of TheMoon malware botnet," reads the FBI bulletin.

"With the 5Socks and Anyproxy network, criminals are selling access to compromised routers as proxies for customers to purchase and use," explains the FBI Flash advisory.

The FBI warns that Chinese state-sponsored actors have exploited known (n-day) vulnerabilities in these routers to conduct covert espionage campaigns, including operations targeting critical U.S. infrastructure.

"Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware."

Once compromised, the routers connect to command and control (C2) servers to receive commands to execute, such as scanning for and compromising vulnerable devices on the Internet.

Common signs of compromise by a botnet include network connectivity disruptions, overheating, performance degradation, configuration changes, the appearance of rogue admin users, and unusual network traffic.

The best way to mitigate the risk of botnet infections is to replace end-of-life routers with newer, actively supported models.

If that is impossible, apply the latest firmware update for your model, sourced from the vendor's official download portal, change the default admin account credentials, and turn off remote administration panels.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 08 May 2025 22:20:01 +0000