A serious security risk remained hidden from IT experts for almost two years. Certain malware has allowed attackers to control a local network and gain access to connected systems such as computers and other devices. The attack utilizes a previously unknown Trojan horse and targets “home” routers in Europe and North America. Subsequently, it enables attackers to control connected devices running on Windows, macOS, and Linux operating systems.
The newly discovered Trojan horse ZuoRAT has been undetected since 2020 and has targeted small office/home office (SOHO) routers. “It is no coincidence that the first identified deployment of ZuoRAT dates back to the beginning of the Covid-19 pandemic. Its outbreak triggered a spontaneous transition to remote work and a dramatic increase in the number of SOHO routers used by employees to access corporate infrastructures from home,” explains Martin Lohnert, a cyber security specialist at Soitron.
Do you have a router? And can I see it?
This threat affected a whole range of popular routers from brands such as Asus, Cisco, DrayTek, and Netgear. The sad truth is that almost none of the SOHO routers are regularly monitored and serviced, which makes them one of the weakest points in the network perimeter. That is why they can easily be misused to collect data or compromise devices connected to the network.
“When ordinary users purchase a router, they perform a basic configuration, or ask an IT technician to do it for them, and then they start using it. Unfortunately, it rarely happens that they would ever check it again or update its firmware. And this very practice represents a potential major risk,” explains Lohnert.
The sudden transition to remote work has allowed sophisticated attackers to take advantage of this opportunity and overcome the traditional IT defences of many well-established organizations. After a router has been infected (often with protection settings against known security vulnerabilities that are not configured), the ZuoRAT malware can easily be deployed by a script. The malware can then compromise devices connected to the network and install other malicious software in Windows, macOS, and Linux operating systems.
ZuoRAT targeting and how to protect against it
A ZuoRAT-based attack starts with detecting whether there are any known but yet unpatched vulnerabilities in the router. After successfully infecting the router, the next step is the activation and detection of devices connected to the router. The attacker can then use DNS hijacking and HTTP hijacking to force connected devices to install additional malware. Another built-in function is the ability to collect data via ports 21 and 8443 using the TCP protocol. These ports are used for FTP connections and web browsing, which potentially allows the attacker to intercept users’ online activity from the compromised router.
The attack is conducted very professionally. “Great efforts were made to keep ZuoRAT undetected. In addition, the attack infrastructure was surprisingly highly sophisticated. Although the number of identified ZuoRAT attacks is not dizzyingly high for now, no one can be sure that their home router would not be affected. It is literally a security time bomb that can blow up at any time,” Lohnert points out.
Home users can protect against such threats by regularly updating their router’s firmware and by noticing any suspicious behaviour in their home network. Companies should also realize that IT elements outside their organization’s infrastructure cannot be trusted and that they should be perceived as potentially dangerous. After all, these elements are outside their control and so they should always be treated as untrusted devices.
We are in the process of finalizing. If you want to be redirected to our old version of web site, please click here.