Black Lotus Labs®, the threat intelligence arm of Lumen Technologies (NYSE: LUMN), recently uncovered a hacktivist campaign that leveraged misconfigured routers and switches to distribute an anti-government manifesto.
Overview of the Attack
- On and around May 13, 2021, the attacker gained access to the victims’ routers and switches due to a misconfiguration that exposed control of the devices to the internet.
- This external exposure allowed the threat actor to remotely alter the victims’ configuration files, which rendered the routers unusable.
- Victims who attempted to fix the compromised file found that it had been replaced with approximately six pages of an anti-government manifesto.
Additional Key Findings
- Abusing misconfigured routers to gain access to the victims’ configurations is not a new tactic; recommendations for properly configuring the routers and switches were published in 2017.
- Despite this, more than 18,000 devices around the world are still exposed, and Black Lotus Labs has identified more than 800 unique scanners looking for the misconfigured equipment, and thus for potential victims.
The Black Lotus Labs Response and Recommendations
Black Lotus Labs null-routed the malicious IP address across the Lumen global network and added it to a block list for its security customers.
The company also offered recommendations for organizations that had already been attacked, and those that have misconfigured routers. “Victims can recover from this attack by rebuilding their router configuration, and either disabling or limiting the ability to manage the device remotely,” said Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs. “In the meantime, we will continue to look for attackers abusing this protocol.”