In a startling revelation, security experts from Lumen Technologies have exposed a significant hacking campaign that compromised over 6,000 Asus routers within a mere 72-hour window this month. This incident is part of a broader, alarming pattern of attacks targeting vulnerable, end-of-life routers and smart devices. The campaign marks the unexpected return of TheMoon botnet, a network of malware-compromised devices previously thought to be defunct, which hackers leverage to conduct distributed attacks.
The revived TheMoon botnet has seen an expansive reach, successfully infecting more than 40,000 routers and smart devices across 88 countries in January and February alone. The Asus router infections represent just a fraction of this widespread campaign. Intriguingly, the bulk of these compromised devices are suspected to serve as the infrastructure for the cybercriminal proxy service Faceless. This service enables users to anonymously channel their malicious internet activities through an extensive network of hijacked computers, effectively masking their digital footprints.
Over the past two years, Lumen's research team has identified seven distinct campaigns aimed at infiltrating home and small-business routers, underscoring a growing concern among cybersecurity professionals and officials about the inadequate security protocols of many at-home devices. These concerns have been heightened by recent espionage efforts that exploit these vulnerabilities to conduct clandestine operations.
The resurgence of TheMoon botnet and its association with the Faceless proxy service suggest a tactical shift among cybercriminals. This evolution is likely a response to intensified scrutiny and actions by law enforcement and intelligence agencies against the cybercrime ecosystem: the intent is to find new, more sophisticated means of obscuring illicit online activities.
Since its re-emergence, TheMoon botnet has reportedly attracted nearly 7,000 new users weekly to the Faceless service, highlighting the botnet's significant role in expanding the service's user base and operational capacity. While Lumen Technologies has not pinpointed the specific actors behind this resurgence, the implications of this campaign are clear.
In response to these threats, Lumen has proactively blocked access to the infected devices within its network. Additionally, the company emphasizes the critical importance of regular security updates for routers and smart devices owned by consumers. This incident is a stark reminder of the ever-evolving landscape of cybersecurity threats and the continuous need for vigilance and proactive measures to protect digital infrastructures and personal privacy in the interconnected world.