In short: State-backed Chinese hackers are reportedly exploiting unpatched consumer routers and network-attached storage (NAS) devices to gain access to the infrastructure of large telecommunications companies. Once inside, they intercept traffic from these networks and route it to servers in China. The US agencies that issued the warning did not name the victims.


According to the new alert, Chinese state-sponsored hackers are exploiting known security vulnerabilities in unpatched network devices to build a wide web of compromised infrastructure.


A joint notice was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the NSA and the FBI.

Some of the affected devices include consumer routers from Cisco, D-Link and Netgear, as well as NAS devices made by QNAP. Once compromised, they serve as additional access points for routing command-and-control (C2) traffic and as midpoints from which to intrude into other entities, such as telcos and network service providers.


After infiltrating these telecommunications networks, the attackers execute router commands to route, capture and relay traffic to their own servers. At the same time, they monitor the accounts and activities of network defenders and adjust their ongoing campaigns to remain undetected.
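The routing-and-capture step above leaves traces in the device configuration itself: a new mirror session, a static route, a tunnel or a flow-export target pointing at a host the operator does not own. The following check is an added example, not code from the advisory or this article. It diffs a current running config against a known-good baseline and flags added statements of those kinds; the two configs are constructed, Cisco IOS-style snippets (the syntax is an assumption, adapt the patterns for other vendors), and the trusted prefixes and the host 198.51.100.77 are made up for the example.

```python
"""Flag newly added router statements that redirect, copy or export traffic.

Added example (not from the advisory or article). Configs below are constructed
Cisco IOS-style snippets; trusted prefixes are illustrative.
"""
import ipaddress
import re

# Constructed "known good" baseline captured before the suspected intrusion window.
BASELINE = """\
hostname edge-rtr-1
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.10.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip flow-export destination 10.10.5.20 2055
"""

# Constructed "current" running config containing attacker-style additions:
# a tunnel, a static route and a flow export toward an unknown host, plus a
# SPAN session copying the LAN interface to the uplink.
CURRENT = """\
hostname edge-rtr-1
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.10.0.1 255.255.255.0
interface Tunnel9
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.10.20.0 255.255.255.0 198.51.100.77
ip flow-export destination 10.10.5.20 2055
ip flow-export destination 198.51.100.77 9995
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/0
"""

# Prefixes the operator owns or peers with (illustrative); anything else is unknown.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Statement types that can route, mirror or export traffic off the device.
SUSPECT_PATTERNS = {
    "static_route": re.compile(r"^ip route \S+ \S+ " + IPV4),
    "tunnel_dest": re.compile(r"^tunnel destination " + IPV4),
    "flow_export": re.compile(r"^ip flow-export destination " + IPV4),
    "span_session": re.compile(r"^monitor session \d+ (?:source|destination) "),
}


def is_trusted(ip):
    """True if the address falls inside an operator-owned prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def normalize(config):
    """Strip indentation and blank lines so statements compare as plain text."""
    return [line.strip() for line in config.splitlines() if line.strip()]


def added_lines(baseline, current):
    """Statements present in the current config but absent from the baseline."""
    base = set(normalize(baseline))
    return [line for line in normalize(current) if line not in base]


def find_suspicious_changes(baseline, current):
    """Return (kind, statement, reason) for every added traffic-steering statement.

    Mirror sessions are flagged unconditionally: they copy traffic no matter
    where it ends up. Routes, tunnels and exports are flagged when their target
    lies outside the trusted prefixes.
    """
    findings = []
    for line in added_lines(baseline, current):
        for kind, pattern in SUSPECT_PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            ip = match.groupdict().get("ip")
            if ip is None:
                findings.append((kind, line, "new traffic mirror session"))
            elif not is_trusted(ip):
                findings.append((kind, line, f"target {ip} outside trusted prefixes"))
    return findings


if __name__ == "__main__":
    for kind, stmt, reason in find_suspicious_changes(BASELINE, CURRENT):
        print(f"[{kind}] {stmt}  <- {reason}")
```

The trusted-prefix list only ranks findings; a route or export toward an address you do own can still be hostile if that host is itself compromised, so every added steering statement deserves a look, and the baseline must come from a copy taken before the suspected intrusion, not from the device's own current backup.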

The attackers are reported to use open-source tools such as RouterScan and RouterSploit to find vulnerable devices. They carry out their intrusions through compromised servers called hop points, which usually have Chinese IP addresses resolving to various Chinese ISPs.

The agencies say the hackers directly or indirectly rent remote-access servers from hosting providers and use them to register and access operational email accounts, host C2 domains and interact with victims' networks. The hop points also serve as an obfuscation technique when the actors interact with those networks.

In related news, the FBI warned US universities last month that their VPN credentials were being sold on Russian cybercriminal forums.