
FBI Warns of Malware Targeting Outdated Routers to Fuel Proxy Networks

The FBI has warned about cybercriminals exploiting outdated, end-of-life (EoL) routers to install persistent malware and convert them into proxies for sale on platforms like 5Socks and Anyproxy.

May 9, 2025

Arsalan Rathore

These older routers, which no longer receive security updates from manufacturers, are vulnerable to known exploits that allow threat actors to inject malware. Once infected, the devices become part of residential proxy botnets, used to mask malicious online activity and conduct cyberattacks.

According to an FBI Flash advisory, criminals sell access to these compromised routers, enabling buyers to route traffic and conceal their identities or locations.

The advisory highlights several commonly targeted EoL models, including:

  • Linksys: E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N, WRT610N
  • Cradlepoint: E100
  • Cisco: M10

The agency also reported that Chinese state-sponsored hackers have used these vulnerabilities to carry out covert espionage campaigns, including attacks on U.S. critical infrastructure.

Many of these compromised routers are infected with a variant of the Moon malware, which transforms them into proxies. The malware connects the routers to command-and-control (C2) servers, allowing attackers to issue remote commands, scan for new targets, and maintain control of the infected devices.

These proxy-enabled routers are frequently used in illegal activities such as cryptocurrency theft and cybercrime-for-hire operations. Symptoms of infection may include degraded performance, unexpected configuration changes, rogue admin accounts, overheating, and unusual network traffic.

Mitigation Recommendations:

  • Replace EoL routers with newer models that receive regular updates.
  • If replacement isn’t possible, install the latest firmware from the official vendor site.
  • Change default admin credentials.
  • Disable remote administration features.

The FBI has also released indicators of compromise (IOCs) to help identify infected devices.