Lumen Discovers Malware Targeted Home-office Routers

Black Lotus Labs, the threat intelligence arm of Lumen Technologies, has discovered a new remote access trojan (RAT) called ZuoRAT, which targets remote workers via their small office/home office (SOHO) devices. It is part of a complex campaign that went undetected for nearly two years.

The tactics, techniques and procedures that analysts observed are sophisticated and bear the markings of what is likely a nation-state threat actor.

When the pandemic forced offices to close, the rapid shift to remote work expanded security concerns as millions of employees began accessing corporate networks from home. This gave threat actors a fresh opportunity to leverage at-home devices such as routers that are widely used but rarely monitored or patched.

“Router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve,” said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. “In this campaign, we have observed a threat actor’s capability to exploit SOHO routers, covertly access and modify internet traffic in ways difficult to detect and gain additional footholds in the compromised network.”

Dehus continued, “Organizations should keep a close watch on SOHO devices and look for any signs of activity outlined in this research. This level of sophistication leads us to believe this campaign might not be limited to the small number of victims observed. To help mitigate the threat, they should ensure patch planning includes routers, and confirm these devices are running the latest software available.”

A complete list of affected routers is included in the ZuoRAT blog.

Read Lumen’s full report here: https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/?utm_source=referral&utm_medium=press+release