A threat actor tracked as ViciousTrap has compromised over 5,500 network edge devices in 84 countries and turned them into honeypot nodes operating as part of one large network. The hackers exploited a previously documented vulnerability, CVE-2023-20118, which affects several Cisco small office/home office (SOHO) routers.
Specifically, the following Cisco Small Business routers are at risk:
- RV016
- RV042
- RV042G
- RV082
- RV320
- RV325
The campaign was discovered by security researchers at the cybersecurity firm Sekoia. Its report also highlights a separate campaign breaching SOHO routers, SSL VPNs, DVRs, and BMC controllers from more than 50 brands, including Asus, D-Link, Linksys, and QNAP. That campaign's goal is to build a honeypot infrastructure similar to the one described above, and while there is no evidence directly linking the two campaigns, ViciousTrap is believed to be behind both.

The goal behind the honeypotting is unknown at the moment. However, Sekoia researchers believe that the infrastructure lets the threat actor observe exploitation attempts across multiple environments to collect zero-day exploits or reuse the access gained by other hackers.
In layman's terms, the ViciousTrap hackers use the compromised devices to watch other attackers who target the same devices. This lets them collect previously unknown zero-day vulnerabilities used by other hackers and reuse those hackers' access for their own purposes.
The infection chain also appears to support this objective. The hackers only need to execute a shell script called NetGhost on the target device. The script then redirects all traffic arriving at the compromised device to another "honeypot-like infrastructure" under the hackers' control, letting them intercept that traffic.
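As an added example, not Sekoia's tooling and not NetGhost itself (whose mechanism the report excerpt above does not detail), here is a defender-side check for the kind of catch-all traffic redirection described: it parses `iptables-save` NAT output from a Linux-based edge device and flags PREROUTING DNAT rules whose destination lies outside the operator's trusted networks. The rule lines, interface name and addresses are constructed; IPv4 only.

```python
import ipaddress
import re

# Constructed sample of `iptables-save` NAT output; not a real NetGhost artifact.
# The second rule forwards everything on eth0 to an external address, which is
# the pattern to look for when a device is suspected of being turned into a relay.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -i eth0 -j DNAT --to-destination 203.0.113.45
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 198.51.100.7:2222
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

DNAT_RE = re.compile(
    r"^-A PREROUTING (?P<match>.*?)-j DNAT --to-destination (?P<target>\S+)"
)

DEFAULT_TRUSTED = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")


def suspicious_redirects(nat_rules: str, trusted_nets=DEFAULT_TRUSTED):
    """Return PREROUTING DNAT rules whose target is outside the trusted networks.

    Each finding records the rule, the target host and whether the rule is a
    catch-all (no port match), i.e. it redirects every incoming connection.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in nat_rules.splitlines():
        m = DNAT_RE.match(line)
        if not m:
            continue
        host = m.group("target").rsplit(":", 1)[0]  # strip optional :port (IPv4)
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in trusted):
            continue  # internal port-forward, expected on an edge device
        findings.append({
            "rule": line,
            "target": host,
            "catch_all": "--dport" not in m.group("match"),
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_redirects(SAMPLE_NAT_RULES):
        kind = "CATCH-ALL" if f["catch_all"] else "port-specific"
        print(f"[{kind}] traffic redirected to external host {f['target']}: {f['rule']}")
```

On a real device, feed the function the output of `iptables-save -t nat` and adjust the trusted networks to the site's own address plan.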
ViciousTrap's final objective remains unknown, and this is the first time Sekoia has observed such activity. That also makes attribution difficult, but Sekoia notes that "the redirection of traffic to numerous assets in Taiwan and the United States without any compromised asset in China may suggest the involvement of a Chinese-speaking actor."
