No Malware Needed: APT28's Router Token Harvesting Spree
Just saw the detailed report on Krebs regarding Russian military intelligence units (likely APT28) leveraging known vulnerabilities in end-of-life SOHO routers. This campaign is massive—impacting over 18,000 networks—and the scary part is the complete lack of malware on the endpoints.
Instead of infecting laptops, they are compromising the edge devices (routers) to passively harvest Microsoft 365 authentication tokens. By sitting on the router, they can intercept AD FS or OAuth tokens in transit. Since the traffic originates from a "trusted" internal IP, standard UEBA and heuristic detection often fails to flag the authentication attempt as anomalous until it's too late.
Most of these targets are likely older Cisco, Netgear, or DrayTek devices that haven't seen a firmware update in years. The attackers are essentially "living off the land" by abusing the router's native management functionality or CVEs from years past (think CVE-2017-6736 or similar generic remote execution flaws).
For detection, we have to shift focus to the network edge. I'd recommend checking for anomalous outbound traffic from router IPs that shouldn't be talking to Microsoft login endpoints directly. Also, if you have legacy gear, block internet access to the management interfaces immediately.
Here is a quick snippet to scan your internal subnet for common vulnerable ports (like Telnet or HTTP management interfaces) that should probably be disabled:
# Quick scan for open management ports on common gateway IPs.
# Telnet (23) and plain HTTP (80) should not be reachable at all; review 443/8080
# to confirm the management UI is bound to the LAN only and the firmware is current.
$gateways = @("192.168.1.1", "192.168.0.1", "10.0.0.1")
$ports    = @(23, 80, 443, 8080)
foreach ($ip in $gateways) {
    foreach ($port in $ports) {
        # Test-NetConnection completes a TCP handshake; -WarningAction hides the
        # noisy "TCP connect failed" warning that closed ports produce.
        $result = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        if ($result.TcpTestSucceeded) {
            Write-Host "[!] Open Port: $port on $ip" -ForegroundColor Red
        }
    }
}
Is anyone else seeing a resurgence in router-based attacks recently? How are you handling clients who refuse to replace EOL gear because "it still works"?
This is exactly why I'm pushing hard for Zero Trust Network Access (ZTNA) even for small offices. If the router is compromised, the attacker gets the data in transit, but they can't easily pivot laterally if the micro-segmentation is done right.
Also, verify your Conditional Access policies. Ensure you are enforcing compliant device status and location-based policies. If a token is stolen but used from an unexpected country, MFA should trigger (unless they are also proxying the traffic, which gets harder to detect).
Definitely time to audit those edge devices.
We found a bunch of DrayTek Vigor routers in the wild still vulnerable to CVE-2020-8515. The owners don't want to upgrade because the CLI is familiar. It's a nightmare.
On the detection side, I've added a specific watchlist in Sentinel for User-Agent strings associated with router management interfaces attempting to reach login.microsoftonline.com. Legitimate users shouldn't be routing auth traffic through a router's proxy if configured correctly.
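The two detection ideas in this thread (the original post's "router IPs that shouldn't be talking to Microsoft login endpoints" and the reply's user-agent watchlist for login.microsoftonline.com) reduce to the same filter over proxy or firewall logs. Here is an added example of that filter in PowerShell; it is not code from either poster. The log layout, the gateway addresses, the login host list and the user-agent fragments are all assumptions chosen for illustration, and the sample rows are constructed, not captured traffic.

```powershell
# Added example: flag sign-in traffic to Microsoft login endpoints that either
# originates from a gateway/router IP or carries a router-style user-agent.
# Every list below is an assumption for illustration; adapt to your environment.

# Gateways that should never initiate Microsoft 365 sign-ins themselves (assumed).
$GatewayIPs = @('192.168.1.1', '10.0.0.1')

# Hosts every interactive Microsoft 365 sign-in touches (only the common ones listed).
$LoginHosts = @('login.microsoftonline.com', 'login.microsoft.com',
                'login.live.com', 'device.login.microsoftonline.com')

# Illustrative watchlist of user-agent fragments from embedded or scripted HTTP
# clients rather than browsers. Replace with the patterns you actually see.
$RouterUaPatterns = @('DrayTek', 'RouterOS', 'curl/', 'Wget/', 'Go-http-client')

function Find-SuspiciousLoginTraffic {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )
    $findings = @()
    foreach ($line in $LogLines) {
        # Constructed row format: "time|src_ip|dst_host|dst_port|user_agent".
        # Pipe-separated so the user-agent (which contains spaces) survives.
        $f = $line -split '\|'
        if ($f.Count -lt 5) { continue }                      # skip malformed rows
        $src     = $f[1].Trim()
        $dstHost = $f[2].Trim().ToLower()
        $ua      = $f[4].Trim()
        if ($LoginHosts -notcontains $dstHost) { continue }  # only sign-in hosts matter

        $reasons = @()
        if ($GatewayIPs -contains $src) { $reasons += 'gateway-sourced auth' }
        foreach ($p in $RouterUaPatterns) {
            if ($ua -like "*$p*") { $reasons += "router-style UA ($p)"; break }
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Time        = $f[0].Trim()
                Source      = $src
                Destination = $dstHost
                UserAgent   = $ua
                Reason      = ($reasons -join '; ')
            }
        }
    }
    return ,$findings
}

# Constructed sample log: rows 1, 2 and 5 are benign; rows 3 and 4 should be flagged.
$sample = @(
    '2024-05-01T08:00:01Z|192.168.1.45|login.microsoftonline.com|443|Mozilla/5.0 (Windows NT 10.0) Edg/124.0',
    '2024-05-01T08:00:07Z|192.168.1.1|time.windows.com|123|-',
    '2024-05-01T08:01:12Z|192.168.1.1|login.microsoftonline.com|443|curl/7.68.0',
    '2024-05-01T08:02:40Z|192.168.1.77|login.microsoftonline.com|443|DrayTek Vigor/3.9',
    '2024-05-01T08:03:03Z|192.168.1.45|outlook.office365.com|443|Mozilla/5.0 (Windows NT 10.0) Edg/124.0'
)
Find-SuspiciousLoginTraffic -LogLines $sample | Format-Table -AutoSize
```

Feed it an export from whatever sits in front of the gateway (proxy, NGFW, DNS/TLS SNI logs); a client behind a compromised router still shows the client's own IP and browser UA, so a gateway address or a non-browser UA on a sign-in host is the signal worth a watchlist entry, with the same two conditions carried over as the Sentinel rule.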
Great snippet. I'd extend that scan to look for DNS changes on the router as well. These groups often change the DNS settings to point to their own resolvers to facilitate the theft or redirect traffic.
Check your DHCP leases and the DNS server IP handed out to clients. If your router is handing out 8.8.8.8 when it should be handing out your internal DC IP, you have a problem.
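As an added example (not from the reply above) of the DHCP/DNS check it describes, the following PowerShell compares the DNS servers and default gateway a Windows client actually received against what the subnet is supposed to hand out. The expected DC and gateway addresses are assumptions for illustration; the sample inputs in the last call are constructed.

```powershell
# Added example: detect a client that was handed an unexpected resolver or gateway.
# Expected values are assumptions; replace them with your own DC and gateway IPs.

$ExpectedDns     = @('192.168.1.10', '192.168.1.11')   # internal DCs (assumed)
$ExpectedGateway = '192.168.1.1'                       # the router (assumed)

function Test-DhcpHandout {
    param(
        [Parameter(Mandatory)] [string[]] $ObservedDns,
        [Parameter(Mandatory)] [string]   $ObservedGateway,
        [string[]] $ExpectedDnsServers = $ExpectedDns,
        [string]   $ExpectedGatewayIp  = $ExpectedGateway
    )
    $issues = @()
    # Any resolver not on the allow-list (e.g. 8.8.8.8, or an attacker-run resolver)
    foreach ($dns in $ObservedDns) {
        if ($ExpectedDnsServers -notcontains $dns) {
            $issues += "unexpected DNS server $dns (expected: $($ExpectedDnsServers -join ', '))"
        }
    }
    # A DC silently dropped from the handout is just as suspicious as an addition
    foreach ($dns in $ExpectedDnsServers) {
        if ($ObservedDns -notcontains $dns) { $issues += "expected DNS server $dns missing" }
    }
    if ($ObservedGateway -ne $ExpectedGatewayIp) {
        $issues += "gateway is $ObservedGateway, expected $ExpectedGatewayIp"
    }
    return ,$issues
}

# Live check on a Windows client: read what each interface with a default route uses.
function Get-LocalHandoutFindings {
    $findings = @()
    foreach ($cfg in Get-NetIPConfiguration) {
        $gw = $cfg.IPv4DefaultGateway | Select-Object -First 1 -ExpandProperty NextHop
        if (-not $gw) { continue }   # no default route: loopback, VPN adapter, etc.
        # AddressFamily 2 = IPv4 entries in the DNSServer property
        $dns = @($cfg.DNSServer | Where-Object AddressFamily -eq 2 |
                 Select-Object -ExpandProperty ServerAddresses)
        foreach ($issue in Test-DhcpHandout -ObservedDns $dns -ObservedGateway $gw) {
            $findings += "[$($cfg.InterfaceAlias)] $issue"
        }
    }
    return ,$findings
}

# Constructed input: a client handed a public resolver in place of one of the DCs.
Test-DhcpHandout -ObservedDns @('8.8.8.8', '192.168.1.10') -ObservedGateway '192.168.1.1'
```

Run Get-LocalHandoutFindings from a client on each subnet behind a suspect router; because the check is client-side it works whether the router or a Windows server is the DHCP authority. Treat an unexpected resolver as a lead, not proof: confirm it against the router's DHCP and DNS configuration before assuming compromise.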