
When was the last time you updated your router? If you’re not sure, you’re not alone, and this uncertainty could pose a serious risk to your business.
The FBI recently warned that malicious actors are targeting end-of-life (EOL) routers (network devices that manufacturers no longer support or update). These outdated routers are being hijacked by bad actors who use them as a stepping stone into networks, turning them into cybercriminal proxies. The threat is real, and it’s growing.
The weapon of choice behind many of these attacks is a sophisticated strain of malware known as TheMoon, which has been stealthily infecting vulnerable routers for more than a decade. With remote administration enabled and zero patch support, these devices are low-hanging fruit for malefactors who want to fly under the radar.
Ignoring this risk is dangerous for any organization, particularly those burdened with legacy infrastructure or a large number of remote sites.
Understanding TheMoon Malware and Its Impact
TheMoon malware has evolved since it was first discovered over ten years ago. It has adapted to exploit various vulnerabilities in router firmware. Unlike ransomware or attacks that aim to damage or destroy systems, it runs secretly, transforming the infected router into a proxy node as part of a more extensive botnet.
Let’s take a closer look at how this works.
A proxy is a type of server that sits between a user and the Web. Its role is to conceal a user’s actual IP address and substitute it with a different one, say, from an infected router. For malicious actors eluding capture (whether they want to exfiltrate data, launch attacks, or do something illegal), anonymity is critical, and proxies afford them just that.
The danger doesn’t end there. The malware scans the internet for unprotected routers with exposed ports. When it finds one, it sends commands that do not require authentication, then connects to a command-and-control (C2) server, which instructs the compromised router to scan for additional potential victims, further widening the botnet. These devices end up being unwitting participants in a sprawling underground cyberinfrastructure.
This is particularly worrisome because routers infected with TheMoon will likely carry on functioning normally for some time. Users might notice intermittent connectivity issues, unexplained changes in configurations, or devices that start overheating. But these signs are often overlooked or misinterpreted.
Mitigation Strategies and Best Practices
Now for the good news: you can do something about this.
The FBI’s Public Service Announcement outlines the threat and offers clear, actionable steps that firms and individuals can take to shrink their exposure.
Replace End-of-Life Routers Immediately
The most critical step is also the most obvious: retire EOL routers. These devices are sitting ducks if the manufacturers no longer provide firmware updates or security patches. Many routers built before 2010 fall into this category and should be replaced with modern models that get ongoing support.
Disable Remote Administration
Remote management is often enabled by default, and IT teams sometimes leave it on without a second thought, which has made it a popular attack vector. Disable this setting unless it is absolutely necessary. Log in to your router’s settings, turn off remote access, and reboot the device to apply the change.
Apply Security Patches and Firmware Updates
For routers still under support, be certain you’re running the latest firmware. Set a recurring reminder to check for updates, or enable automatic updates if available. Firmware patches usually contain fixes for known vulnerabilities, and delaying updates can mean the difference between safe and compromised.
Use Strong, Unique Passwords
Default credentials are one of the easiest ways attackers get in. Change your router’s admin password to something strong, unique, and random. Aim for 16–64 characters using a combination of letters, numbers, and symbols. Never reuse passwords across devices or systems, as threat actors count on this.
Monitor for Signs of Compromise
Watch for unusual behavior: network slowness, unknown devices on your network, or altered settings could all be red flags. If you suspect compromise, apply any available updates, change your passwords, and reboot your router immediately.
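The "altered settings" and "unknown devices" indicators above are easiest to catch by comparing a saved baseline of the router's configuration against a fresh snapshot. The script below is an example added for this article, not code from the FBI announcement or from any router vendor: it assumes you have already exported the relevant fields (firmware version, remote-admin flag, management port, DNS servers, DHCP lease table) into the `RouterSnapshot` structure, and both snapshots it compares are constructed sample data.

```python
"""Router configuration drift check.

Added example for this article (not from the FBI PSA or any vendor).
Assumes the operator exports a router's settings into RouterSnapshot;
the field names and the two snapshots below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RouterSnapshot:
    firmware: str            # firmware version as reported by the admin interface
    remote_admin: bool       # is WAN-side (remote) management enabled?
    admin_port: int          # TCP port the management interface listens on
    dns_servers: tuple       # upstream resolvers handed out to LAN clients
    lan_devices: frozenset   # (mac, hostname) pairs from the DHCP lease table


def compare_snapshots(baseline: RouterSnapshot, current: RouterSnapshot) -> list:
    """Return human-readable findings; an empty list means no drift from baseline."""
    findings = []
    if current.remote_admin != baseline.remote_admin:
        state = "enabled" if current.remote_admin else "disabled"
        findings.append(f"remote administration was {state}")
    if current.admin_port != baseline.admin_port:
        findings.append(f"management port changed: {baseline.admin_port} -> {current.admin_port}")
    if current.dns_servers != baseline.dns_servers:
        # Silently rewritten resolvers are a classic sign of a tampered router.
        findings.append(f"DNS servers changed: {baseline.dns_servers} -> {current.dns_servers}")
    if current.firmware != baseline.firmware:
        # Any change outside a scheduled update window deserves a look.
        findings.append(f"firmware changed: {baseline.firmware} -> {current.firmware}")
    for mac, host in sorted(current.lan_devices - baseline.lan_devices):
        findings.append(f"unknown device on LAN: {mac} ({host or 'no hostname'})")
    return findings


# Constructed sample data: a baseline taken when the router was set up ...
BASELINE = RouterSnapshot(
    firmware="2.1.4",
    remote_admin=False,
    admin_port=443,
    dns_servers=("192.0.2.53", "192.0.2.54"),
    lan_devices=frozenset({("00:11:22:33:44:55", "office-printer"),
                           ("66:77:88:99:aa:bb", "reception-pc")}),
)

# ... and a snapshot taken today, showing the kind of drift worth investigating.
CURRENT = RouterSnapshot(
    firmware="2.1.4",
    remote_admin=True,
    admin_port=8443,
    dns_servers=("198.51.100.9", "192.0.2.54"),
    lan_devices=frozenset({("00:11:22:33:44:55", "office-printer"),
                           ("66:77:88:99:aa:bb", "reception-pc"),
                           ("de:ad:be:ef:00:01", "")}),
)


if __name__ == "__main__":
    for finding in compare_snapshots(BASELINE, CURRENT):
        print("ALERT:", finding)
```

Run it on a schedule against a freshly exported snapshot and route the findings to whoever owns the device; a baseline with no drift produces no output, so any line at all is worth a ticket.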
Report Suspicious Activity
If you believe your device has been compromised or used as a proxy for malicious activity, report it to the FBI’s Internet Crime Complaint Center (IC3). Include as much detail as possible to help investigators track and disrupt the broader botnet operations.
Proactive Steps Toward Enhanced Network Security
Outdated network equipment is a security liability. End-of-life routers no longer receive the software updates needed to protect against emerging threats. As a result, they are easy targets for sophisticated malware like TheMoon, which exploits router vulnerabilities to build proxy networks that shield cybercriminals from detection.
At a time when digital infrastructure underpins almost every part of business operations, securing the edge of your network is essential.
As part of more comprehensive cybersecurity hygiene, organizations need to regularly audit their networking and telecommunication equipment and remove non-supported devices. It goes beyond just patching servers and securing endpoints. Your router, that unassuming piece of technology sitting in the corner of your office, might very well be the weakest link in your chain of defenses.
The lesson is clear: don’t let outdated hardware become an open door for cybercriminals. Take action to strengthen your network security and shut down potential entry points before they’re exploited.
Because when it comes to cybersecurity, what you don’t know (or forget) can hurt you.
Next Steps:
- Do an inventory of all networking equipment, including routers at branch offices and remote sites.
- Create a replacement roadmap for devices approaching or at EOL.
- Review router settings, disable remote management, and apply the latest firmware.
- Train IT teams to look out for early signs of malware activity and report incidents quickly.
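The first three steps above (inventory, replacement roadmap, settings and firmware review) can be driven from a single audit over the equipment list. The script below is an example added for this article, not code from Fortra or the FBI: the inventory records, EOL dates and firmware versions are constructed placeholders, and it assumes your inventory can supply the vendor's announced EOL date and the newest published firmware version for each model.

```python
"""Network equipment EOL and configuration audit.

Added example for this article (not from Fortra or the FBI).
Inventory records below are constructed; EOL dates and firmware versions
are placeholders, not real vendor data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Router:
    site: str
    model: str
    firmware: str                 # version currently running
    latest_firmware: str          # newest vendor release; "" if the vendor no longer publishes any
    eol_date: Optional[date]      # vendor-announced end-of-life date; None if not announced
    remote_admin: bool            # remote management enabled?


def parse_version(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(routers: list, today: date, lead_days: int = 180) -> dict:
    """Sort each router into the action buckets from the article's next steps.

    lead_days is the planning horizon for the replacement roadmap (assumed value).
    """
    report = {"replace_now": [], "plan_replacement": [],
              "fix_settings": [], "update_firmware": []}
    horizon = today + timedelta(days=lead_days)
    for r in routers:
        if r.eol_date is not None and r.eol_date <= today:
            report["replace_now"].append(r.site)            # already unsupported
        elif r.eol_date is not None and r.eol_date <= horizon:
            report["plan_replacement"].append(r.site)       # approaching EOL
        if r.remote_admin:
            report["fix_settings"].append(r.site)           # disable remote management
        if r.latest_firmware and parse_version(r.firmware) < parse_version(r.latest_firmware):
            report["update_firmware"].append(r.site)        # still supported but behind
    return report


# Constructed inventory covering HQ plus branch and remote sites.
INVENTORY = [
    Router("hq", "ModelA", "4.2.0", "4.2.0", date(2028, 1, 1), False),
    Router("branch-a", "ModelB", "1.0.7", "", date(2019, 12, 31), True),
    Router("branch-b", "ModelC", "1.9.3", "1.10.0", date(2025, 8, 15), False),
    Router("remote-site", "ModelD", "3.0.1", "3.1.0", None, True),
]

AUDIT_DATE = date(2025, 6, 1)   # fixed so the example is reproducible


if __name__ == "__main__":
    for bucket, sites in audit(INVENTORY, AUDIT_DATE).items():
        print(f"{bucket}: {', '.join(sites) or '-'}")
```

Feeding the output into the replacement roadmap is straightforward: everything in `replace_now` is budget for this quarter, `plan_replacement` is the next one, and the other two buckets are work the network team can finish this week.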
Don’t wait for a breach to rethink your router strategy. A secure network starts with secure hardware.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.