Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns

The UK's National Cyber Security Centre and Microsoft have issued warnings regarding the Russian intelligence-linked group APT28, which is actively exploiting SOHO router vulnerabilities to hijack DNS settings.

Key Points

  • The Russian threat group APT28, also known as Fancy Bear or Forest Blizzard, is targeting small office and home office routers to redirect users to malicious websites.
  • Microsoft reports that these attacks have compromised over 200 organizations and 5,000 consumer devices globally.
  • Attackers modify DNS server settings to capture legitimate user credentials for services like Outlook through fraudulent copycat login pages.
  • Specific hardware models from TP-Link, Cisco, and MikroTik have been identified as targets for these ongoing exploitation efforts.
  • The NCSC notes that while the activity is opportunistic, it poses significant risks for gathering military intelligence and establishing backdoors for further network infiltration.
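The two observable symptoms of the router DNS hijacking described above are a resolver pushed by the router that the organisation does not operate, and a login hostname resolving to an address it should not. The following defender-side check is an added example, not code from the article or from the NCSC or Microsoft advisories; every address, hostname and allowlist entry in it is a constructed placeholder.

```python
"""Flag signs of router DNS tampering: untrusted resolvers and mismatched answers."""
import ipaddress

# Resolvers the organisation operates or sanctions (constructed sample values).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53", "1.1.1.1", "8.8.8.8"}

# Known-good A records for high-value login hostnames (constructed placeholders).
EXPECTED_ANSWERS = {
    "outlook.example.com": {"203.0.113.10", "203.0.113.11"},
}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry: skip it rather than crash the check
    return servers


def find_untrusted_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Resolvers handed out by the router (e.g. via DHCP) that are not allowlisted."""
    return [s for s in parse_resolv_conf(text) if s not in trusted]


def find_mismatched_answers(observed, expected=EXPECTED_ANSWERS):
    """Map each monitored hostname to any observed A records outside its expected set."""
    return {
        host: sorted(set(ips) - expected[host])
        for host, ips in observed.items()
        if host in expected and not set(ips) <= expected[host]
    }


# Constructed sample input: a resolver list pushed by a tampered router, and a
# lookup of the mail login hostname that came back pointing somewhere unexpected.
SAMPLE_RESOLV_CONF = """# Generated by DHCP from the SOHO router (constructed sample)
nameserver 10.0.0.53
nameserver 198.51.100.77
"""
SAMPLE_OBSERVED = {"outlook.example.com": ["198.51.100.80"]}

if __name__ == "__main__":
    print("untrusted resolvers:", find_untrusted_resolvers(SAMPLE_RESOLV_CONF))
    print("mismatched answers:", find_mismatched_answers(SAMPLE_OBSERVED))
```

Feed the script the resolver configuration a client actually received and the answers it actually got; either list being non-empty is the cue to inspect the router's DNS settings and firmware.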

Why it Matters

These attacks demonstrate how vulnerabilities in common network hardware can serve as a gateway for sophisticated actors to compromise enterprise environments and sensitive data. Organizations must prioritize patching and securing network devices to prevent attackers from gaining unauthorized access to internal systems and user credentials.

Source: Theregister.com, published by Connor Jones