As organisations continue to facilitate remote working, threat actors have sought to take advantage and to gain initial access and then further exploit potential victims. Here, we look at what to you should be aware of...

ZuoRAT is a recently discovered remote access trojan (RAT) that was developed to exploit small office/home office (SOHO) routers within North American and Europe.

It is assessed that this activity is attributable to a highly skilled threat actor but there is limited information due to the lack of monitoring of SOHO devices.

Researchers at Lumen technologies have discovered a malicious campaign targeting devices that are often overlooked and not monitored. Historically SOHO devices were used often for leisure or limited business use.

However, with organisations facilitating remote working or ‘bring your own device’ policies, these routers are now in a position to create interaction with an organisation’s main network infrastructure.

It is reported that the campaign has been deployed to target North American and European networks and utilises a RAT dubbed as ZuoRat. More specifically the RAT is a MIPS file (microprocessor without Interlocked Pipeline stages file) which allows the malware to be compiled for SOHO routers.

Once infected, the malware will seek to enumerate the host and local network. From this position, more data exfiltration can potentially occur with man-in-the-middle attacks.

Infected devices can then potentially have further malware downloaded to help achieve the objectives of the threat actor. Three tools identified by Lumen were CBeacon, GoBeacon and Cobalt Strike.

Depending on the environment and the objectives of the threat actor will drive which tool will be used on the infected system, but all three are capable pieces of software that can allow the threat actor to have substantial control over compromised hosts.

There is evidence that devices from large brand names such a ASUS, Cisco, DrayTek and NETGEAR have been infected. However, even this evidence has been limited and no exploit scripts were acquired for any device other than a very specific model, the JCG-Q20 Chinese-made router.

It has been assessed that this activity will continue and is a part of a much larger campaign still yet to be fully uncovered. Furthermore, the yet to be identified threat actor behind these attacks are currently taking advantage of blind spots in cyber security.

The change in tactics aimed at targeting lesser monitored devices is likely to continue and become a more widely used vector of attack.

Organisations should seek to identify defensive measures to protect against attacks targeting their data or infrastructure particularly through devices not owned by the organisations or assured to be on their network.

As such, 'bring your own device' policies should be reviewed and the security posture around these devices hardened.

Policies and procedures relating to remote working should be reviewed more regularly than traditional cyber security policies within organisational infrastructure, given the lack of controls and assurance surrounding assets and networking and the consistently evolving and increasing threat.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).