{"id":53840,"date":"2025-07-16T09:52:49","date_gmt":"2025-07-16T13:52:49","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53840"},"modified":"2025-07-16T09:52:49","modified_gmt":"2025-07-16T13:52:49","slug":"save-your-home-router-from-apt-residential-proxy","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/save-your-home-router-from-apt-residential-proxy\/53840\/","title":{"rendered":"Is your router secretly working for foreign intelligence?"},"content":{"rendered":"<p>A recently disclosed <a href=\"https:\/\/www.greynoise.io\/blog\/stealthy-backdoor-campaign-affecting-asus-routers\" target=\"_blank\" rel=\"nofollow noopener\">breach of thousands of ASUS home routers<\/a> goes to show that your home Wi-Fi access point isn\u2019t just useful to you (and possibly <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-wifi-from-neighbors\/39039\/\" target=\"_blank\" rel=\"noopener nofollow\">your neighbors<\/a>) \u2014 it\u2019s also coveted by cybercriminals and even state-sponsored hackers carrying out targeted espionage attacks. This new attack, presumably linked to the infamous APT31 group, is still ongoing. What makes it especially dangerous is its stealthy nature and the unconventional approach required to defend against it. That\u2019s why it\u2019s crucial to understand why malicious actors target routers \u2014 and how to protect yourself from these hacker tricks.<\/p>\n<h2>How compromised routers are exploited<\/h2>\n<ul>\n<li><strong>Residential proxy.<\/strong> When hackers target large companies or government agencies, the attacks are often detected by unusual IP addresses attempting to access the secured network. It\u2019s highly suspicious when a company operates in one country, but an employee suddenly logs in to the corporate network from another. Logins from known VPN-server addresses are equally suspect. 
To mask their activities, cybercriminals use compromised routers located in the country \u2014 and <a href=\"https:\/\/www.kaspersky.com\/blog\/residential-proxies-risks-and-mitigation\/50991\/\" target=\"_blank\" rel=\"noopener nofollow\">sometimes even in the specific city \u2014 close to their intended target<\/a>. They funnel all their requests through your router, which then forwards the data to the target computer. To monitoring systems, this looks just like a regular employee accessing work resources from home \u2014 nothing to raise any eyebrows.<\/li>\n<li><strong>Command-and-control server.<\/strong> Attackers can host malware on the compromised device for target computers to download. Or, conversely, they can exfiltrate data from the network directly to your router.<\/li>\n<li><strong>Honeypot for competitors.<\/strong> A router can be used as bait (a honeypot) to study the techniques used by other hacker groups.<\/li>\n<li><strong>Mining rig.<\/strong> Any computing device can be used for crypto mining. Using a router for mining isn\u2019t particularly efficient, but when a cybercriminal isn\u2019t paying for electricity or equipment, it still pays off for them.<\/li>\n<li><strong>Traffic manipulation tool. <\/strong>A compromised router can intercept and alter the contents of internet connections. This allows attackers to target any device connected to the home network. The range of applications for this technique is broad: <a href=\"https:\/\/www.kaspersky.com\/blog\/router-malware\/44539\/\" target=\"_blank\" rel=\"noopener nofollow\">from stealing passwords to injecting ads into web pages<\/a>.<\/li>\n<li><strong>DDoS bot.<\/strong> Any home device, including routers, baby monitors, smart speakers, and even smart kettles, can be linked together into a botnet and used to overwhelm any online service with millions of simultaneous requests from those devices.<\/li>\n<\/ul>\n<p>These options appeal to various groups of attackers. 
While mining, ad injection, and DDoS attacks are typically of interest to financially motivated cybercriminals, targeted attacks launched from behind a residential IP address are usually carried out either by ransomware gangs or by groups engaged in genuine espionage. This sounds like something out of a spy novel, but it\u2019s so widespread that the U.S. Cybersecurity and Infrastructure Security Agency (<a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-01\/SbD-Alert-Security-Design-Improvements-for-SOHO-Device-Manufacturers.pdf\" target=\"_blank\" rel=\"nofollow noopener\">CISA<\/a>) and the <a href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250507\" target=\"_blank\" rel=\"nofollow noopener\">FBI<\/a> have issued multiple warnings about it at various times. True to form, spies operate with utmost stealth, so router owners rarely notice that their device is being used for more than its intended purpose.<\/p>\n<h2>How routers get hacked<\/h2>\n<p>The two most common ways to hack a router are by brute-forcing the password to its administration interface and by exploiting software vulnerabilities in its firmware. In the first scenario, attackers take advantage of owners who leave the router with its factory settings and the default password <strong>admin<\/strong>, or who have changed the password to something simple to remember \u2014 and easy to guess, like <strong>123456<\/strong>. Once they crack the password, attackers can log in to the control panel just like the owner would.<\/p>\n<p>In the second scenario, attackers remotely probe the router to identify its manufacturer and model, then try known vulnerabilities one by one to seize control of the device.<\/p>\n<p>Typically, after a successful hack, they install hidden malware on the router to perform their desired functions. 
You may spot that something\u2019s wrong when your internet slows down, your router\u2019s CPU is working overtime, or <a href=\"https:\/\/www.kaspersky.com\/blog\/router-malware\/44539\/\" target=\"_blank\" rel=\"noopener nofollow\">the router itself even starts overheating<\/a>. A factory reset or firmware update usually eliminates the threat. However, the recent attacks on ASUS routers were a different story.<\/p>\n<h2>What makes the ASUS attacks different, and how to spot them<\/h2>\n<p>The main thing about this attack is that you can\u2019t fix it with a simple firmware update. Attackers set up a hidden backdoor with administrative access that persists through regular reboots and firmware updates.<\/p>\n<p>To start the attack, the malicious actor employs both of the techniques described above. If brute-forcing the admin password fails, attackers exploit two vulnerabilities to bypass authentication entirely.<\/p>\n<p>From this point on, the attack becomes more sophisticated. The attackers use yet another vulnerability to activate the router\u2019s built-in SSH remote management feature. They then add their own cryptographic key to the settings, which allows them to connect to the device and control it.<\/p>\n<p>Few home users ever manage their router using SSH or check the settings section where administrative keys are listed, so this access technique can go unnoticed for years.<\/p>\n<p>All three vulnerabilities exploited in this attack have since been patched by the vendor. However, if your router was previously compromised, updating its firmware won\u2019t remove the backdoor. You need to open your router\u2019s settings and check if an SSH server is enabled \u2014 listening on port 53282. 
If so, disable the SSH server and delete the administrative SSH key, which starts with the characters<\/p>\n<p><strong><em>AAAAB3NzaC1yc2EA<\/em><\/strong><\/p>\n<p>If you\u2019re not sure how to do all that, there\u2019s a more drastic solution: a full factory reset.<\/p>\n<h2>It\u2019s not just ASUS<\/h2>\n<p>The researchers who discovered the ASUS attack believe it\u2019s part of a <a href=\"https:\/\/blog.sekoia.io\/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse\/\" target=\"_blank\" rel=\"nofollow noopener\">broader campaign<\/a> that has hit around 60 types of home and office devices, including video surveillance systems, NAS boxes, and office VPN servers. Affected devices include D-Link DIR-850L S, Cisco RV042, Araknis Networks AN-300-RT-4L2W, Linksys LRT224, and some QNAP devices. The attacks on these unfold a bit differently, but share the same general features: exploiting vulnerabilities, using built-in device functions to gain control, and maintaining stealth. According to the researchers\u2019 assessments, compromised devices are being exploited to reroute traffic and monitor the attack techniques employed by rival threat actors. These attacks are attributed to a \u201cwell-resourced and highly capable\u201d hacking group. However, similar techniques have been adopted by targeted attack groups around the world \u2014 which is why home routers in any moderately large country are now an enticing target for them.<\/p>\n<h2>Takeaways and tips<\/h2>\n<p>The attack on ASUS home routers displays classic signs of targeted intrusions: stealth, compromise without using malware, and the creation of persistent access channels that remain open even after the vulnerability is patched and the firmware is updated. 
So, what can a home user do to defend against such attackers?<\/p>\n<ul>\n<li><strong>Your choice of router matters.<\/strong> Don\u2019t settle for the standard-issue router your provider rents out to you, and don\u2019t just shop for the cheapest option. Browse the selection at electronics retailers, and choose a model released within the last year or two so you can be sure to receive firmware updates for years to come. Try to pick a manufacturer that takes security seriously. This is tricky, as there are no perfect options out there. You can generally use the frequency of firmware updates and the manufacturer\u2019s stated period of support as a guide. You can find the latest router security news on sites like <a href=\"https:\/\/routersecurity.org\/RouterNews.php\" target=\"_blank\" rel=\"nofollow noopener\">Router Security<\/a>, but don\u2019t expect to find any \u201cgood tales\u201d there \u2014 it\u2019s more useful for finding \u201canti-heroes\u201d.<\/li>\n<li><strong>Update your device\u2019s firmware regularly.<\/strong> If your router offers an automatic update feature, it\u2019s best to enable it so you don\u2019t have to worry about manual updates or falling behind. Still, it\u2019s a good idea to check your router\u2019s status, settings, and firmware version a few times a year. 
If you haven\u2019t received a firmware update in 12-18 months, it may be time to consider replacing your router with a newer model.<\/li>\n<li><strong>Disable all unnecessary services on your router.<\/strong> Go through all the settings and turn off any features or extras you don\u2019t use.<\/li>\n<li><strong>Disable administrative access to your router<\/strong> from the internet (WAN) through all management channels (SSH, HTTPS, Telnet, and whatever else).<\/li>\n<li><strong>Disable mobile router management apps.<\/strong> Although convenient, these apps introduce a range of new risks \u2014 in addition to your smartphone and router, a proprietary cloud service will likely be involved. For this reason, it\u2019s best to disable this management method and avoid using it.<\/li>\n<li><strong>Change the default passwords<\/strong> for both router administration and Wi-Fi access. These passwords shouldn\u2019t match. Each should be long and not consist of obvious words or numbers. If your router allows it, change the <strong>admin<\/strong> username to something unique.<\/li>\n<li><strong>Use comprehensive protection for your home network.<\/strong> For example, <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Premium<\/a>\u00a0comes with a <a href=\"https:\/\/support.kaspersky.com\/kaspersky-for-windows\/21.21\/138204\" target=\"_blank\" rel=\"noopener\">smart-home protection module<\/a> that monitors for common problems like vulnerable devices and weak passwords. 
If your smart home monitoring detects weak spots or a new device on your network that you haven\u2019t previously identified as known, it will alert you and provide recommendations for securing your network.<\/li>\n<li><strong>Check every page of your router\u2019s configuration.<\/strong> Look for the following suspicious signs: (1) port forwarding to unknown devices on your home network or the internet, (2) new user accounts you didn\u2019t create, and (3) unfamiliar SSH keys or any other login credentials. If you find anything like this, search online for your router model combined with the suspicious information you\u2019ve discovered, such as a username or port address. If you can\u2019t find any mention of the issue you discovered as a documented system feature of your router, remove that data.<\/li>\n<li><strong>Subscribe to our<\/strong> <a href=\"https:\/\/t.me\/+hfDEDRUTiLJlOGE8\" target=\"_blank\" rel=\"noopener nofollow\">Telegram channel<\/a>, and stay up to date on all cybersecurity news.<\/li>\n<\/ul>\n<blockquote><p>For more tips on choosing, setting up, and protecting your smart home devices \u2014 along with information on other hacker threats targeting your household electronics \u2014 check out these posts:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/smart-home-zigbee-thread-matter-advice\/47343\/\" target=\"_blank\" rel=\"noopener nofollow\">How to plan your smart home and get the most out of the devices you already own<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-secure-smart-home\/47472\/\" target=\"_blank\" rel=\"noopener nofollow\">How to secure your smart home: an in-depth guide<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/vulnerability-in-smart-home-control-app\/53471\/\" target=\"_blank\" rel=\"nofollow noopener\">How the smart home installed by a developer or property management company can be hacked<\/a><\/li>\n<li><a 
href=\"https:\/\/www.kaspersky.com\/blog\/3-reasons-not-to-use-smart-locks\/47866\/\" target=\"_blank\" rel=\"noopener nofollow\">Three reasons not to use smart locks<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/router-malware\/44539\/\" target=\"_blank\" rel=\"noopener nofollow\">The hidden threats of router malware<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Why advanced attackers are interested in your home Wi-Fi access points, and how they maintain control over your devices.<\/p>\n","protected":false},"author":2722,"featured_media":53841,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[1058,794,187,3025,473,97,660,321,131,174],"class_list":{"0":"post-53840","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-ddos","9":"tag-iot","10":"tag-passwords","11":"tag-proxy","12":"tag-routers","13":"tag-security-2","14":"tag-smart-home","15":"tag-technology","16":"tag-tips","17":"tag-wi-fi"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/save-your-home-router-from-apt-residential-proxy\/53840\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/save-your-home-router-from-apt-residential-proxy\/29145\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/save-your-home-router-from-apt-residential-proxy\/24341\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/save-your-home-router-from-apt-residential-proxy\/29185\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/save-your-home-router-from-apt-residential-proxy\/28331\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/save-your-home-router-from-apt-residential-proxy\/31166\/"},{"hreflang":"ru"
,"url":"https:\/\/www.kaspersky.ru\/blog\/save-your-home-router-from-apt-residential-proxy\/39859\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/save-your-home-router-from-apt-residential-proxy\/13569\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/save-your-home-router-from-apt-residential-proxy\/22983\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/save-your-home-router-from-apt-residential-proxy\/24012\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/save-your-home-router-from-apt-residential-proxy\/32438\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/save-your-home-router-from-apt-residential-proxy\/29260\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/save-your-home-router-from-apt-residential-proxy\/35117\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/save-your-home-router-from-apt-residential-proxy\/34756\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/wi-fi\/","name":"wi-fi"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53840"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53840\/revisions"}],"predecessor-version":[{"id":53846,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53840\/revisions\/53846"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53841"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/
wp\/v2\/media?parent=53840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}