ZuoRAT, the Game Changing Attack That Emphasizes the Need for Router Protection

Shiri Butnaru

ZuoRAT is a sophisticated multi-tier attack on fleets of home and home-office routers on an unprecedented scale, and is the most significant widespread router attack since Mirai in 2016. Protection is available to SAM customers.

Tel-Aviv, Israel – June 30, 2022 – Following the announcement issued by Lumen Technologies’ Black Lotus Labs yesterday (6/29/2022), SAM Seamless Network, the global leader in security and intelligence services for unmanaged networks and IoT devices, today reveals the extent of the attack and how to protect against it.

Yesterday Lumen’s Black Lotus Labs published a report outlining a widespread cyber-attack against home and small-office/home-office (SOHO) networks. The campaign was run by a well-organized group, possibly state-sponsored, that investigated and exploited several vulnerabilities in routers. It affects routers from well-known vendors such as Asus, Cisco, DrayTek and NETGEAR; the list is not exhaustive, and other models may also be compromised. The evidence gathered so far indicates that the group had been preparing this campaign for months.

ZuoRAT is a multi-tier attack that first infiltrates consumer-grade home and home-office routers. From that foothold it probes the connected computers and devices for exploitable vulnerabilities, combining two of the most dangerous techniques: man-in-the-middle (MITM) interception of the traffic passing through the router, and delivery of a remote access trojan (RAT) onto hosts behind it.

In a MITM attack, an adversary who controls a router or IoT device in an unmanaged network positions themselves between the user and the applications the user talks to. This exposes the user’s credentials, bank accounts, social media accounts, the employer’s VPN login, browsing history, personal preferences and essentially any online activity that transits the router. One caveat worth keeping in mind: traffic protected end to end by TLS with proper certificate validation is not readable in the clear from the router, but an attacker on the path can still see which hosts are contacted, tamper with DNS and unencrypted HTTP, and attempt to redirect or downgrade connections.

Once attackers control the router they can see everything on the network. The second stage is to get into an organization by injecting a RAT onto a PC or corporate laptop, which gives the attackers free rein to gather information about the network, including its traffic and any exploitable weaknesses. This reconnaissance is typically the first step of a wider intrusion.

Everyone using a compromised home network is at risk. The attack targets consumers and SOHO businesses, but it also has implications for well-established enterprises: employees working from home (WFH) who connect to corporate networks from infected home environments undermine the organization’s security posture.

Once inside the router, the attackers continuously scan the network and its connected devices, including corporate PCs, and wait for the moment an employee connects to the office network from home. They use that access to learn which updates are installed on the employer’s network, then exploit unpatched vulnerabilities to compromise the entire corporate network.
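The behaviour described above, a gateway that starts scanning the hosts behind it, is also what makes it detectable from the LAN side: a consumer router forwards traffic, it does not normally originate connections to many LAN hosts and ports. The following is an added example, not code from SAM, Lumen or the ZuoRAT report, that scores gateway-originated flows for that pattern. The flow-record shape, the allowlist of services a gateway is expected to originate (DHCP) and the thresholds are assumptions to be tuned per network; the sample flows are constructed.

```python
"""Flag a LAN gateway that is behaving like a scanner (added example).

Input: unidirectional flow records (src_ip, dst_ip, dst_port, proto) for the
initiating direction only. A gateway that is the *source* of connections to
many LAN hosts or many ports is behaving like an attacker on the CPE, not like
a router. The allowlist and thresholds below are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Services a gateway legitimately originates toward LAN hosts (assumed
# baseline; extend per deployment). DHCP offers/acks: server 67 -> client 68.
EXPECTED_GATEWAY_ORIGINATED = {("udp", 68)}


def gateway_sweep(flows, gateway_ip, lan_cidr, min_hosts=3, min_ports=3):
    """Summarise connections the gateway itself initiates toward LAN hosts.

    Returns a dict with the LAN hosts and distinct (proto, port) pairs the
    gateway targeted, and whether that breadth looks like a sweep: either a
    horizontal sweep (many hosts) or a vertical one (many ports).
    """
    gw = ip_address(gateway_ip)
    lan = ip_network(lan_cidr)
    targets = defaultdict(set)  # dst_ip -> {(proto, port), ...}
    for src, dst, port, proto in flows:
        if ip_address(src) != gw:
            continue  # only gateway-originated flows are of interest
        dst_ip = ip_address(dst)
        if dst_ip not in lan or dst_ip == gw:
            continue  # WAN-bound traffic from the router is out of scope here
        if (proto, port) in EXPECTED_GATEWAY_ORIGINATED:
            continue  # known-good service the gateway is supposed to originate
        targets[str(dst_ip)].add((proto, port))
    hosts = sorted(targets)
    ports = sorted({p for pairs in targets.values() for p in pairs})
    return {
        "hosts": hosts,
        "ports": ports,
        "suspicious": len(hosts) >= min_hosts or len(ports) >= min_ports,
    }


# Constructed sample flows: (src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    # Normal: LAN hosts initiating outbound traffic and DNS to the gateway
    ("192.168.1.20", "142.250.74.36", 443, "tcp"),
    ("192.168.1.21", "192.168.1.1", 53, "udp"),
    # Normal: gateway hands out DHCP leases to the LAN broadcast address
    ("192.168.1.1", "192.168.1.255", 68, "udp"),
    # Suspicious: gateway sweeping LAN hosts on admin and file-sharing ports
    ("192.168.1.1", "192.168.1.20", 22, "tcp"),
    ("192.168.1.1", "192.168.1.20", 445, "tcp"),
    ("192.168.1.1", "192.168.1.20", 3389, "tcp"),
    ("192.168.1.1", "192.168.1.21", 22, "tcp"),
    ("192.168.1.1", "192.168.1.21", 445, "tcp"),
    ("192.168.1.1", "192.168.1.30", 445, "tcp"),
]
BENIGN_FLOWS = SAMPLE_FLOWS[:3]


if __name__ == "__main__":
    for label, flows in (("benign", BENIGN_FLOWS), ("compromised", SAMPLE_FLOWS)):
        report = gateway_sweep(flows, "192.168.1.1", "192.168.1.0/24")
        print(label, report)
```

Run as a script it prints one report per scenario; the benign set yields no gateway-originated targets, while the full set flags three hosts and three ports. In practice the flow records would come from a span port, a CPE-resident agent or router NetFlow/IPFIX export, and the allowlist should be built from an observed baseline rather than guessed.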

Internet service providers (ISPs) often deploy DNS-based security in the core network. Such solutions provide some protection against phishing, but they leave users exposed to many other attacks that require far more dynamic protection at the LAN level. This local protection is needed to match the capabilities of sophisticated adversaries and to prevent them from spreading malware and related threats inside the network.

The SAM agent is installed directly on the router gateway, where it provides deep visibility into the network and lets both the ISP and the customer monitor and track suspicious activity across all connected devices. The agent uses a unique deception mechanism for router protection that misleads intruders. In addition, SAM can respond quickly to newly disclosed vulnerabilities and patch them within hours of discovery, which stops attacks from spreading to more networks.

In the case of ZuoRAT, the good news is that the SAM agent protects against this attack: several of its mechanisms block some of the initial actions these actors perform. Better still, SAM is platform-agnostic, so it can be integrated with any router, new or old, to deliver a unified protection layer across the ISP’s entire router fleet.

“We have not seen something of this magnitude since Mirai. In the past few months we’ve seen a huge increase in the number of attacks targeting routers; this is exactly the reason ISPs should recognize the importance of protecting the routers as part of their critical infrastructure. For this reason, we see regulators around the world taking a more active role in protecting networks operating in their countries,” said Sivan Rauscher, CEO of SAM Seamless Network. “The only way to stop such sophisticated attacks is to have deep network visibility at the CPE level; without it no one can predict what is going to happen next.”

About SAM

SAM is the leading provider of cloud-native security and intelligence services for unmanaged networks and connected devices, protecting upwards of 470 million devices globally. With its intuitive AI technology, SAM addresses the challenges of our hyperconnected world, in which an explosion of IoT devices exposes new attack surfaces for companies and consumers alike. SAM’s device-agnostic software provides deep network visibility to protect against sophisticated cyber-attacks in real time and prevent the spread of zero-day attacks. Using its cloud-based device and threat intelligence, SAM studies and identifies the behavior of every device to create customized protection for all home and SMB users, forming a bulletproof network.

About Lumen

Lumen is guided by the belief that humanity is at its best when technology advances the way we live and work. With approximately 500,000 route fiber miles serving customers in more than 60 countries, Lumen delivers the fastest, most secure platform for applications and data to help businesses, government, and communities deliver amazing experiences.

Learn more about the Lumen network, edge cloud, security, communication and collaboration solutions, and its purpose to further human progress through technology at news.lumen.com, LinkedIn, Twitter, Facebook, Instagram and YouTube. Lumen and Lumen Technologies are registered trademarks in the United States.
