Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.
Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release.
Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.
Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.
“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.
“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.
GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur.
The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.
“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.
“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”
GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MicroTik, TP-Link, VMware, Juniper, F5, Netgear and others.
“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”
GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor and unique source IP counts demonstrate how widely new infrastructure is joining the activity, researchers wrote in the report.
“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said.
“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added.
The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”
This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.
“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”
The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.
The recent FBI-led operation to knock Russian government hackers off routers sought to topple an especially insidious and threateningly contagious cyberespionage campaign, top bureau cyber official Brett Leatherman told CyberScoop.
Researchers, along with U.S. and foreign government agencies, revealed details of the campaign this week by which APT28 — also known as Forest Blizzard or Fancy Bear, and attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) — compromised more 18,000 TP-Link routers and infiltrated more than 200 organizations worldwide.
The compromise of routers used in small and home offices prompted the takedown operation, Operation Masquerade, which involved sending commands to the routers to reset Domain Name System (DNS) settings to prevent the hackers from exploiting that access.
“What’s unique to me in this one is that when you change the internet settings in a router like they did, it propagates to all the devices in your house,” Leatherman, assistant director of the FBI’s cyber division, said. “All those devices now, once they’re connected to that Wi-Fi, are getting the malicious IP addresses that they are then routing their traffic through, and it gives the Russian GRU tremendous access to the content offered through a router itself.”
“The difficulty in an attack like this is that it’s virtually invisible to the end users,” he said. “Actors were not deploying malware like we often see. And so when you think about endpoint detection on your computer or something like that, it’s not seeing that activity because they don’t have to. They’re using the tools on the router itself to capture your internet traffic and extend it throughout the house, and so traditional tools that detect that activity [are] just not there.”
The disruption operation is in line with the cyber strategy the Trump administration published last month, with its emphasis on going on offense against malicious hackers and protecting critical infrastructure, Leatherman said.
The FBI understands its role in implementing that strategy, he said, and worked with the Office of the National Cyber Director and other agencies in developing it. The White House has kept the public and Capitol Hill in the dark about strategy implementation, however.
“We’ve got a long track record of leveraging unique authorities and capabilities to counter these actors, to impose costs, and through the 56 field offices to really defend critical infrastructure,” Leatherman said. “That’s part of our DNA, really. And so we want to make sure that we continue to align that in the most scalable and agile way we can, to align with the priorities of the strategy itself.”
Leatherman traced how Operation Masquerade — the success of which he credited to the FBI’s Boston offices and partnerships with the private sector and foreign governments — fits into a series of disruptions aimed at Russian government hackers dating back to 2018.
That’s when the bureau took on the VPNFilter botnet by seizing a domain used to communicate with infected routers. In 2022, the FBI took on the Cyclops Blink botnet, and in 2024, Operation Dying Ember went after another botnet.
“”Over the course of those four operations, while the adversary continued to evolve in their tradecraft, so did we,” Leatherman said. “We moved from just sinkholing domains to actually taking steps that block them at the door of these routers, pulled any capability off of those routers so they were no longer able to collect the sensitive information, and then prohibited them from getting back in.”
The post Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’ appeared first on CyberScoop.
The Federal Communications Commission’s move to ban foreign-made routers touches on a real threat, but critics say the agency rule is overly broad, practically unworkable and doesn’t meaningfully address weaknesses in router security that have led to major breaches on American governments and businesses.
Under the Secure Equipment Act and Secure Networks Act, the FCC may ban foreign technology manufacturers if they are deemed a national security risk. But the federal government has almost always opted to narrowly target specific foreign companies with known or problematic connections to foreign adversaries, like Chinese telecom Huawei or Russian antivirus firm Kaspersky Labs.
The restrictions announced Monday, however, simply ban all routers “produced in a foreign country” except those granted conditional approval by the departments of Defense or Homeland Security.
The order imposes a sweeping and immediate halt to the purchase of non-American routers and Wi-Fi services for government agencies and businesses, along with unanswered questions about where to buy next and what to do with the foreign devices already embedded in their networks.
In justifying the decision, FCC Chair Brendan Carr cited a March 20 White House-led interagency report that concluded foreign-made routers pose “unacceptable” risks to U.S. national security.
“Following President Trump’s leadership, the FCC will continue [to do] our part in making sure that U.S. cyberspace, critical infrastructure, and supply chains are safe and secure,” Carr said.
U.S. policymakers have worried about the potential cybersecurity risks of relying on technology and equipment from countries like China or Russia, where local laws compel domestic companies to cooperate in national security investigations and hand over sensitive data.
In 2024, members of Congress called for the Department of Commerce to investigate Chinese Wi-Fi and router makers like TP-Link, alleging the company’s “unusual degree of vulnerabilities and required compliance with [Chinese] law” amounted to an unacceptable national security risk.
Last year, five House Republican committee chairs urged Commerce Secretary Howard Lutnick to use the department’s authority “to eliminate products and services created by China and other foreign adversaries from domestic supply chains that are shown to have the potential to introduce security vulnerabilities.” An attached list of industries “needing immediate action” included routers and Wi-Fi, while mentioning TP-Link and Huawei as “Chinese or Chinese-controlled” entities.
While router insecurity is a major problem, it’s worth noting that American-made products are far from immune to foreign hacking. Major Chinese hacking campaigns, such as Salt Typhoon, succeeded not because of backdoors in Chinese-made tech but through the exploitation of known, previously reported vulnerabilities in U.S. and Western products.
One former U.S. intelligence leader told CyberScoop that country of origin matters more when you’re dealing with an adversary like China, which has national security and vulnerability disclosure laws that require Chinese router companies to disclose cybersecurity vulnerabilities to the government first.
But it’s not just Chinese routers, or those made by America’s direct rivals, that concern intelligence officials.
Even in a global, digitally connected world, proximity still matters. Foreign countries can more easily disrupt or infect the supply chain of neighboring or bordering countries that may rely on similar parts, components or internet infrastructure.
“Attackers have so many options with what can be done with router access. [It’s] even easier if you have the country that runs and accesses them in your backyard,” said the official, who requested anonymity to speak candidly.
Investors may be drawing similar conclusions. Notably, stocks for Asian router companies fell following the FCC announcement, while U.S. company NetGear, which does not rely on Chinese supply chains, saw its shares jump 12%.
The broad nature of the order — along with the ability to dole out exemptions to specific companies at will — effectively resets the regulatory relationship between foreign router companies and the U.S. government. Under it, each company with manufacturing operations in China or overseas would have to petition the FCC for an exemption to the rule.
The ambiguity behind what, specifically, a company would need to do to obtain an exemption could open the process up to potential abuse or political patronage, experts said.
A former FCC official told CyberScoop they were puzzled by the move, and questioned whether it was related to national security or if it would even pass legal muster in the courts.
Instead of adding targeted companies with foreign ties or a history of cybersecurity vulnerabilities to the list of banned providers — as the government has done and successfully defended in court in the past — the FCC instead sought to ban all foreign-made routers around the globe. That represents a potentially significant disruptive action to take in an environment where many businesses and governments today use TP-Link and other foreign companies for their internet needs.
The net effect is “actually creating a new federal program of conditional approvals” for foreign router companies, the FCC alum said, one that is so broad it would take a massive combined federal effort to effectively remove bad actors from the foreign supply chain.
“I have a hard time believing that this administration — given what we’ve seen at CISA and other agencies and the mass departures — will actually roll out a sophisticated and tailored program to adequately address this kind of huge swing of an entire base of consumer products,” said the official, who was granted anonymity to speak candidly.
The official pointed to an attempt earlier this year by the FCC to ban imports of foreign drone components, saying there were similar “big swing” parallels to the legal rationale here. The drone ban is currently being challenged in court, and the official said they expect the FCC’s router order to be subject to similar lawsuits from companies.
Earlier this month, Carr also proposed new regulations that would place English language requirements on offshore call centers and asked the public for insight on potential policies to “encourage” companies to set up U.S.-based call centers, “including limits on call volume from overseas call centers.”
Carr said the FCC was also “opening up a new front in our efforts to block illegal robocalls from abroad by examining the targeted use of tariffs or bonds.”
The former FCC official said Carr’s prioritization on novel application of tariff authorities while discussing the implementation of two laws — the TRACED Act and the Truth In Caller ID Act — that are unrelated to trade makes it impossible to disentangle the agency’s genuine national security concerns from the Trump administration’s broader attempts to gain leverage over foreign companies in their trade fights.
“Those are weird kind of random hops that seem to be in response to this broader picture of the big tariff decision that came out,” the official said.
The post Critics call FCC router rule a ‘big swing’ that could create more supply chain uncertainty appeared first on CyberScoop.
Ethan Robish // In this series of posts, I’ll discuss how I segmented my home network using VLANs and how I moved away from using a risky consumer-grade router at […]
The post Home Network Design – Part 1 appeared first on Black Hills Information Security, Inc..
Login