Update - Thursday, April 8, 12 pm ET: TP-Link has provided the following statement to Tom's Hardware: “TP-Link takes the threat of cyberattacks on network devices very seriously. TP-Link devices referenced in the reporting reached End of Service and Life (EOSL) status several years ago, the full list of models impacted can be found here https://www.tp-link.com/uk/support/faq/5058/. While these products are outside of our standard maintenance lifecycle, TP-Link has developed security updates for select legacy models where technically feasible. To ensure these updates take place, we recommend following the advice listed on the security advisory. We encourage customers using legacy or EOSL devices to upgrade to currently supported hardware that receives regular security updates. As immediate precautions, users should update to the latest available firmware, disable remote management, use strong and unique administrator passwords, and restrict device access to trusted internal networks only.”
The UK National Cyber Security Centre (NCSC) on Tuesday published an advisory warning that Russian state hacking group APT28 has been exploiting vulnerable small office and home office (SOHO) routers since 2024 to overwrite their DHCP and DNS settings, redirecting downstream traffic through attacker-controlled DNS servers to harvest passwords and authentication tokens for web and email services. The NCSC assesses that APT28 is "almost certainly" the Russian Main Intelligence Directorate (GRU)'s 85th Main Special Service Centre, Military Intelligence Unit 26165.
Lookups for domains tied to targeted services, such as login pages, get pointed to further attacker-owned IPs that host adversary-in-the-middle infrastructure. Meanwhile, requests outside the targeting criteria are resolved to the legitimate addresses to avoid breaking the connection.
Article continues belowOnce a victim connects through the attacker's infrastructure, APT28 attempts to capture passwords and OAuth or similar authentication tokens from both browser sessions and desktop applications. Targeted domains listed in the advisory include autodiscover-s.outlook.com, imap-mail.outlook.com, outlook.live.com, outlook.office.com, and outlook.office365.com.
The TP-Link WR841N router is named by the NCSC as one of the models APT28 has been exploiting, likely using CVE-2023-50224, an unauthenticated information disclosure flaw that allows an attacker to retrieve credentials through an HTTP GET request. When the threat actor has the router’s credentials, a second GET request rewrites the DHCP DNS settings, setting the primary DNS to a malicious IP and the secondary to the original primary.
The advisory lists more than 20 additional TP-Link models targeted in the campaign, including the Archer C5 and C7, the WDR3500, WDR3600, and WDR4300, the WR1043ND, the MR3420 and MR6400 LTE routers, and several variants of the WR740N, WR840N, WR841N, WR842N, WR845N, and WR941ND. A second cluster of attacker infrastructure received DNS requests forwarded from compromised MikroTik routers as well as TP-Link gear, and was also used in interactive operations against a smaller set of MikroTik routers "often located in Ukraine" that the NCSC said were likely of intelligence value.
The NCSC describes the campaign as opportunistic, with APT28 casting a wide net across exposed routers and then filtering the resulting victim pool for targets of intelligence interest at each stage. In terms of mitigation, the NCSC recommends the usual advice of keeping router firmware updated, never exposing management interfaces to the internet, and enabling multi-factor authentication on accounts that could be vulnerable to credential theft.
APT28, also tracked as Fancy Bear, Forest Blizzard, and Sofacy, has previously been linked by the NCSC to the 2015 hack of the German Bundestag and the 2018 attempted intrusion at the Organisation for the Prohibition of Chemical Weapons.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
