Security firms and national agencies warn that Russia-linked APT28 (Fancy Bear/Forest Blizzard) has compromised tens of thousands of mostly MikroTik and TP-Link consumer routers worldwide to manipulate DNS and intercept traffic. By exploiting long-standing vulnerabilities and hijacking DNS, attackers redirected victims to attacker-controlled servers to harvest credentials, OAuth tokens and TLS-protected sessions—enabling account takeovers that bypass MFA and target governments, law enforcement and enterprises. The campaigns highlight persistent risks from unpatched edge devices, supply-chain and perimeter weaknesses, and the ease with which router compromises can facilitate large-scale credential theft and downstream intrusions, prompting urgent mitigation guidance for network operators.
Researchers at Lumen Technologies’ Black Lotus Labs say Russia’s GRU-linked APT28 has compromised an estimated 18,000–40,000 consumer routers, mainly MikroTik and TP-Link devices across 120 countries, to harvest credentials and enable espionage. The attackers used a small set of hijacked routers as proxies to pivot into a far larger set of targets, manipulating DNS lookups for selected sites — reportedly including Microsoft 365 domains — to capture passwords and tokens. APT28 (aka Pawn Storm/Sofacy/STRONTIUM) leveraged long-standing, technically adept tradecraft to blend router compromise with targeted interception of government and law-enforcement traffic. The operation underscores persistent supply-chain and perimeter weaknesses in consumer networking gear and the risks of unmanaged devices for enterprise and national security.
Microsoft says a device-code phishing campaign, linked to the EvilTokens kit, is compromising hundreds of organizations daily by automating and weaponizing OAuth device-code flows to bypass MFA and steal corporate email and financial data. Since mid-March, researchers have observed 10–15 distinct campaigns per day that use GetCredentialType reconnaissance, AI-generated, hyper-personalized lures (RFPs, invoices), and chained redirects through compromised legitimate domains and serverless platforms to evade detection. Post-compromise activity focuses on finance personas, with automated email exfiltration. The campaign demonstrates an escalation in attacker sophistication by combining device-code abuse, automation, cloud infrastructure misuse, and phishing-as-a-service, raising urgent detection and defense challenges for Microsoft 365 tenants and broader identity security.
Security firms and Microsoft say a Russia-linked APT28 group, which Microsoft tracks as Forest Blizzard, hijacked DNS settings on more than 18,000 mostly end-of-life SOHO routers to siphon Microsoft Office OAuth authentication tokens. Lumen’s Black Lotus Labs and Microsoft found the GRU-backed attackers exploited known MikroTik and TP-Link flaws to point victims to attacker-controlled DNS servers, enabling post-compromise adversary-in-the-middle interception of TLS sessions and OAuth tokens, bypassing credentials and MFA without installing malware. Targets included government ministries, law enforcement and third-party email providers, and Microsoft reported over 200 affected organizations and 5,000 consumer devices. The campaign highlights the risks of unpatched edge devices and of DNS hijacking as a low-tech but high-impact avenue for account takeover.
The UK National Cyber Security Centre warned that Russia-linked APT28 (Fancy Bear/Forest Blizzard) continues to exploit vulnerabilities in SOHO and enterprise routers to change DNS settings, redirecting users to attacker-controlled clone sites to harvest credentials. Microsoft corroborated the activity, saying over 200 organizations and about 5,000 consumer devices have been impacted; affected vendors named include TP-Link, MikroTik and previously Cisco. The NCSC says the campaign, monitored since 2021, appears opportunistic and can also enable downstream compromise of laptops and phones, provide footholds for follow-on malware or DDoS operations, and yield intelligence value especially in Ukraine. Authorities urged operators to apply mitigations and follow published guidance to protect network devices.
Ryan Gallagher / Bloomberg : The UK says Russia-linked hacking group APT28 is hijacking popular internet routers from MikroTik, TP-Link, and others to steal credentials and redirect traffic — Russian government-linked hackers are compromising popular internet routers to steal passwords for email accounts and other online services …