U.S. and Allied Agencies Warn on PRC SOHO Router Intrusions — February 7, 2024
Joint advisory AA24-040A urges network defenders to replace or harden small-office routers targeted by Chinese state-sponsored actors.
Executive briefing: On February 7, 2024, CISA, the FBI, the NSA, the Canadian Centre for Cyber Security, and cybersecurity authorities from Australia, New Zealand, and the United Kingdom issued joint Cybersecurity Advisory AA24-040A. The alert details how People’s Republic of China (PRC) state-sponsored actors compromise end-of-life small office/home office (SOHO) routers and use them to stage follow-on operations against U.S. critical infrastructure.
Threat vectors
- Legacy firmware exploitation. Adversaries exploit unpatched, and in many cases unpatchable, vulnerabilities in end-of-life Cisco, Netgear, and other router models that no longer receive vendor firmware updates.
- Credential theft. Attackers guess, brute-force, or reuse default and recycled administrative passwords to gain and keep access to the device.
- Proxy infrastructure. Compromised routers are chained into a covert proxy network so that reconnaissance and intrusion traffic against U.S. critical infrastructure appears to originate from ordinary residential or small-business IP space and blends with legitimate activity.
Control alignment guidance
- Asset lifecycle management. Inventory all edge devices, identify those past vendor end-of-life, and decommission them, consistent with NIST CSF 2.0 and the Cross-Sector Cybersecurity Performance Goals.
- Zero trust network access. Enforce authentication, authorization, and segmentation for remote administrators connecting through edge devices, and keep router management interfaces off the internet.
- Secure configurations. Apply vendor firmware updates, disable unused services (including WAN-side remote management), and rotate credentials in line with CIS Controls IG1 safeguards. Where a device is end-of-life and no update exists, replacement is the only remedy.
Operational recommendations
- Review the advisory’s indicator of compromise list and block the malicious IP addresses, domains, and certificates observed in Volt Typhoon campaigns. Treat IP-based indicators as short-lived: the proxy nodes are hijacked consumer routers whose addresses change as devices are cleaned or re-infected, so blocking must be paired with behavioral detection.
- Deploy continuous monitoring for unusual outbound connections originating from SOHO routers and VPN appliances themselves (as distinct from the hosts behind them) and for configuration changes made from unexpected sources.
- Stage replacement programs for unsupported devices, prioritizing assets that provide access to operational technology networks or sensitive data.
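The monitoring recommendation above is easier to act on with a concrete rule set. The following is an added example, not code from the advisory or from any vendor: it flags connections the router itself originates to destinations outside an allowlist, flags configuration changes made from hosts other than the designated management workstation, and then correlates the two, since a single external address that both reconfigured the device and receives router-originated traffic is the pattern one would expect from a proxy node being staged. The syslog-style line format, the router addresses, the allowlists, and the sample log lines are all constructed for this example (RFC 5737 documentation ranges) and are not taken from the advisory.

```python
"""Flag router-originated outbound connections and administrative configuration
changes that fall outside an allowlist, then correlate them by peer address.

Added example. The log shape below is a constructed, generic syslog-style
format, not a real vendor's format and not anything taken from AA24-040A.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    "Jan 30 02:14:07 edge-rtr conn: src=203.0.113.200 dst=203.0.113.10 dport=123 proto=udp",
    "Jan 30 02:14:09 edge-rtr conn: src=192.168.1.25 dst=198.51.100.7 dport=443 proto=tcp",
    "Jan 30 02:15:31 edge-rtr conn: src=203.0.113.200 dst=198.51.100.44 dport=8443 proto=tcp",
    "Jan 30 02:16:02 edge-rtr config: change by user=admin from=192.168.1.10",
    "Jan 30 03:41:55 edge-rtr config: change by user=admin from=198.51.100.44",
    "Jan 30 03:42:10 edge-rtr conn: src=203.0.113.200 dst=198.51.100.44 dport=3389 proto=tcp",
]

# Assumed baseline for a hypothetical router; tune these per device.
ROUTER_IPS = {"192.168.1.1", "203.0.113.200"}   # the router's own LAN and WAN addresses
MGMT_HOSTS = {"192.168.1.10"}                   # only host allowed to change configuration
EXPECTED_ROUTER_DESTS = {                       # (destination, port) the router may contact itself
    ("203.0.113.10", 123),                      # NTP
    ("203.0.113.53", 53),                       # upstream DNS forwarder
}

CONN_RE = re.compile(r"conn: src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
CONFIG_RE = re.compile(r"config: change by user=(\S+) from=(\S+)")


def analyze(lines, router_ips, mgmt_hosts, expected_dests):
    """Return a list of finding dicts, one per rule hit, plus correlation hits."""
    findings = []
    touched = defaultdict(set)  # peer address -> set of rule names that fired on it
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            src, dst, dport, _proto = m.group(1), m.group(2), int(m.group(3)), m.group(4)
            # Only traffic the router itself originates is of interest here;
            # LAN clients browsing out through the router is normal behaviour.
            if src in router_ips and (dst, dport) not in expected_dests:
                findings.append({"rule": "router_outbound", "peer": dst,
                                 "dport": dport, "line": line})
                touched[dst].add("router_outbound")
            continue
        m = CONFIG_RE.search(line)
        if m:
            user, origin = m.groups()
            if origin not in mgmt_hosts:
                findings.append({"rule": "config_change", "peer": origin,
                                 "user": user, "line": line})
                touched[origin].add("config_change")
    # Correlation: the same address both reconfigured the device and receives
    # router-originated traffic, which is what staging a proxy node looks like.
    for peer, rules in sorted(touched.items()):
        if {"router_outbound", "config_change"} <= rules:
            findings.append({"rule": "correlated_peer", "peer": peer, "line": ""})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS, ROUTER_IPS, MGMT_HOSTS, EXPECTED_ROUTER_DESTS):
        print(f"{f['rule']:16} peer={f['peer']} {f['line']}")
```

On the constructed input, the NTP connection and the change from the management workstation pass silently, the LAN client's HTTPS session is ignored because the router did not originate it, and 198.51.100.44 is reported three times: two router-originated connections on unexpected ports, one configuration change, and a correlated-peer finding tying them together. In production the allowlists would come from the device's documented baseline, and the correlation window would be bounded in time rather than spanning the whole input.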