APT28 Harvests Global Credentials by Tampering DNS on Vulnerable SOHO Routers
What Happened — Russian state actor APT28 (also tracked as Fancy Bear and, by Microsoft, as Forest Blizzard) has been modifying a single DNS setting on vulnerable small‑office/home‑office (SOHO) routers. With the router's upstream resolver changed, the attacker answers lookups for authentication services and redirects login traffic to endpoints they control, allowing the group to collect thousands of valid usernames and passwords from organizations worldwide. No malware is installed on the router or on victim endpoints; the operation rests on a configuration change, which is why it leaves no file-based artifacts for endpoint tooling to find.
Why It Matters for TPRM —
- Credential theft occurs at the network‑edge, bypassing endpoint‑centric controls that many third‑party risk programs rely on.
- Compromised routers provide a persistent foothold and can be leveraged for lateral movement into corporate environments.
- Vendors that sell, lease, or manage SOHO networking equipment become indirect attack vectors, expanding supply‑chain exposure.
Who Is Affected — Companies that use unmanaged or outdated SOHO routers for remote sites, branch offices, or VPN termination across any industry (technology SaaS, financial services, healthcare, manufacturing, etc.).
Recommended Actions —
- Conduct an inventory of all SOHO routers, verify firmware is up‑to‑date, and confirm that the upstream DNS servers configured on each device (and handed out to clients via DHCP) match the expected values.
- Enforce strong, unique admin credentials; disable default accounts.
- Implement DNS security measures and monitor DNS traffic for anomalies. Note that DNSSEC on its own does not help once the attacker chooses the resolver clients talk to; the effective control is pinning clients to known resolvers (for example via DoT/DoH to a fixed address) so the router's DNS setting is not trusted, and alerting when hosts report resolvers outside the approved set.
- Segment router management traffic from core corporate networks.
- Require vendors to provide documented hardening guides and automated patching mechanisms.
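Two of the actions above (verifying router DNS settings and monitoring DNS for anomalies) can be reduced to a small script. The block below is an added example for this advisory, not code from the report or its source; the approved-resolver list, the hostnames, the resolv.conf text and every IP address in it are constructed assumptions. It audits the nameservers a host received from its router against an approved list, and compares the router-supplied resolver's answers for authentication hostnames with answers from a trusted out-of-band resolver.

```python
"""
Two cheap checks for the DNS-setting hijack described in the advisory:
  1. Resolver audit: are the nameservers a host received from its router on the
     organization's approved list?
  2. Answer comparison: do the router-supplied resolver's answers for
     authentication hostnames agree with an out-of-band, trusted resolver?
All IPs, hostnames and the approved list below are constructed assumptions for
illustration, not values from the underlying report.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Assumption: the sanctioned resolvers for this network (internal forwarders).
APPROVED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf text, in order, skipping non-IP tokens."""
    servers: List[str] = []
    for token in _NAMESERVER_RE.findall(text):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # malformed line; a hijack check should not crash on it
    return servers


def unapproved_resolvers(nameservers: Iterable[str],
                         approved: Set[str] = APPROVED_RESOLVERS) -> List[str]:
    """Nameservers in use that are not on the approved list (a rogue resolver pushed by
    a tampered router shows up here)."""
    return [ns for ns in nameservers if ns not in approved]


def divergent_answers(local: Dict[str, Set[str]],
                      trusted: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per hostname, the addresses the local (router-supplied) resolver returned that the
    trusted resolver never did. An empty dict means the two agree."""
    findings: Dict[str, Set[str]] = {}
    for host, local_ips in local.items():
        extra = set(local_ips) - set(trusted.get(host, set()))
        if extra:
            findings[host] = extra
    return findings


def audit_host(resolv_conf_text: str,
               local_answers: Dict[str, Set[str]],
               trusted_answers: Dict[str, Set[str]]) -> Dict[str, object]:
    """Combine both checks into one verdict for a single host."""
    nameservers = parse_resolv_conf(resolv_conf_text)
    rogue = unapproved_resolvers(nameservers)
    divergent = divergent_answers(local_answers, trusted_answers)
    return {
        "nameservers": nameservers,
        "unapproved_resolvers": rogue,
        "divergent_answers": divergent,
        "suspicious": bool(rogue or divergent),
    }


# --- Constructed sample input (not captured data) ---------------------------
SAMPLE_RESOLV_CONF = """# constructed: a branch-office host behind a tampered router
nameserver 10.0.0.53
nameserver 198.51.100.7
search corp.example
"""

# Assumed watched authentication hostnames and assumed answers. The trusted
# answers would come from a resolver reached out of band (e.g. DoH to a pinned
# address); the local answers from the resolver the router handed out.
SAMPLE_LOCAL_ANSWERS = {
    "login.example.com": {"203.0.113.44"},   # assumed attacker-controlled address
    "sso.example.com": {"192.0.2.10"},
}
SAMPLE_TRUSTED_ANSWERS = {
    "login.example.com": {"192.0.2.20", "192.0.2.21"},
    "sso.example.com": {"192.0.2.10"},
}

if __name__ == "__main__":
    verdict = audit_host(SAMPLE_RESOLV_CONF, SAMPLE_LOCAL_ANSWERS, SAMPLE_TRUSTED_ANSWERS)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Two caveats when running this for real: the trusted lookup must bypass the router-supplied resolver entirely (encrypted DNS to a pinned address, or a query from outside the affected network), otherwise both sides see the same hijacked answer; and services behind CDNs legitimately return different addresses to different resolvers, so for those hosts compare the CNAME chain or the expected netblocks rather than raw A records to avoid false positives.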
Technical Notes — Attack vector: abuse of default/weak admin credentials and unpatched firmware on SOHO routers to change the device's DNS server setting; the technique relies on that configuration change rather than on a malicious binary, so router and endpoint file-based detections do not fire. Data types exfiltrated: usernames, passwords, SSO tokens, and other authentication credentials. Source: https://www.darkreading.com/threat-intelligence/russia-forest-blizzard-logins-soho-routers