ANSSI warns of an ongoing hacking campaign against French institutions by Chinese state-sponsored cybercriminals

Jul 23, 2021 19:04 GMT

French authorities warned that a massive ongoing cyberattack on French organizations is underway, targeting home and office routers, Ars Technica reports.

According to FireEye, the cybercriminal group APT31, also known as Panda and Zirconium, has conducted espionage campaigns against key institutions in the past, including the military, engineering, aviation, media, insurance, finance, construction, telecommunications, and even governments. The National Cyber Security Centre (NCSC) states that APT31 is one of three hacker groups backed by the Chinese government that were involved in the recent massive hacking campaign against Microsoft Exchange servers.

The National Agency for Information Systems Security (ANSSI) in France issued a warning to national companies and organizations on Wednesday, alerting them to a large-scale attack campaign involving hacked routers. Simply put, the attacks are carried out before being detected, and the intrusions are concealed.

Chinese state-sponsored hackers went on a hacking rampage against a number of French organizations

According to the ANSSI warning, the agency is handling a major intrusion campaign affecting many French organizations. Investigations conducted by ANSSI show that the threat actor uses a network of compromised home routers to conduct covert reconnaissance and attacks. According to a chart created by Cyjax security researcher Will Thomas, the IPs are hosted in Thailand, the United Arab Emirates, Egypt and Russia, with the highest concentration of IPs being in Russia.

The advisory contains indicators of compromise that businesses can use to determine whether or not they have been hacked or otherwise compromised. Although it is unclear whether the 161 IP addresses belong to compromised routers or to other Internet-connected devices that were used in the attacks, it is clear that they are associated with the attacks.

Those concerned about their devices should reboot them regularly, as most router malware cannot survive a reboot. Users should also make sure that remote management is turned off unless it is actually needed and locked down, and that DNS servers and other configuration settings have not been maliciously changed. As always, it is a good idea to install firmware updates promptly.
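As an added example (not code from the article or from ANSSI), here is how a defender could match firewall log entries against the advisory's IP indicators and check the router settings the article mentions; the IoC list, the expected resolvers, the log format and the log lines are all constructed placeholders, not the advisory's real values.

```python
import ipaddress
import re

# Constructed placeholder IoC set standing in for the ANSSI advisory's IP
# indicators (RFC 5737 documentation addresses, not real indicators).
ADVISORY_IOCS = {"192.0.2.44", "198.51.100.7", "203.0.113.90"}

# Resolvers the router is expected to use (assumed values for this example).
EXPECTED_DNS = {"9.9.9.9", "149.112.112.112"}

# Constructed sample firewall log lines in a syslog-like format (assumed).
SAMPLE_LOG = """\
Jul 21 03:12:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=443
Jul 21 03:12:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=10.0.0.5 PROTO=TCP DPT=22
Jul 21 03:13:41 fw kernel: IN=br0 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.90 PROTO=TCP DPT=8080
"""

# Pull every SRC=/DST= address out of a log line.
_ADDR = re.compile(r"\b(SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})")

def find_ioc_hits(log_text, iocs=ADVISORY_IOCS):
    """Return (line_no, direction, ip) for every SRC/DST address in the IoC set."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for direction, ip in _ADDR.findall(line):
            try:
                ipaddress.ip_address(ip)  # skip malformed matches like 999.1.1.1
            except ValueError:
                continue
            if ip in iocs:
                hits.append((n, direction, ip))
    return hits

def check_router_config(config, expected_dns=EXPECTED_DNS):
    """Flag remote management left on and resolvers that differ from the expected set."""
    findings = []
    if config.get("remote_management_enabled"):
        findings.append("remote management is enabled; disable it unless needed and locked down")
    unexpected = set(config.get("dns_servers", [])) - expected_dns
    if unexpected:
        findings.append("unexpected DNS servers: " + ", ".join(sorted(unexpected)))
    return findings

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print("IoC hit:", hit)
    # Constructed router configuration snapshot (assumed shape).
    for finding in check_router_config({"remote_management_enabled": True,
                                        "dns_servers": ["9.9.9.9", "192.0.2.53"]}):
        print("finding:", finding)
```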