1. Forum
  2. FidoNet
  3. CONSPRCY

  • UK, MS warn Russian hacke

    From Mike Powell@1:2320/107 to All on Wednesday, April 08, 2026 09:58:35
    'This puts organizations at risk of credential theft, data manipulation and broader compromise': UK government, Microsoft warn Russian hackers are
    hitting TP-Link home routers to hijack internet traffic

    Date:
    Wed, 08 Apr 2026 10:24:24 +0000

    Description:
    SOHO endpoints are being used as gateways into corporate environments, where credentials and sensitive data gets harvested.

    FULL STORY
    Russian state-sponsored threat actors are targeting poorly
    protected Small Office/Home Office (SOHO) devices and using them to pivot
    into enterprise and corporate environments, experts have claimed.

    A report from Microsoft Threat Intelligence has warned about a large-scale attack by Forest Blizzard (AKA APT28) targeting TP-Link routers. So far, more than 200 organizations and more than 5,000 consumer devices have been
    impacted by the attack, Microsoft said, noting the group is mostly interested in cyber-espionage and intelligence gathering. The campaign apparently
    started in August 2025, and instead of targeting corporate networks directly, Forest Blizzard focused on edge devices such as home routers, which often
    lack strong security controls and oversight present in enterprise
    environments.

    Microsoft did not explicitly say how the attackers break into these endpoints but suggests they might have default or easy-to-crack passwords or known but unpatched vulnerabilities that can easily be exploited.

    Once inside, they change the devices configuration to route Domain Name
    System (DNS) traffic through infrastructure they control, allowing them to monitor, and even influence, how infected devices resolve domain names.

    By operating at this upstream level, APT28 gained broad visibility into
    network activity across both consumer and enterprise environments. This not only allows them to conduct passive surveillance at scale but also prepares
    the terrain for more targeted follow-on attacks against organizations of
    higher value.

    The DNS acts like the internets address book. So, instead of sending requests to legitimate DNS servers, compromised devices are actually being redirected
    to servers under the attackers control. In more targeted cases, the threat actors would manipulate DNS responses to redirect victims to fake versions of legitimate services, resulting in whats known as an Adversary-in-the-Middle (AitM) attack.

    This, in turn, allows APT28s operatives to intercept data as it moves between the user and the real service.

    If the victim ignores browser warnings about invalid security certificates (which, truth be told, many of us often do), the attackers may be able to capture sensitive information, including login credentials and emails.

    The campaign affects a wide range of sectors, Microsoft
    stressed, including government agencies, information technology, telecommunications, and energy. While thousands of home and small office devices were compromised, Forest Blizzard appears to use the most intrusive follow-on attacks selectively, focusing on high-value targets.

    They use AitM attacks to intercept emails and cloud data, but the sheer
    number of compromised devices give them a lot of maneuver space, for possibly larger-scale campaigns in the future.

    While the number of organizations specifically targeted for TLS AiTM is only
    a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actors broad access could enable larger-scale AiTM attacks, which might include active traffic interception, Microsoft warned.

    Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft
    has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.

    To defend against DNS hijacking, Microsoft advises organizations enforce trusted DNS servers, block malicious domains, maintain DNS logs, and avoid
    SOHO devices in corporate networks.

    For AiTM and credential theft, they recommend centralizing identity
    management, enabling Single Sign-On, enforcing multifactor authentication
    (MFA) and passkeys, applying Conditional Access policies, and monitoring
    risky sign-ins with continuous access evaluation. Organizations should log identity activity, protect privileged accounts with phishing-resistant MFA,
    and follow Microsofts incident response best practices for recovering from systemic identity compromises. Network protection via Microsoft Defender for Endpoint is also recommended to block malicious sites.

    Link to news story: https://www.techradar.com/pro/security/this-puts-organizations-at-risk-of-cred ential-theft-data-manipulation-and-broader-compromise-uk-government-microsoft- warn-russian-hackers-are-hitting-tp-link-home-routers-to-hijack-internet-traff ic

    $$
    --- SBBSecho 3.28-Linux
    * Origin: Capitol City Online (1:2320/107)