FBI Sounds Alarm on Rogue Services Targeting Obsolete Routers

Edge devices have become prime targets for cyber threat actors, particularly routers that are no longer receiving security updates and patches, leaving them vulnerable to exploitation.

The FBI recently published a report sharing new findings about threat actors exploiting known vulnerabilities to compromise obsolete routers, also dubbed end-of-life (EOL) routers in the cyber community.

This specific campaign is associated with Anyproxy and 5Socks, well-known proxy services used by cybercriminals.

The domains of both proxy services appear to have been seized by law enforcement.

Cybercriminal Network Associated with Anyproxy and 5Socks

The FBI found that a threat actor had successfully exploited routers that were no longer supported by their vendor, indicating that they likely contained unpatched software vulnerabilities.

While the FBI did not name the manufacturer, the affected models shared by the Bureau could suggest that the impacted routers are from Cisco’s Linksys and Ericsson’s Cradlepoint.

The threat actor’s primary method for exploiting the routers’ vulnerabilities was through remote monitoring and management (RMM) software that was pre-installed on the devices. They were able to bypass authentication protection and gain shell access to the routers.

Once access to the routers was gained, the cybercriminals installed malware and enrolled the routers in a bot network (botnet) under their control, either to launch coordinated attacks or to sell access to the devices as proxy services.

The malware communicated with a command-and-control (C2) server controlled by the threat actor through a two-way handshake between the server and the routers. The C2 server also performed regular check-ins with the routers and opened ports to make them available to users as proxy servers.

These services, associated with the Anyproxy and 5Socks proxy networks, could then be utilized by other cybercriminals to conceal their tracks while engaging in illicit activities online.

While the FBI did not make any attribution at this time, the advisory noted, “Chinese cyber actors are also among those who have taken advantage of known vulnerabilities in end-of-life routers or other edge devices to establish botnets used to conceal hacking into US critical infrastructure.”


FBI Recommends Upgrading Routers to Newer Models

“Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices,” noted the FBI.

Therefore, the Bureau advised replacing any routers vulnerable to known flaws with newer models or, failing that, disabling remote administration on those routers and rebooting them.

OpenEoX: Standardizing End-of-Life Disclosures

This FBI advisory comes a few days after a coalition of major tech vendors, including Cisco, Microsoft and IBM, published a new update on ‘OpenEoX,’ a framework supported by the OASIS Open consortium to standardize the way companies announce when their products will no longer receive security patches or support.

The draft standard, released through the OASIS standards body, aims to address the issue of end-of-life notices being scattered, inconsistently worded and hard to track, which can cause significant problems for organizations running outdated software or hardware.

The OpenEoX framework proposes a shared data format that can be integrated into software bills of materials (SBOMs), security advisories and other cybersecurity documents.
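As an added illustration of how the FBI's guidance (replace EOL routers, or at least disable remote administration and reboot) and an end-of-support data feed fit together in practice, the following Python example triages a constructed router inventory against a constructed end-of-support table. It is not code from the FBI, OASIS or the OpenEoX project, and the record layout is an assumed stand-in, not the OpenEoX schema.

```python
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support data: (vendor, model) -> last support date.
# Assumed stand-in record layout, not the OpenEoX schema.
EOL_FEED = {
    ("ExampleVendor", "EdgeRouter-100"): date(2021, 6, 30),
    ("ExampleVendor", "EdgeRouter-200"): date(2030, 1, 1),
}


@dataclass
class Router:
    hostname: str
    vendor: str
    model: str
    remote_admin_enabled: bool  # management interface reachable from the WAN side


def support_status(router: Router, today: date, feed=EOL_FEED) -> str:
    """Return 'eol', 'supported' or 'unknown' (model absent from the feed)."""
    end = feed.get((router.vendor, router.model))
    if end is None:
        return "unknown"
    return "eol" if end <= today else "supported"


def triage(router: Router, today: date, feed=EOL_FEED) -> dict:
    """Map one device to the action the advisory's guidance implies."""
    status = support_status(router, today, feed)
    if status == "eol" and router.remote_admin_enabled:
        action = "replace; disable remote administration and reboot meanwhile"
    elif status == "eol":
        action = "replace"
    elif status == "unknown":
        action = "verify support status with vendor"
    elif router.remote_admin_enabled:
        action = "disable remote administration unless required"
    else:
        action = "none"
    return {"host": router.hostname, "status": status,
            "exposed": router.remote_admin_enabled, "action": action}


def triage_inventory(routers, today: date, feed=EOL_FEED) -> list:
    """Worst findings first: EOL and WAN-exposed devices at the top."""
    rank = {"eol": 0, "unknown": 1, "supported": 2}
    findings = [triage(r, today, feed) for r in routers]
    return sorted(findings, key=lambda f: (rank[f["status"]], not f["exposed"]))
```

A real deployment would replace the constructed table with the vendor's published end-of-support data and the inventory with what the network's device management system reports.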
