State cybersecurity agencies around the world are advising extra care over home routers as they could be used in 'China-nexus' covert networks

Just a month after the FCC banned foreign consumer-grade routers that lack the special permissions to be sold, the Cybersecurity and Infrastructure Security Agency (CISA), along with the National Cyber Security Centre (NCSC-UK) and other security orgs, has advised users of their risks. Compromised home routers, it seems, are the new cybersecurity bugbears.

This is because, as CISA puts it: "Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices."

'Covert networks' have supposedly been used "for each phase of their Cyber Kill Chains, from performing scans as part of reconnaissance, to the delivery of malware, communicating with said malware, and exfiltrating stolen data from a victim."

The attackers will exploit vulnerable devices, including home routers, and then sit there, using them as little nodes in their broader covert network infrastructure.

"Covert networks mostly consist of compromised SOHO routers, but they also pull in any vulnerable device they can exploit at scale" says the CISA report. Examples include webcams, firewalls, and NAS devices. If they're end-of-life (EOL) and not receiving security updates, the risk increases.

"If a particular threat group could now come from one of many covert networks," CISA says, "each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors, old network defense paradigms of static malicious IP block lists will be less effective."

"A description of all known covert networks in detail, including how they are constructed and how they communicate, would immediately be out of date."

Last month, the US Federal Communications Commission (FCC) added "all consumer-grade routers produced in foreign countries" to the Covered List, meaning they'll require special permission to be sold in the US. Which, of course, does nothing to solve any compromised routers that are already sitting in homes and offices around the country.

Firmware security company Eclypsium says that, with this and now the CISA advisory, "the message is clear: the SOHO router supply chain is being framed as a meaningful source of cyber risk to U.S. critical infrastructure"

However, Eclypsium says that this is "only part of the picture... a router ban can reduce some risk at the edges. It does not fundamentally change the attacker playbook."

The most important thing, according to Eclypsium, is "defending the enterprise edge of critical infrastructure companies", and one of the biggest gaps on this front is a "lack of device integrity visibility", meaning device trust should be "continuously re-established, not assumed."

In other words, repeated security validation for devices across its entire lifespan. We need to be "continuously validating what is already inside the organization’s walls."

CISA recommends "active hunting" for the most at-risk organisations, sniffing out IP addresses that are likely part of a covert network, and to generally act more dynamically and actively to keep defenses shored up. For organisations that aren't quite as at risk, but still somewhat so, the agency advises things like zero-trust connection policies and IP address allow lists rather than deny lists for remote work.

For organisations that aren't at risk, however, recommendations are broadly what should already be expected, such as understanding what connections you should be seeing and implementing multi-factor authentication.

There are also some more general recommendations, and you probably won't be surprised to see that these include keeping devices up to date and using modern systems and software. For the home user, just ensuring your device is still live and receiving security updates is, as always, the way to go. I wouldn't fancy being a larger organisation having to do much more to deal with these "covert networks", though.