Network for Rent: How Outdated Router Security Fuels Cybercrime | LMG Security
By Staff Writer at LMG Security   /   May 29th, 2025

Outdated routers are no longer just a nuisance. According to a recent FBI warning, they’ve become the launchpad for a global cybercrime infrastructure-for-hire. The culprit: TheMoon malware, which turns vulnerable routers into anonymous entry points for malicious activity. This issue highlights a critical area of cybersecurity that is too often overlooked: router security.

This article is based on a recent episode of Cyberside Chats, a weekly video podcast produced by our team at LMG Security.

What Is TheMoon Malware, and Why Should You Care?

On May 7th, the FBI issued a warning that hackers are targeting end-of-life routers, bringing renewed attention to router security risks. At the center of the alert is TheMoon malware, which targets end-of-life routers made by vendors like Linksys, Cisco, and ASUS. Once infected, these devices become part of a massive global botnet known as Faceless, used by criminals to hide their operations behind seemingly legitimate internet traffic.

Why does that matter? Because attackers can now rent ‘clean’ domestic IP addresses from these compromised routers, IP-based controls such as IP filtering, reputation checks, and geofencing become far less effective. “If they want the attack to come from Houston, it can; if they want it to come from New York, it can come from New York,” Matt Durrin, LMG Security’s director of training and research, shared. “They have taken over so many of these devices across the world that they can realistically break through any geofence that a company has set up.”

Case Study: The Faceless Proxy Network

The Faceless proxy service has grown to include over 40,000 infected routers across 88 countries, with a staggering 80% based in the United States. Attackers rent access to these devices to:

  • Evade detection during malware delivery
  • Route command-and-control (C2) traffic
  • Bypass credential protections and authentication systems

No authentication is required. No scrutiny. Just instant access to U.S. IPs that blend in perfectly with legitimate traffic.

It’s a setup reminiscent of the infamous Mirai botnet, which exploited DVRs and IoT devices to launch massive DDoS attacks. Only this time, attackers are monetizing the network directly, selling clean traffic streams to other criminals. This underscores the growing importance of strong router security throughout our global technology ecosystem.

Operation Moonlander: A Temporary Victory

In a joint operation dubbed Operation Moonlander, international authorities recently took down two of the largest proxy service marketplaces—5Socks and AnyProxy. These platforms had been operating for nearly 20 years, earning over $46 million by selling access to compromised routers.

While this takedown disrupted Faceless operations, the underlying infected devices are still in the wild—and will be repurposed in new proxy networks unless they’re physically replaced. Router security isn’t about responding to one botnet—it’s about preventing the next one.

Router Security for Organizations: Why It’s More Than Just a Homeowner Issue

You might be thinking: “So what if an old home router gets compromised?” The reality is that router security impacts your organization’s security. “Just because there’s not a published security vulnerability does not mean there’s not a security vulnerability, especially with older routers,” according to Sherri Davidoff, founder of LMG Security.

Here’s how:

  1. Trusted IP addresses are no longer trustworthy
    A compromised router in someone’s living room can now serve as a proxy for ransomware operators. When that traffic hits your perimeter, it looks safe—because it’s coming from a residential U.S. IP.
  2. Remote workers and vendors expand the attack surface
    Employees logging in from home, third-party vendors with legacy gear, and unmanaged remote offices may all be using vulnerable hardware.
  3. IP allowlists, geofencing, and DNS filters fall short
    If you’re relying on static IP controls or geographic restrictions to block intrusions, you’re probably missing these attackers.

Your network is only as strong as its weakest endpoint. That includes unmanaged hardware at remote offices or employee homes, third-party vendor gear, and forgotten devices in storage closets.

How to Strengthen Router Security: 5 Steps Your Organization Should Take Now

To safeguard your organization, here are five actionable strategies recommended by LMG Security’s experts:

  1. Replace End-of-Life Routers

Legacy routers—especially those manufactured before 2015—must be phased out. Even if they’re still functioning, they’re likely unpatched, unsupported, and exploitable. Start by auditing:

    • Branch office infrastructure
    • Vendor-provided networking equipment
    • Remote employee setups

Comprehensive router security starts with eliminating the easy targets.

  2. Restrict Remote Administration

Default settings can be fatal. Never expose admin interfaces on the open internet. Improve router security by:

    • Turning off remote admin unless absolutely necessary
    • Restricting access by IP address
    • Using VPNs and enforcing MFA

Attackers frequently scan for exposed admin interfaces. Don’t make it easy for them.

  3. Harden and Patch Infrastructure

Apply firmware updates regularly—yes, even for “non-critical” devices. And for routers or IoT gear that can’t be upgraded:

    • Segregate them onto isolated VLANs
    • Monitor network traffic for unusual patterns
    • Phase out unsupported hardware systematically

Strengthen router security by disabling unused services, setting strong admin passwords, and applying vendor security guidance. The LMG Security team also suggests using a continuous attack surface management solution that can significantly reduce your risk and incorporate stronger, verified patch management.

  4. Don’t Trust Domestic IPs

Because 80% of proxy nodes are U.S.-based, traditional trust models are broken for U.S. organizations. Enterprise router security must evolve beyond basic IP allowlists.

    • Use proxy detection tools and services
    • Integrate threat intel feeds that flag proxy traffic
    • Monitor for anomalous access from “trusted” regions

Geofencing alone is no longer a viable defense.

  5. Monitor, Log, and Report Proxy Abuse

Treat proxy networks like Faceless as part of your organization’s attack surface. Add IOCs from the FBI and other reputable sources into your SIEM. Look for:

    • High-volume traffic from residential blocks
    • Anomalous remote access patterns
    • Misuse of trusted accounts through unexpected IP ranges

And above all, report suspicious activity to IC3.gov—including IP addresses, timestamps, and device types—to assist in broader investigations.
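The following is an added example, not code from the LMG Security article or from Cyberside Chats, showing how the advice in steps 4 and 5 can be turned into simple SIEM-style detections. It assumes a syslog-like VPN login format of its own design, a placeholder IOC set standing in for indicators published by the FBI or a threat-intel feed, and a 30-minute window for the "trusted account from an unexpected range" check; every IP address and log line is constructed from RFC 5737 documentation ranges and is not a real indicator.

```python
"""
Added example (not from the LMG Security article): three detections that
operationalize "don't trust domestic IPs" and "monitor for proxy abuse".
A constructed IOC list stands in for proxy-node indicators from the FBI or a
threat-intel feed; constructed VPN login lines stand in for SIEM events.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed placeholder IOCs (RFC 5737 documentation addresses), not real proxy nodes.
PROXY_IOCS = {"203.0.113.45", "198.51.100.77"}

# Constructed sample VPN login events in a syslog-like format of our own design.
SAMPLE_LOGS = """\
2025-05-20T08:01:10Z vpn login user=alice src=192.0.2.10 result=success
2025-05-20T08:03:42Z vpn login user=bob src=203.0.113.45 result=success
2025-05-20T08:05:00Z vpn login user=alice src=198.51.100.200 result=success
2025-05-20T08:40:12Z vpn login user=carol src=192.0.2.77 result=success
2025-05-20T09:15:00Z vpn login user=carol src=192.0.2.80 result=success
2025-05-20T09:16:30Z vpn login user=dave src=203.0.113.9 result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_logs(text):
    """Parse the constructed log format into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def block_of(ip, prefix=24):
    """Return the /prefix network containing ip, e.g. '192.0.2.10' -> '192.0.2.0/24'."""
    return str(ipaddress.ip_network((ip, prefix), strict=False))


def match_iocs(events, iocs):
    """Direct hits: events whose source IP is on the IOC list, regardless of login result."""
    return [(e["user"], e["src"]) for e in events if e["src"] in iocs]


def block_hopping(events, window=timedelta(minutes=30), prefix=24):
    """Flag a user whose consecutive successful logins come from different /prefix
    blocks within `window`. A residential proxy makes each hop look like an ordinary
    home connection, so the change of block, not either IP's reputation, is the signal."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            a, b = block_of(prev["src"], prefix), block_of(cur["src"], prefix)
            if a != b and cur["ts"] - prev["ts"] <= window:
                alerts.append((user, a, b))
    return alerts


def volume_by_block(events, prefix=24):
    """Login count per /prefix block, for the 'high-volume traffic from residential
    blocks' case: compare against a baseline, and join with an external dataset to
    decide which blocks are residential (that dataset is assumed, not shown)."""
    return dict(Counter(block_of(e["src"], prefix) for e in events))


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("IOC hits:", match_iocs(evs, PROXY_IOCS))
    print("Block hopping:", block_hopping(evs))
    print("Volume by /24:", volume_by_block(evs))
```

In the sample data, bob's login from an IOC address is the direct hit, and alice's two successful logins from unrelated /24 blocks four minutes apart are the behavioural hit; carol's move within one /24 and dave's failed login are deliberately not flagged. Each alert carries the IP, timestamp context, and account needed for an IC3 report.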

Final Thoughts: The Internet Is a Shared Space

As we discussed on Cyberside Chats, security isn’t just about firewalls and passwords—it’s about shared responsibility. Grandma’s router might be hijacked to attack your infrastructure. Your cousin’s outdated Linksys might be a proxy for a phishing campaign against your employees. Our entire digital ecosystem is connected, and router security is a shared responsibility across businesses, individuals, and vendors.

We’re all in this together.

To reduce your organization’s risk, you need to take proactive steps to update infrastructure, restrict access, and integrate advanced threat intelligence. You can also help by encouraging employees and colleagues to maintain high router security standards both at work and at home, reinforcing collective cybersecurity resilience.

If you need help strengthening your organization’s cybersecurity posture and router security, we can help. From penetration testing to risk assessments and vCISO services, contact our friendly team of experts for a cost-effective plan to reduce your risk of a data breach.
