12 June 2025

Former Black Basta Members Now Exploit Routers in New Cyberattacks – Here’s What You Need to Know

Cybercrime doesn’t retire—it reinvents.

In the ever-evolving world of cybersecurity, attackers are constantly shifting tactics to find new weak points. Recent threat intelligence reports have revealed that former members of the Black Basta ransomware group—once known for crippling organizations with double-extortion attacks—have pivoted from traditional endpoints and servers to a more insidious target: enterprise routers.

This isn’t just a new trick. It’s a paradigm shift. And it’s happening right now.

At DigiALERT, we’ve been closely monitoring this disturbing trend, and what we’re seeing is a clear escalation in router-based attacks—sophisticated, stealthy, and devastatingly effective.

Let’s break it down.

What’s Happening? A New Wave of Router Exploits

Until recently, routers were treated more like utilities than potential attack surfaces. Often installed and forgotten, they rarely received the same level of security attention as servers or endpoints. That’s what makes them a perfect target for advanced threat actors.

Now, former Black Basta operatives have started exploiting these neglected devices, using them as backdoors into enterprise environments.

Here’s how it works:

  • Attackers scan the internet for routers with unpatched vulnerabilities or default credentials.
  • Once compromised, they intercept internal network traffic, move laterally, and identify key assets.
  • The end goal remains the same: ransomware deployment and data exfiltration—but the attack vector is brand new.

This method gives attackers a low-detection, high-impact entry point. Traditional EDR (Endpoint Detection and Response) and antivirus tools simply don’t monitor routers.

That’s why this threat is growing—and fast.

The Data: Why Router Exploits Are on the Rise

The scale of the problem is alarming. Recent cybersecurity studies and threat reports paint a clear picture of how serious the situation has become:

  • 60%+ of enterprise routers in use today have at least one known unpatched vulnerability.
  • Router-based cyberattacks have increased by over 40% in the past 12 months, according to threat monitoring data.
  • Default admin credentials are still being used in nearly 25% of deployed routers, providing attackers with an open door.
  • Once inside, attackers remain undetected for an average of 21 days, giving them ample time to pivot, map internal networks, and prepare payloads.

These statistics should raise immediate red flags for CISOs, IT admins, and business leaders alike.

Who’s Behind This Shift?

The core individuals driving these new attacks are believed to be former affiliates or members of the Black Basta ransomware gang, which went dormant in late 2024 after law enforcement began tightening the noose around ransomware operations.

Instead of disappearing, these skilled actors reassembled in underground forums, collaborating with other advanced persistent threat (APT) groups to develop new methods of infiltration. Routers, with their poor update cycles and limited visibility, became an obvious target.

Their approach includes:

  • Firmware exploitation via known CVEs (Common Vulnerabilities and Exposures)
  • Credential stuffing to break into devices with weak or default passwords
  • Abusing router VPN tunnels to bypass firewalls and monitoring tools

This is not opportunistic cybercrime—it’s methodical, professional, and deeply strategic.

Why SMBs Are Especially at Risk

Large enterprises may have internal policies, dedicated teams, and regular patch cycles. But SMBs (small and mid-sized businesses)? That’s where the gap widens.

Many small businesses:

  • Don’t regularly update router firmware.
  • Use legacy routers with known vulnerabilities.
  • Assume that endpoint protection or firewalls are enough.
  • Lack network segmentation or router logging.

Unfortunately, these assumptions create an environment where attackers can move freely once a router is compromised.

In recent breach cases we investigated, the initial entry point was a compromised router in a remote branch office—and the company didn’t detect it until ransomware locked down their internal systems.

How to Defend Against Router-Based Attacks

Routers must now be treated as critical security assets, not just networking gear. The attack surface has expanded, and your defenses must keep pace.

At DigiALERT, our experts recommend the following defense strategies:

1. Enforce Firmware Management

  • Set a monthly update policy for router firmware.
  • Subscribe to vendor vulnerability notifications.
  • Replace EOL (end-of-life) routers that no longer receive security patches.

2. Harden Router Credentials

  • Disable default accounts immediately.
  • Enforce long, complex passwords for router admin interfaces.
  • Implement 2FA where possible.

3. Network Segmentation

  • Keep routers, especially remote ones, on separate VLANs.
  • Limit their access to core servers or production systems.
  • Monitor inter-VLAN traffic for anomalies.

4. Monitor Router Traffic

  • Deploy tools that inspect DNS, routing logs, and configuration changes.
  • Enable logging on routers and send logs to a centralized SIEM (like our DigiALERT SIEM+).

5. Proactive Threat Hunting

  • Look for uncommon outbound connections from routers.
  • Watch for unexpected firmware updates or command-and-control (C2) style traffic patterns.
  • Use honeypots or decoys to lure router exploit attempts.
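To make steps 4 and 5 concrete, here is an added example (ours for this post, not a DigiALERT product or any vendor's code) that runs the hunting checks above over router logs: admin logins from outside the management subnet, DNS resolver changes to an unapproved address, outbound connections from the router itself to non-internal destinations, and firmware replacement. The log format, the management subnet, the approved resolver and the allowed outbound range are all assumed; adapt the regexes to your device's syslog format.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample router syslog lines (not captured from a real device).
SAMPLE_LOGS = """\
router1 login: user admin from 10.0.0.5 succeeded
router1 login: user admin from 203.0.113.77 succeeded
router1 config: dns-server changed 10.0.0.53 -> 198.51.100.9
router1 login: user admin from 10.0.0.5 failed
router1 conn: outbound 192.0.2.44:443 proto tcp
router1 conn: outbound 10.0.0.53:53 proto udp
router1 firmware: image replaced by 203.0.113.77
"""

ADMIN_NETS = [ip_network("10.0.0.0/24")]       # assumed management VLAN
TRUSTED_DNS = {"10.0.0.53"}                     # assumed approved resolver
ALLOWED_OUTBOUND = [ip_network("10.0.0.0/8")]   # router itself should stay internal

LOGIN_RE = re.compile(r"login: user (\S+) from (\S+) succeeded")
DNS_RE = re.compile(r"dns-server changed \S+ -> (\S+)")
CONN_RE = re.compile(r"conn: outbound (\S+):\d+ proto \w+")
FW_RE = re.compile(r"firmware: image replaced by (\S+)")


def _in_any(addr, nets):
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def hunt(log_text):
    """Return (finding_type, log_line) pairs for the hunting cases listed above."""
    findings = []
    for line in log_text.splitlines():
        if (m := LOGIN_RE.search(line)) and not _in_any(m.group(2), ADMIN_NETS):
            findings.append(("admin_login_from_untrusted_source", line))
        elif (m := DNS_RE.search(line)) and m.group(1) not in TRUSTED_DNS:
            findings.append(("dns_redirection", line))
        elif (m := CONN_RE.search(line)) and not _in_any(m.group(1), ALLOWED_OUTBOUND):
            findings.append(("unexpected_outbound", line))
        elif FW_RE.search(line):
            findings.append(("firmware_tampering", line))
    return findings


if __name__ == "__main__":
    for kind, line in hunt(SAMPLE_LOGS):
        print(f"[{kind}] {line}")
```

Each finding type maps to one of the alert categories in the sections above, so the same function can feed a SIEM correlation rule once the log parsing matches your router's real format.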

How DigiALERT Can Help

We’ve built our router threat protection services around real-world attacks we’ve investigated.

Through 24/7 digital risk monitoring, our systems alert clients to:

  • Unusual router logins or configuration changes
  • Outbound communication to known malicious IPs
  • Router firmware tampering and DNS redirection attempts

We also offer:

  • Free Router Security Assessment
  • Credential audit for all network devices
  • Custom playbooks for router-based incident response

“Router security is no longer optional—it’s a frontline defense. Organizations must treat routers as critical infrastructure, not just passive devices.”

Final Thought: Don’t Wait for a Breach to React

  • Let’s be clear: router-based attacks aren’t speculative. They’re happening right now—and they’re being executed by highly skilled, well-resourced groups.
  • Every unsecured router is an open door. The question is not if someone will walk through it—but when.

Take Action Today

Is your organization ready to deal with router-based threats?

Here’s what you can do now:

  • Follow DigiALERT and VinodSenthil for real-time threat intelligence and updates.
  • Request a complimentary router vulnerability scan from our team.
  • Drop a comment below: Have you seen router exploits in your industry?

Together, we can close this overlooked gap—before attackers exploit it.

Last modified on 12 June 2025

Information

digiALERT is a rapidly growing new-age premium cyber security services firm and the trusted cyber security partner for 500+ enterprises across the globe. We are headquartered in India, with offices in Santa Clara, Sacramento, Colombo, Kathmandu, and other locations. We firmly believe that, as a company, you should focus on your core area while we focus on ours: taking care of your cyber security needs.