SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks

Keypoints

• Forest Blizzard and its sub-group Storm-2754 conducted large-scale compromise of SOHO devices to alter router DNS settings and forward DNS queries to actor-controlled resolvers.
• Microsoft observed over 200 organizations and 5,000 consumer devices impacted; no Microsoft-owned assets or services were indicated as compromised by telemetry.
• The actor likely uses the legitimate dnsmasq utility on port 53 to perform DNS resolution and capture DNS traffic from infected edge devices.
• Forest Blizzard selectively conducted TLS adversary-in-the-middle (AiTM) attacks—spoofing TLS certificates—to intercept traffic for high-value targets, including Microsoft Outlook on the web domains and specific government servers.
• DNS hijacking gives passive, persistent visibility and the potential to pivot into enterprise environments via less-monitored edge devices used by remote and hybrid employees.
• Microsoft published mitigation guidance (e.g., secure SOHO devices, centralize identity, enforce MFA/Conditional Access) and Defender detection and hunting queries to help defenders detect and respond to this activity.