
US Government Urges Cleanup of Routers Infected by Russia’s APT28

The US government says Russia’s APT28 group compromised Ubiquiti EdgeRouters to run cyberespionage operations worldwide.


Two weeks after dismantling a botnet of Ubiquiti routers used by a Russian advanced persistent threat (APT) actor to conduct cyberespionage operations worldwide, the US government is urging organizations and consumers to clean up their devices in support of the disruption effort.

According to the US, hundreds of small office/home office (SOHO) routers from Ubiquiti were ensnared into a botnet after cybercriminals infected them with the ‘Moobot’ malware.

Control of the infected Ubiquiti EdgeRouters was then handed over to the Russian cyberespionage group APT28, which is also known as Fancy Bear, Forest Blizzard, Pawn Storm, Sednit, and Sofacy Group, and which is connected to the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU).

According to a joint advisory (PDF) from the FBI, NSA, and US Cyber Command, APT28 has been abusing compromised EdgeRouters for covert operations since 2022, targeting aerospace, energy, government, manufacturing, oil and gas, technology, and transportation organizations in Europe, the Middle East, and the US.

To access EdgeRouters, APT28 used default credentials and trojanized OpenSSH server processes associated with Moobot, a Mirai-based piece of malware that ensnares internet of things (IoT) devices into a botnet, the joint advisory reads.

The attackers would obtain root access to compromised Ubiquiti EdgeRouters, which enabled them to install various tools and to obfuscate their identity.

“APT28 actors have used compromised EdgeRouters to collect credentials, proxy network traffic, and host spoofed landing pages and custom post-exploitation tools,” the joint advisory reads.

The threat actor was seen exploiting an Outlook zero-day (CVE-2023-23397) to collect NTLMv2 digests from targeted Outlook accounts and deploying custom Python scripts for harvesting and validating the credentials of webmail users.


Additionally, APT28 was seen using iptables rules on the compromised routers to establish reverse proxy connections to the group’s infrastructure and uploading their own SSH RSA keys to establish reverse SSH tunnels to the compromised devices.

EdgeRouters, the advisory reveals, were also used as command-and-control (C&C) infrastructure for MASEPIE, a Python backdoor that supports the execution of arbitrary commands and that is deployed on victims' systems rather than on the EdgeRouters themselves.

The advisory also provides indicators of compromise (IoCs) that organizations and consumers are encouraged to use when hunting for signs of infection, as well as mitigation recommendations, which include factory resetting devices, upgrading to the latest firmware release, changing default credentials, and implementing firewall rules to prevent exposure of remote management services.
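The two preceding points, the iptables reverse-proxy rules and uploaded SSH keys the group used, and the advisory's recommendation to keep remote management off the internet, translate into a few checks a defender can run offline against configuration pulled from a router. The script below is an added illustration, not code from the advisory, SecurityWeek, or Ubiquiti; it assumes the defender has an `iptables-save` dump and the root account's `authorized_keys` file, that `eth0` is the WAN interface, and that a list of approved key fingerprints exists. The sample inputs embedded in it are constructed.

```python
"""Offline hunt for the EdgeRouter compromise indicators discussed above.

Added example (not from the joint advisory or SecurityWeek). Inputs are
plain text a defender would copy off a router: an `iptables-save` dump and
root's authorized_keys. All sample data below is constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed iptables-save dump: one DNAT rule forwards inbound port 8443
# to an external host (the reverse-proxy pattern); another forwards to an
# internal server, which is ordinary port forwarding; INPUT accepts SSH
# and HTTPS on the WAN interface.
SAMPLE_IPTABLES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 203.0.113.77:443
-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed authorized_keys: one approved admin key and one unknown key.
SAMPLE_AUTH_KEYS = """\
# managed by IT
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY00000000000000000000 admin@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEUNKNOWNKEY0000000000000000 unknown
"""

# Assumptions: approved key material is known, eth0 faces the internet,
# and these ports carry remote-management services on the device.
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY00000000000000000000"}
WAN_IFACE = "eth0"
MGMT_PORTS = {22, 80, 443}

# Address ranges a DNAT target may legitimately point at (local networks).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

DNAT_RE = re.compile(r"-A PREROUTING .*-j DNAT --to-destination (\S+)")
INPUT_RE = re.compile(r"-A INPUT -i (\S+) .*--dport (\d+) -j ACCEPT")


def find_external_dnat(iptables_dump: str) -> List[str]:
    """Return DNAT targets outside local address space (proxy-to-outside pattern)."""
    hits = []
    for line in iptables_dump.splitlines():
        m = DNAT_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        host = target.rsplit(":", 1)[0]
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            hits.append(target)  # hostname targets cannot be vetted here; flag them
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            hits.append(target)
    return hits


def find_exposed_mgmt(iptables_dump: str, wan: str = WAN_IFACE) -> List[int]:
    """Return management ports accepted on the WAN interface."""
    ports = set()
    for line in iptables_dump.splitlines():
        m = INPUT_RE.search(line)
        if m and m.group(1) == wan and int(m.group(2)) in MGMT_PORTS:
            ports.add(int(m.group(2)))
    return sorted(ports)


def find_unknown_keys(auth_keys: str, known=KNOWN_KEYS) -> List[str]:
    """Return the comment (or key type) of every key not on the approved list."""
    unknown = []
    for line in auth_keys.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in known:
            unknown.append(parts[2] if len(parts) > 2 else parts[0])
    return unknown


def hunt(iptables_dump: str, auth_keys: str) -> Dict[str, list]:
    """Combine the three checks into one findings dictionary."""
    return {
        "external_dnat": find_external_dnat(iptables_dump),
        "exposed_mgmt_ports": find_exposed_mgmt(iptables_dump),
        "unknown_ssh_keys": find_unknown_keys(auth_keys),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_IPTABLES, SAMPLE_AUTH_KEYS).items():
        print(f"{name}: {finding if finding else 'none'}")
```

Any non-empty finding is a prompt for the advisory's remediation steps (factory reset, firmware upgrade, new credentials, and WAN firewall rules), not proof of compromise on its own; a DNAT to an external host may be an administrator's doing, so confirm against change records before resetting a production device.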

“Owners of relevant devices should take the remedial actions to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises,” the advisory reads.

Related: Russian APT Used Zero-Click Outlook Exploit

Related: Russian Cyberspies Targeting Cloud Infrastructure via Dormant Accounts

Related: Russian Turla Cyberspies Target Polish NGOs With New Backdoor


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
