In a new joint advisory, cybersecurity and intelligence agencies from the United States and other nations urge Ubiquiti EdgeRouter users to take precautions, weeks after a botnet of infected routers was dismantled by law enforcement as part of Operation Dying Ember.
A Russia-linked threat actor known as APT28 is alleged to have used the botnet, MooBot, to launch covert cyberattacks and install custom malware for follow-on exploitation. APT28, which is linked to Russia's Main Directorate of the General Staff (GRU), is known to have been active since at least 2007.
According to the authorities, APT28 actors "used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools" [PDF].
The adversary has used EdgeRouters since 2022 in attacks aimed at the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.
APT28 relies on MooBot, which compromises routers that use default or weak OpenSSH credentials, to deploy bash scripts and other ELF binaries for collecting credentials, proxying network traffic, hosting phishing pages, and running other tooling.
This includes Python scripts that upload the account credentials of specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.
APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a newly patched critical privilege escalation flaw that could enable the theft of NT LAN Manager (NTLM) hashes and allow a relay attack to be mounted without any user interaction.
Another tool in its malware arsenal is MASEPIE, a malicious script that uses compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.
According to the agencies, APT28 actors have unrestricted access to the routers' Linux-based operating systems, allowing them to install tooling and conceal their identity while conducting malicious campaigns.
Organizations are advised to perform a hardware factory reset on their routers to remove malicious files, update them to the latest firmware version, change default credentials, and implement firewall rules to prevent remote management services from being exposed.
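As an added illustration of the hardening checks above (example code, not part of the advisory), the script below parses an EdgeOS-style config.boot and flags two of the conditions the mitigations target: the factory `ubnt` account still present, and a WAN interface whose router-bound (`local`) traffic is not filtered by a default-drop firewall ruleset, which leaves remote management reachable from the Internet. The config key names follow the Vyatta-derived EdgeOS syntax as assumed here, and the sample configuration is constructed.

```python
# Added example, not from the advisory: audit an EdgeOS-style config.boot. Key names
# follow the Vyatta-derived EdgeOS syntax as assumed here; the sample is constructed.
SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""

def parse_config(text):
    """Parse the brace-nested config into dicts; leaves map key -> value."""
    stack = [{}]
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):          # open node, e.g. "ethernet eth0 {"
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line:                      # leaf, e.g. "default-action drop"
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def audit(cfg, wan_ifaces=("eth0",)):
    """Return findings; empty list = 'ubnt' removed and every WAN port filtered."""
    findings = []
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("factory default account 'ubnt' still present")
    rulesets = cfg.get("firewall", {})
    for name in wan_ifaces:
        iface = cfg.get("interfaces", {}).get(f"ethernet {name}", {})
        rs = iface.get("firewall", {}).get("local", {}).get("name")
        if rs is None:
            findings.append(f"{name}: no 'local' ruleset, management exposed to WAN")
        elif rulesets.get(f"name {rs}", {}).get("default-action") != "drop":
            findings.append(f"{name}: ruleset {rs} does not drop by default")
    return findings
```

Note that the sample defines a `WAN_LOCAL` ruleset but never attaches it to `eth0`, a common misconfiguration that the check reports as exposure.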
The disclosure comes as nation-state hackers increasingly turn to routers as a launchpad for attacks, using them to build botnets such as VPNFilter, Cyclops Blink, and KV-botnet to carry out their malicious operations.
In a separate press release, the Five Eyes agencies also called out APT29, the threat group linked to Russia's Foreign Intelligence Service (SVR) and responsible for the attacks on SolarWinds, Microsoft, and HPE, for using service accounts and dormant accounts to access cloud environments at target organizations.