Russian state-backed hackers are using compromised routers to carry out covert cyberattacks against governments and organizations around the world.
This warning, issued by the FBI, NSA and US Cyber Command, said that the group linked to Russian military intelligence, known to security companies as APT28 or Fancy Bear, has used compromised EdgeRouters to harvest credentials and to host phishing landing pages and custom tools.
The agencies have provided advice to owners of these routers to better protect their devices. The US Department of Justice and others recently took down a botnet linked to Russia's foreign military intelligence (GRU) that consisted of these routers.
In that case, the Department of Justice disrupted the botnet by modifying the firewall rules on the compromised routers to block remote management access to the devices.
But the new advisory says that owners of these devices should still take steps to ensure that attackers cannot rebuild their network of compromised devices.
The agencies noted that Ubiquiti EdgeRouters run an easy-to-use, Linux-based operating system, which makes them popular with consumers and with attackers alike.
The advisory added that EdgeRouters often ship with default credentials and limited or no firewall protections to accommodate wireless Internet service providers, and that they do not automatically update their firmware unless a consumer configures them to do so.
Ubiquiti EdgeRouters have been attacked en masse
The notice said that as early as 2022, APT28 hackers had used compromised EdgeRouters to support their operations against governments, militaries, and organizations around the world. They have targeted various industries including aerospace and defense, energy and utilities, transportation and more in many countries.
APT28 hackers accessed EdgeRouters that had already been compromised by Moobot, a botnet that installs OpenSSH trojans on compromised hardware. They then used the routers in their own operations, for example to collect credentials, proxy network traffic, and host spoofed landing pages and custom post-exploitation tools.
For example, in early 2023, these attackers wrote Python scripts to harvest account credentials from specific webmail users. They loaded the custom scripts on some of the compromised Ubiquiti routers to validate stolen webmail account credentials collected through cross-site scripting and in-browser phishing campaigns.
Additionally, the hacking group attempted to exploit CVE-2023-23397, which was a zero-day vulnerability at the time, to collect NTLMv2 digests from specific Outlook accounts. Attackers could then relay those digests to authenticate against other systems that support NTLMv2 authentication, or attempt offline cracking to recover the password.
To do this, threat actors installed tools on compromised Ubiquiti EdgeRouters to execute NTLM relay attacks and host fraudulent authentication servers.
“With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unlimited access to Linux-based operating systems to install tools and obfuscate their identity while running malicious campaigns,” the advisory warns.
What should I do if my router is compromised?
The FBI advisory warned that rebooting a compromised EdgeRouter will not remove the malware, if it is present. Instead, it recommends the following steps to repair compromised EdgeRouters:
- Perform a hardware factory reset to remove malicious files from the file system.
- Update to the latest firmware version.
- Change default usernames and passwords.
- Implement strategic firewall rules on WAN-side interfaces to prevent unwanted exposure of remote management services.
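The last step, keeping management services off the WAN side, can be checked mechanically against a router's configuration. The following is an added example, not code from the advisory or from Ubiquiti: it parses an EdgeOS "show configuration" dump and reports whether the WAN interface (assumed here to be eth0) has a default-drop ruleset bound in the local direction and whether any accept rule opens a management port to arbitrary sources; the sample configurations are constructed.

```python
MGMT_PORTS = {"22", "80", "443"}   # ssh and web GUI ports an EdgeRouter listens on
def parse_edgeos(text):
    """Parse EdgeOS 'show configuration' brace syntax into nested dicts."""
    root, stack = {}, []
    node = root
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):                  # open a nested block
            child = node[line[:-1].strip()] = {}
            stack.append(node)
            node = child
        elif line == "}":                       # close it
            node = stack.pop()
        elif line:                              # leaf: 'key value'
            key, _, val = line.partition(" ")
            node[key] = val.strip('"')
    return root

def wan_mgmt_findings(cfg, wan="eth0"):        # assumption: eth0 faces the WAN
    """Return findings; an empty list means WAN-side management is blocked."""
    iface = cfg.get("interfaces", {}).get(f"ethernet {wan}", {})
    ruleset = iface.get("firewall", {}).get("local", {}).get("name")
    if ruleset is None:
        return [f"{wan}: no 'firewall local' ruleset bound"]
    rules = cfg.get("firewall", {}).get(f"name {ruleset}", {})
    findings = []
    if rules.get("default-action") != "drop":
        findings.append(f"{ruleset}: default-action is not drop")
    for key, rule in rules.items():             # accept rules opening mgmt ports to anyone
        if isinstance(rule, dict) and rule.get("action") == "accept" and "source" not in rule:
            ports = set(rule.get("destination", {}).get("port", "").split(","))
            if ports & MGMT_PORTS:
                findings.append(f"{ruleset} {key}: accepts a management port from any source")
    return findings

# Constructed sample config; %s is where the ruleset is bound to eth0's local direction.
TEMPLATE = """
firewall {
    name WAN_LOCAL {
        default-action drop
    }
}
interfaces {
    ethernet eth0 {
%s    }
}
"""
BINDING = "        firewall {\n            local {\n                name WAN_LOCAL\n            }\n        }\n"
HARDENED_CONFIG = TEMPLATE % BINDING
WEAK_CONFIG = TEMPLATE % ""   # ruleset defined but never attached: mgmt still reachable from WAN
```

Run it against a config exported with `show configuration` on the device; a non-empty findings list means the fourth remediation step is not yet complete.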
Beyond this, the FBI said all network owners should keep their operating systems, software and firmware up to date. “Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats,” the advisory said.
In the long term, the advisory said, network owners should consider using only routers and other equipment built on secure-by-design principles, which eliminate default passwords and the typical flaws of SOHO routers.