FBI: Russian hackers are using these routers as part of their covert cyber attacks


Russia’s state-backed hackers are using compromised routers to carry out their covert cyber attacks against governments and organizations worldwide.

This warning, issued jointly by the FBI, NSA and US Cyber Command, said that the group linked with Russian military intelligence, known to security companies as APT28 or Fancy Bear, has used compromised EdgeRouters to steal credentials and to host spear-phishing landing pages and custom tools.

The agencies have provided advice for owners of these routers on how to better protect their devices. The US Department of Justice and its partners recently disrupted a botnet made up of these routers that was linked to Russia’s foreign military intelligence agency, the GRU.

In that instance, the Justice Department disrupted the botnet by modifying the firewall rules on compromised routers to block remote management access to the devices.

But the new advisory said owners of these devices still need to take action to make sure the attackers cannot rebuild their network of compromised devices.

The agencies warned that Ubiquiti EdgeRouters have a user-friendly, Linux-based operating system that makes them popular with consumers, and with potential attackers.

It added that EdgeRouters are often shipped with default credentials and limited-to-no firewall protections to accommodate wireless internet service providers, and do not automatically update firmware unless a consumer configures them to do so.

Ubiquiti EdgeRouters have been targeted en masse

The advisory said that, as early as 2022, APT28 hackers had used compromised EdgeRouters to support their operations against governments, militaries, and organizations around the world. They’ve targeted various industries, including aerospace and defense, energy and utilities, transport, and more across many countries.

The APT28 hackers accessed EdgeRouters that had already been compromised by Moobot, a botnet that installs OpenSSH trojans on compromised hardware. They then used the routers as part of their operations, for example to collect credentials, proxy network traffic, and host spoofed landing pages and custom post-exploitation tools.

For example, in early 2023 these attackers wrote Python scripts to collect account credentials from targeted webmail users. They loaded the custom scripts onto some of the compromised Ubiquiti routers to validate stolen webmail account credentials collected via cross-site scripting and browser-in-the-browser spear-phishing campaigns.

Additionally, the hacking group has attempted to exploit CVE-2023-23397, a zero-day vulnerability at the time, to collect NTLMv2 digests from targeted Outlook accounts. The attackers could attempt to relay these for authentication against other systems that support NTLMv2 authentication, or perform offline cracking to extract the password.

To do this, threat actors installed tools on compromised Ubiquiti EdgeRouters to execute NTLM relay attacks and host rogue authentication servers.

“With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” the advisory warns.

What should I do if my router is compromised?

The FBI advisory warned that rebooting a compromised EdgeRouter will not remove the malware, if it is present. Instead, it recommends the following steps to remediate compromised EdgeRouters:

  • Perform a hardware factory reset to flush file systems of malicious files
  • Upgrade to the latest firmware version
  • Change any default usernames and passwords
  • Implement strategic firewall rules on WAN-side interfaces to prevent the unwanted exposure of remote management services

Beyond this, the FBI said all network owners should keep their operating systems, software, and firmware up to date. “Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cyber security threats,” it said.

In the longer term, it said, network owners should consider using only routers and other equipment built on secure-by-design principles, which eliminate default passwords and similar SOHO router defects.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.