
Russian Hackers Target Ubiquiti Routers to Steal Data and Build Botnets

Russian hackers, affiliated with Russia’s Main Intelligence Directorate of the General Staff, have been identified as using compromised Ubiquiti EdgeRouters to establish extensive botnets, steal credentials, gather NTLMv2 digests, and act as proxies for malicious cyber activities.

Recently, a joint Cybersecurity Advisory was issued by the FBI, NSA, US Cyber Command, and international partners to warn against Russian state-sponsored cyber actors employing compromised Ubiquiti EdgeRouters for their nefarious operations. These hackers have utilized compromised routers to create spoofed landing pages and deploy post-exploitation tools as part of their cyber campaigns.

According to the advisory document (PDF), the Russia-backed APT28 actors, known as Fancy Bear, have been utilizing compromised Ubiquiti EdgeRouters since 2022 to carry out covert cyber operations across various sectors, including Aerospace & Defense, Education, Energy & Utilities, among others. Countries such as the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, and the US have been identified as key targets of these malicious activities.

In one instance in 2023, APT28 actors used Python scripts to harvest webmail user credentials, which were then sent to compromised Ubiquiti routers by way of cross-site scripting and browser-in-the-browser spear-phishing tactics. Additionally, they exploited CVE-2023-23397, a Microsoft Outlook zero-day that had since been patched, to implant tools such as Impacket's ntlmrelayx.py and Responder on compromised routers, enabling NTLM relay attacks and the hosting of rogue authentication servers.

Microsoft's Threat Protection Intelligence team discovered that a vulnerability in Outlook allowed attackers to steal Net-NTLMv2 hashes and gain access to user accounts. This vulnerability had previously been exploited by Forest Blizzard, a group suspected of having ties to the Russian military intelligence agency.

The FBI has identified indicators of compromise for the Mirai-based Moobot OpenSSH trojan and detected APT28 activity on EdgeRouters. APT28 actors have exploited vulnerabilities in OpenSSH server processes to deploy Python scripts for the theft and validation of stolen webmail account credentials. Moreover, they have leveraged iptables rules on EdgeRouters to establish reverse proxy connections and uploaded adversary-controlled SSH RSA keys to compromised routers. The use of MASEPIE, a Python backdoor capable of executing arbitrary commands on victim systems, has also been observed.

Further investigation revealed that APT28 utilized compromised Ubiquiti EdgeRouters as Command-and-Control (C2) infrastructure for deploying MASEPIE backdoors on targets. The data transmitted to and from the routers was encrypted using a randomly generated 16-character AES key.

To address compromised EdgeRouters, the FBI recommends performing a hardware factory reset, updating to the latest firmware, changing default credentials, and implementing strategic firewall rules on WAN-side interfaces. Additionally, network owners are advised to keep their systems up-to-date and apply the necessary patches, including the one for CVE-2023-23397 in Microsoft Outlook. Mitigation strategies for NTLM relay attacks include disabling NTLM or enabling server signing and Extended Protection for Authentication configurations.
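As an added defender-side check (example code written for this article, not taken from the advisory or from Ubiquiti), the script below parses `iptables-save` output and an `authorized_keys` file from an EdgeRouter and flags the two artefacts described above: rules that redirect or admit traffic on the WAN interface, and SSH keys the operator did not install. The interface name `eth0`, the sample rules and the key blobs are constructed; adjust the approved-key set and WAN interface to the device being checked.

```python
import re
# Constructed sample of `iptables-save` output (not captured from a real device).
IPTABLES_SAVE = """\
*nat
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.5:8443
COMMIT
*filter
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
# Constructed authorized_keys content; the key blobs are fake placeholders.
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EFAKEADMINKEY== admin@corp
ssh-rsa AAAAB3NzaC1yc2EFAKEUNKNOWNKEY== user@unknown-host
"""
APPROVED_KEYS = {"AAAAB3NzaC1yc2EFAKEADMINKEY=="}  # blobs the operator installed
WAN_IFACES = {"eth0"}                             # assumed WAN interface name
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*?) -j (?P<target>\S+)")
IFACE_RE = re.compile(r"-i (\S+)")
DPORT_RE = re.compile(r"--dport (\S+)")

def audit_iptables(dump, wan_ifaces):
    """Flag rules that redirect WAN traffic (reverse-proxy style) or accept inbound WAN connections."""
    findings = []
    for line in map(str.strip, dump.splitlines()):
        m = RULE_RE.match(line)
        if not m:
            continue  # table headers, COMMIT, blank lines
        iface = IFACE_RE.search(m["body"])
        if not iface or iface.group(1) not in wan_ifaces:
            continue  # only rules matching an inbound WAN interface are of interest
        if m["chain"] == "PREROUTING" and m["target"] in {"DNAT", "REDIRECT"}:
            findings.append(f"WAN traffic redirected: {line}")
        elif m["chain"] == "INPUT" and m["target"] == "ACCEPT":
            port = DPORT_RE.search(m["body"])
            findings.append(f"WAN-side service exposed on port {port.group(1) if port else '*'}: {line}")
    return findings

def audit_authorized_keys(text, approved_blobs):
    """Return 'keytype comment' for every key whose blob is not in the approved set."""
    unknown = []
    for line in text.splitlines():
        tokens = line.split()
        # Key type may be preceded by options such as no-pty or command="..."
        idx = next((i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # blank, comment, or malformed line
        if tokens[idx + 1] not in approved_blobs:
            comment = tokens[idx + 2] if len(tokens) > idx + 2 else "<no comment>"
            unknown.append(f"{tokens[idx]} {comment}")
    return unknown
```

Run the two functions over the real outputs of `iptables-save` and `cat ~/.ssh/authorized_keys` on the router; any finding warrants the factory reset and key rotation the FBI recommends rather than a spot fix.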

In light of these developments, industry experts emphasize the criticality of patching vulnerabilities and maintaining up-to-date systems. John Bambenek, President at Bambenek Consulting, highlighted the significance of automatic updates in enhancing cybersecurity across various technical environments, underscoring the need for manufacturers to address the vulnerabilities present in IoT, embedded devices, and network infrastructure.

In summary, the utilization of compromised Ubiquiti EdgeRouters by Russian hackers for malicious cyber operations underscores the persistent threat posed by state-sponsored cyber actors and the importance of robust cybersecurity measures to safeguard against such incursions. The collaborative efforts of government agencies and cybersecurity professionals are crucial in detecting, mitigating, and preventing cyber threats that target critical infrastructure and industries.
