In a new joint advisory, cybersecurity and intelligence agencies from the United States and other countries urge Ubiquiti EdgeRouter users to take protective measures, weeks after a botnet comprising infected routers was taken down by law enforcement as part of an operation called Dying Ember.
The botnet, called MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and deploy customized malware for follow-on exploitation. APT28, affiliated with the Main Directorate of the Russian General Staff (GRU), is known to have been active since at least 2007.
The APT28 perpetrators “used globally compromised EdgeRouters to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” authorities said [PDF].
Adversary use of EdgeRouters dates back to 2022, with attacks targeting the aerospace and defense, education, energy and utilities, government, hospitality, manufacturing, oil and gas, retail, technology and transportation sectors in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates and the United States.
MooBot attacks target routers with default or weak credentials to deploy OpenSSH trojans; APT28 then uses this access to deliver bash scripts and other ELF binaries that harvest credentials, proxy network traffic, host phishing pages, and run other tools.
This includes Python scripts to upload account credentials belonging to specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.
APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a critical privilege escalation flaw, since fixed, in Microsoft Outlook that could allow NT LAN Manager (NTLM) hash theft and enable a relay attack without requiring any user interaction.
Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines, which uses compromised Ubiquiti EdgeRouters as its command-and-control (C2) infrastructure.
“With root access to compromised Ubiquiti EdgeRouters, APT28 authors have unrestricted access to Linux-based operating systems to install tools and obfuscate their identities while conducting malicious campaigns,” the agencies noted.
It is recommended that organizations perform a factory reset of router hardware to delete malicious files from file systems, update to the latest firmware version, change default credentials, and implement firewall rules to prevent exposure of remote management services.
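As an added example that is not part of the advisory or this article, the following Python script checks a simplified EdgeOS-style configuration dump for two of the gaps the recommendations above address: a leftover default account, and a management service reachable on an interface with no local firewall policy in front of the router. The configuration syntax, the `ubnt` default login name and the sample configuration are assumptions.

```python
# Constructed sample; the EdgeOS-like syntax and the 'ubnt' default login are assumptions.
SAMPLE_CONFIG = """\
interfaces {
    ethernet eth0 {
    }
    ethernet eth1 {
        firewall {
            local {
                name LAN_LOCAL
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
        }
    }
}
"""

def parse_block(it):
    """Brace parser over an iterator of lines: 'key {' nests, 'key value' is a leaf."""
    node = {}
    for line in it:
        line = line.strip()
        if line == "}":
            break
        if line.endswith("{"):
            node[line[:-1].strip()] = parse_block(it)
        elif line:
            key, _, val = line.partition(" ")
            node[key] = val
    return node

def audit(config_text):
    """Flag a leftover default login and interfaces exposing ssh/gui with no 'local' policy."""
    cfg = parse_block(iter(config_text.splitlines()))
    findings = []
    if "user ubnt" in cfg.get("system", {}).get("login", {}):  # assumed factory default
        findings.append("default-account-present")
    mgmt = [s for s in ("ssh", "gui") if s in cfg.get("service", {})]
    for key, iface in cfg.get("interfaces", {}).items():
        if mgmt and "local" not in iface.get("firewall", {}):
            findings.append(f"management-exposed:{key.split()[-1]}")
    return findings
```

In the sample, eth1 carries a local firewall policy and is not reported, while eth0 (the uplink) is, together with the untouched default account.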
The revelations are a sign that nation-state hackers are increasingly using routers as a launchpad for attacks, building botnets such as VPNFilter, Cyclops Blink and KV-botnet out of them to conduct their malicious activities.
The bulletin comes a day after the Five Eyes nations denounced APT29 – the threat group affiliated with Russia’s Foreign Intelligence Service (SVR) and the entity behind the attacks on SolarWinds, Microsoft and HPE – for using service accounts and dormant accounts to access the cloud environments of the target organizations.