Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations

Russian cyberspies are compromising Ubiquiti EdgeRouters to evade detection, warns a joint advisory published by authorities.

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners released a joint Cybersecurity Advisory (CSA) to warn that Russia-linked threat actors are using compromised Ubiquiti EdgeRouters (EdgeRouters) to evade detection in cyber operations worldwide.

The US agencies and international partners (peers from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom) observed multiple Russia-linked threat actors (the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium)) using a botnet of compromised EdgeRouters devices, named Moobot, worldwide to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools.

“As early as 2022, APT28 actors had utilized compromised EdgeRouters to facilitate covert cyber operations against governments, militaries, and organizations around the world.” reads the joint report. “These operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. Targeted countries include Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the US[1][2]. Additionally, the actors have strategically targeted many individuals in Ukraine.”

In February 2024, a court order allowed US authorities to neutralize the Moobot botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28.

The Russian state-sponsored hackers used the botnet to carry out a broad range of attacks.

“A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT28, Sofacy GroupForest BlizzardPawn StormFancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.” reads the press release published by DoJ. “These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type has been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.”

The Moobot botnet was composed of hundreds of compromised Ubiquiti Edge OS routers, it was initially created by a known cyber criminal group and later controlled by the Russia-linked APT group.

The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021, in November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the webserver of several Hikvision products. Since September 2022, Moobot botnet was spotted targeting vulnerable D-Link routers.

In April 2023, FortiGuard Labs researchers observed a hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities to spread ShellBot and Moobot malware.

The court order allowed authorities to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. The US government operation blocked access to the routers by Russian cyberspies. The operation reversibly modified the routers’ firewall rules to block remote management access to the devices.

Researchers observed the MooBot botnet targeting routers with default or weak credentials to deploy OpenSSH trojans. Attackers replaced binaries on compromised EdgeRouters with trojanized OpenSSH server binaries allowing remote attackers to bypass authentication.

APT28 group deployed Python scripts on compromised EdgeRouters to collect and validate stolen webmail account credentials. The webmail account credentials were collected via cross-site scripting and browser-in-the-browser spear-phishing campaigns.

APT28 was also observed exploiting the critical privilege escalation vulnerability CVE-2023-23397 (CVSS score: 9.8) in Microsoft Outlook, which could allow an attacker to steal NT LAN Manager (NTLM) hashes and mount a relay attack without requiring any user interaction.

“Additionally, an FBI investigation revealed that as early as 2022, APT28 actors had exploited CVE2023-23397, a zero-day vulnerability at the time, to collect NTLMv2 digests from targeted Outlook accounts [T1203]. Per a Microsoft blog post[3] published in March 2023, CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook on Windows wherein Net-NTLMv2 hashes are leaked to actor-controlled infrastructure [T1119, T1020].” continues the report.

In December 2023, the Russia-linked APT28 developed a compact Python backdoor dubbed MASEPIE that allows operators to execute arbitrary commands on compromised machines. APT28 had utilized compromised Ubiquiti EdgeRouters as a command-and-control infrastructure for MASEPIE backdoors. Communication to and from the EdgeRouters involved encryption using a randomly generated 16-character AES key. It’s essential to emphasize that APT28 doesn’t install MASEPIE directly on EdgeRouters but instead deploys it on systems associated with the targeted individuals and organizations.

“In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns.” concludes the report.

Below are some of the mitigations provided by the report, the government experts pointed out that rebooting a compromised EdgeRouter will not remove the malware:

  • Perform a hardware factory reset to flush file systems of malicious files.
  • Upgrade to the latest firmware version.
  • Change any default usernames and passwords.
  • Implement strategic firewall rules on WAN-side interfaces to prevent the unwanted exposure of remote management services.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Ubiquiti EdgeRouters)