APT28 Uses Compromised Ubiquiti EdgeRouters in Global Cyber Operations

February 28, 2024

APT28, a Russia-linked threat actor, has been using compromised Ubiquiti EdgeRouters to carry out covert cyber operations globally, according to a joint Cybersecurity Advisory (CSA) released by the FBI, NSA, US Cyber Command, and international partners. The advisory notes that the threat actors have been using a botnet of compromised EdgeRouters, known as Moobot, to harvest credentials, proxy network traffic, and host spear-phishing landing pages and custom tools. The report stated, “As early as 2022, APT28 actors had utilized compromised EdgeRouters to facilitate covert cyber operations against governments, militaries, and organizations around the world.” The attacks have targeted a range of industries and countries, with a particular focus on Ukraine.

In February 2024, US authorities were able to neutralize the Moobot botnet, then under APT28's control, following a court order. The botnet had been used by the Russian hackers to execute a wide range of attacks. The DoJ press release stated, “A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.” The crimes included large-scale spear-phishing and credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments, military, security, and corporate organizations.

The Moobot botnet, which was composed of hundreds of compromised Ubiquiti EdgeOS routers, was originally created by a known cybercriminal group and later controlled by the Russia-linked APT group. It was first documented by Palo Alto Unit 42 researchers in February 2021. In November 2021 the botnet was found to be exploiting a critical command injection flaw (CVE-2021-36260) in several Hikvision products, and from September 2022 it was observed targeting vulnerable D-Link routers. In April 2023, FortiGuard Labs researchers observed a hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities to spread ShellBot and Moobot malware.

The court order allowed authorities to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers, effectively blocking Russian cyberspies' access to the routers. The operation modified the routers’ firewall rules to block remote management access to the devices. The Moobot botnet was observed targeting routers with default or weak credentials to deploy OpenSSH trojans. The APT28 group deployed Python scripts on compromised EdgeRouters to collect and validate stolen webmail account credentials. The group also exploited a critical privilege escalation vulnerability (CVE-2023-23397) in Microsoft Outlook, which could allow an attacker to steal NT LAN Manager (NTLM) hashes and mount a relay attack without requiring any user interaction.
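The two exposure conditions described above (management services reachable from the WAN, and routers still carrying default credentials) can be checked offline against a configuration export before a device is ever put on the internet. The script below is an added example, not code from the advisory, the FBI or Ubiquiti. It assumes the Vyatta-style brace layout of an EdgeOS `config.boot` export, that `ubnt` is the factory-default administrative account, that `listen-address` under `service ssh` / `service gui` restricts where those services bind, and that `eth0` is the WAN-facing interface; the two configuration fixtures are constructed for illustration and do not come from any real device.

```python
"""Audit an EdgeOS configuration export for the exposure conditions the
advisory's mitigations address: a default account still present and
management services reachable from the WAN side.  Added example; the
config layout, the 'ubnt' default account and the 'listen-address'
option are assumptions about EdgeOS, not facts taken from the advisory."""

# Constructed fixture: a weak-posture export (no WAN 'firewall local'
# ruleset, ssh/gui bound everywhere, factory account still present).
SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""

# Constructed fixture: the same router after remediation (WAN_LOCAL
# attached to eth0, management bound to the LAN address, default
# account replaced).
HARDENED_CONFIG = """\
interfaces {
    ethernet eth0 {
        address dhcp
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
service {
    gui {
        https-port 443
        listen-address 192.168.1.1
    }
    ssh {
        listen-address 192.168.1.1
        port 22
    }
}
system {
    login {
        user netadmin {
            level admin
        }
    }
}
"""

DEFAULT_ACCOUNT = "ubnt"  # assumption: factory-default EdgeOS admin user


def parse_config(text):
    """Parse brace-delimited config text into nested dicts.

    A line ending in '{' opens a node keyed by the words before the brace
    (e.g. 'ethernet eth0'); '}' closes it; any other line is a leaf
    'key value' pair.  Comment lines ('/* ... */') are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def audit(config, wan_interfaces=("eth0",)):
    """Return a list of human-readable findings; empty means no exposure."""
    findings = []
    users = config.get("system", {}).get("login", {})
    if f"user {DEFAULT_ACCOUNT}" in users:
        findings.append(f"default account '{DEFAULT_ACCOUNT}' still present")
    services = config.get("service", {})
    for svc in ("ssh", "gui"):
        if svc in services and "listen-address" not in services[svc]:
            findings.append(f"service {svc} has no listen-address (binds on WAN too)")
    for iface in wan_interfaces:
        node = config.get("interfaces", {}).get(f"ethernet {iface}", {})
        if "local" not in node.get("firewall", {}):
            findings.append(f"{iface} has no 'firewall local' ruleset: "
                            "router-bound WAN traffic is unfiltered")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(parse_config(cfg)) or ['no findings']}")
```

Run it against a real export by reading the file into `parse_config` instead of the fixtures; the WAN interface list is a parameter because many deployments use a different port or a PPPoE sub-interface. Since rebooting does not clear the implant, a clean audit result is a statement about exposure, not about whether the device was already compromised.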

In December 2023, APT28 developed a compact Python backdoor dubbed MASEPIE that allows operators to execute arbitrary commands on compromised machines. APT28 used compromised Ubiquiti EdgeRouters as command-and-control infrastructure for MASEPIE backdoors. The communication to and from the EdgeRouters involved encryption using a randomly generated 16-character AES key. However, it’s important to note that APT28 didn’t install MASEPIE directly on EdgeRouters but deployed it on systems associated with the targeted individuals and organizations. The report concluded, “In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns.” The report also provided some mitigation strategies, emphasizing that rebooting a compromised EdgeRouter will not remove the malware.
