February 28, 2024 at 01:21AM
Cybersecurity agencies are warning Ubiquiti EdgeRouter users to take precautions against the MooBot botnet, tied to APT28 and used to conduct covert cyber operations globally. The advisory recommends resetting routers, updating firmware, changing default credentials, and implementing firewall rules. This highlights the increasing use of routers as launchpads for malicious activities.
Key Takeaways from the Meeting Notes:
1. A joint cybersecurity and intelligence advisory has urged users of Ubiquiti EdgeRouter devices to take protective measures, because a botnet named MooBot, associated with APT28, is being used to conduct covert cyber operations and deploy custom malware.
2. APT28 has been using compromised EdgeRouters globally since 2022 to target multiple sectors and countries, including aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation.
3. The attacks target routers with default or weak credentials and then deploy trojans and other tools to collect credentials, proxy network traffic, and host phishing pages; the tooling includes OpenSSH trojans and Python scripts that harvest credentials from webmail users.
4. APT28 has also exploited CVE-2023-23397, a critical privilege escalation flaw in Microsoft Outlook, and used a Python backdoor called MASEPIE to execute arbitrary commands on victim machines, with compromised Ubiquiti EdgeRouters serving as command-and-control infrastructure.
5. Recommendations for organizations include performing a hardware factory reset of the routers, upgrading to the latest firmware version, changing default credentials, and implementing firewall rules that keep remote management services from being exposed, in order to mitigate the risks associated with the disclosed threats.
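As an added illustration (not part of the advisory or of these notes), the EdgeOS CLI configuration below applies three of the recommended steps on an EdgeRouter: it replaces the factory `ubnt` account, binds the SSH and web GUI services to the LAN address only, and attaches a default-drop local firewall policy to the WAN interface. It assumes `eth0` is the WAN interface, `192.168.1.1` is the router's LAN address, and `netadmin` and `<strong-passphrase>` are placeholders.

```text
# EdgeOS CLI (Ubiquiti EdgeRouter). Added example; assumes eth0 = WAN,
# 192.168.1.1 = LAN address; 'netadmin' and the passphrase are placeholders.
# Weak state this replaces: factory account ubnt/ubnt, SSH and GUI listening
# on every interface, and no 'local' firewall policy on the WAN interface.
configure

# 1. Replace the default credentials: create a new admin, then remove 'ubnt'.
#    Log in as the new user before deleting the account you are using.
set system login user netadmin level admin
set system login user netadmin authentication plaintext-password '<strong-passphrase>'
delete system login user ubnt

# 2. Keep management services off the WAN: listen on the LAN address only.
set service ssh listen-address 192.168.1.1
set service gui listen-address 192.168.1.1

# 3. Default-drop policy for traffic addressed to the router itself from WAN;
#    only replies to connections the router initiated are allowed back in.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'Traffic from WAN to the router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
exit
```

After the commit, `show firewall name WAN_LOCAL statistics` and `show configuration commands | match listen-address` confirm that the policy is attached and the services are bound; the firmware upgrade (`add system image <image-url>`, with the URL taken from the vendor) and the factory reset are separate steps outside this configuration.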
The meeting notes highlight the increasing trend of nation-state hackers using routers as a launchpad for attacks and creating botnets for malicious activities.