February 28, 2024 at 07:45AM
The US government has urged organizations and consumers to clean up their Ubiquiti routers following the dismantling of a botnet utilized by a Russian cyberespionage group known as APT28. The group, also called Fancy Bear, had been using compromised routers for covert operations since 2022, targeting various organizations worldwide. The advisory provides indicators of compromise and mitigation recommendations.
The advisory provides a detailed account of the dismantling of a botnet of Ubiquiti routers used by a Russian advanced persistent threat (APT) actor for cyberespionage operations. The US government is urging organizations and consumers to clean up their devices in support of the disruption effort, since a takedown of the controlling infrastructure does not by itself remove the malware from routers that remain misconfigured.
APT28, also known as Fancy Bear, was found to have control over infected Ubiquiti EdgeRouters and used them for covert operations targeting organizations in Europe, the Middle East, and the US. Initial access came by way of the 'Moobot' botnet, whose operators logged in with default credentials and replaced the OpenSSH server on the routers with trojanized binaries; APT28 then used that root-level foothold on the compromised devices.
The threat actor was also observed exploiting an Outlook zero-day to collect credentials, using iptables rules to turn the routers into reverse proxies, and using EdgeRouters as command-and-control infrastructure for a Python backdoor called MasePie.
The advisory lists indicators of compromise (IoCs) along with mitigation recommendations: perform a hardware factory reset (a software reset may leave a compromised filesystem in place), upgrade to the latest firmware release, change the default credentials, and add firewall rules so that remote management services are not exposed to the internet.
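Two of the behaviours above, iptables rules that relay inbound traffic to an outside host and management ports left open to the WAN, can be checked from an `iptables-save` dump. The script below is an added example written for this page, not tooling from the advisory or from Ubiquiti: it assumes the EdgeOS convention of WAN-facing chains named `WAN_*` with `eth0` as the WAN interface, and runs against a constructed dump rather than a real router.

```python
"""Added triage check for a Linux-based router's iptables rules.

Example written for this page, not tooling from the advisory or from Ubiquiti.
It parses `iptables-save` output and flags two patterns the advisory describes:
NAT rules that bounce inbound traffic to an outside host (the reverse-proxy
pattern) and management ports accepted from the WAN with no source restriction.
Chain names starting with WAN_ and eth0 as the WAN interface are EdgeOS
conventions assumed here; the dump below is constructed. IPv4 only.
"""
import ipaddress

MGMT_PORTS = {"22", "23", "80", "443"}  # ssh, telnet, http, https

# Constructed iptables-save excerpt: one legitimate port-forward to the LAN,
# one relay to an outside host (203.0.113.77, an example address), and a
# WAN_LOCAL chain that opens SSH to the whole internet but restricts HTTPS.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4444 -j DNAT --to-destination 203.0.113.77:4444
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:WAN_LOCAL - [0:0]
-A INPUT -i eth0 -j WAN_LOCAL
-A WAN_LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
-A WAN_LOCAL -p tcp -m tcp --dport 22 -j ACCEPT
-A WAN_LOCAL -s 198.51.100.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A WAN_LOCAL -j DROP
COMMIT
"""

# Explicit RFC 1918 ranges: ipaddress.is_private also covers documentation
# space such as 203.0.113.0/24, which would hide the relay in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_text):
    """True for private IPv4 space; unparsable text is treated as not private."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_iptables_save(text):
    """Return (table, chain, option_tokens) for every -A line in the dump."""
    table, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = line.split()
            rules.append((table, toks[1], toks[2:]))
    return rules


def option(toks, flag):
    """Value following `flag`, or None. A negated match (`! flag x`) yields None."""
    for i, tok in enumerate(toks):
        if tok == flag and i + 1 < len(toks):
            return None if i > 0 and toks[i - 1] == "!" else toks[i + 1]
    return None


def find_reverse_proxy_rules(rules):
    """DNAT rules whose destination is outside RFC 1918 space: traffic hitting
    the router is being relayed to an outside host instead of the LAN."""
    hits = []
    for table, chain, toks in rules:
        if table == "nat" and option(toks, "-j") == "DNAT":
            dest = option(toks, "--to-destination") or ""
            ip = dest.split(":")[0].split("-")[0]  # strip :port and a-b ranges
            if ip and not is_rfc1918(ip):
                hits.append(" ".join(["-A", chain] + toks))
    return hits


def find_exposed_management(rules, wan_iface="eth0"):
    """ACCEPT rules for a management port that apply to WAN traffic (chain named
    WAN_* or matched on the WAN interface) and carry no positive -s restriction."""
    hits = []
    for table, chain, toks in rules:
        if table != "filter" or option(toks, "-j") != "ACCEPT":
            continue
        wan_facing = chain.startswith("WAN") or option(toks, "-i") == wan_iface
        if not wan_facing or option(toks, "--dport") not in MGMT_PORTS:
            continue
        if option(toks, "-s") in (None, "0.0.0.0/0"):
            hits.append(" ".join(["-A", chain] + toks))
    return hits


def triage(dump_text, wan_iface="eth0"):
    """Run both checks over a dump and return the offending rules by category."""
    rules = parse_iptables_save(dump_text)
    return {
        "relay_rules": find_reverse_proxy_rules(rules),
        "exposed_management": find_exposed_management(rules, wan_iface),
    }


if __name__ == "__main__":
    # On a live router: triage(subprocess.check_output(["iptables-save"], text=True))
    for kind, lines in triage(SAMPLE_DUMP).items():
        print(kind)
        for line in lines:
            print("   ", line)
```

A hit in `relay_rules` is worth investigating on any home or branch router, since there is rarely a legitimate reason to forward a port to an address outside the LAN; a hit in `exposed_management` is the exact condition the advisory's firewall recommendation addresses. Neither check proves compromise on its own, and a clean dump does not prove the absence of one: a trojanized OpenSSH binary leaves no trace in the firewall rules, which is why the advisory recommends a hardware factory reset rather than rule cleanup.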
Owners of affected devices are encouraged to take the recommended actions to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises.