May 1, 2024 at 05:09AM
APT & Targeted Attacks Summary
Cybercriminals and nation-state actors both exploit compromised routers for anonymization. The FBI disrupted a Pawn Storm botnet of Ubiquiti EdgeRouters that was being used for a range of malicious activity, but the botnet operator kept control of some bots after the takedown. Several distinct threat actors used backdoored SSH servers on the same EdgeRouters, which underlines why internet-facing routers need to be hardened and checked for compromise.
Key takeaways:
– Cybercriminals and nation-state actors both use compromised routers for anonymous internet activity, in some cases the same routers.
– Compromised routers are rented out to other criminals and may be used by commercial residential proxy providers as well.
– FBI and international partners disrupted an EdgeRouter botnet used by APT group Pawn Storm in January 2024.
– Recommendations for network defenders include securing routers and scanning for signs of compromise by nation-state threat actors and cybercriminals.
– Compromised infrastructure includes Ubiquiti EdgeRouters, Raspberry Pi devices, and datacenter VPS IP addresses.
– The malicious code used in the EdgeRouter botnet has evolved since at least 2016.
– Criminals use SSHDoor to gain persistent access and steal legitimate credentials from compromised routers.
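As an added example that is not code from the original report or from any vendor tool, the script below shows the kind of offline check a defender can run in the spirit of the recommendations above: it compares an installed sshd against the Debian package md5sums manifest (assuming a Debian-based EdgeOS image), flags sshd sockets bound to addresses outside the LAN set, and lists authorized_keys entries whose fingerprints are not on an allow-list. All inputs are constructed sample data; the paths, addresses, process names and key blobs are placeholders, not indicators from the report.

```python
import base64
import hashlib
import re

# --- Constructed sample data (stands in for real router state) -----------

# Bytes standing in for /usr/sbin/sshd: one copy as packaged, one replaced
# by a backdoored build. Both are placeholders, not real binaries.
PACKAGED_SSHD = b"packaged sshd binary (constructed)"
TAMPERED_SSHD = b"backdoored sshd binary (constructed)"

# Debian records an md5 for every packaged file in
# /var/lib/dpkg/info/<pkg>.md5sums. This manifest is derived from the
# constructed bytes above so the comparison below is meaningful.
MANIFEST = (
    f"{hashlib.md5(PACKAGED_SSHD).hexdigest()}  usr/sbin/sshd\n"
    f"{hashlib.md5(b'sftp (constructed)').hexdigest()}  usr/lib/openssh/sftp-server\n"
)

# Constructed `ss -lntp` output. sshd bound to 0.0.0.0 on a router is
# reachable from the WAN side unless the firewall blocks it.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=814,fd=3))
LISTEN 0      128    192.168.1.1:443   0.0.0.0:*         users:(("lighttpd",pid=901,fd=5))
LISTEN 0      128    0.0.0.0:2222      0.0.0.0:*         users:(("sshd",pid=1502,fd=3))
"""


def _blob(seed: bytes) -> str:
    """Base64 placeholder for a public-key blob (constructed, not a real key)."""
    return base64.b64encode(seed).decode()


# Constructed authorized_keys file: one known operator key, one unknown key.
AUTHORIZED_KEYS = (
    f"ssh-ed25519 {_blob(b'ops key (constructed)')} ops@example\n"
    f"ssh-rsa {_blob(b'unknown key (constructed)')} noname\n"
)

LAN_ADDRESSES = {"192.168.1.1", "127.0.0.1"}  # assumed LAN/loopback binds

# --- Checks ---------------------------------------------------------------


def parse_md5sums(manifest: str) -> dict:
    """Map '/path' -> md5 hex digest from a dpkg md5sums file."""
    entries = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries["/" + path.strip()] = digest
    return entries


def modified_files(manifest: str, installed: dict) -> list:
    """Return paths whose installed bytes differ from the package manifest."""
    expected = parse_md5sums(manifest)
    return sorted(
        path for path, data in installed.items()
        if path in expected and hashlib.md5(data).hexdigest() != expected[path]
    )


_SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def wan_reachable_listeners(ss_output: str, lan_addresses: set) -> list:
    """Return (process, port) for listeners not bound to a LAN/loopback address."""
    found = []
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line)
        if m and m.group(1) not in lan_addresses:
            found.append((m.group(3), int(m.group(2))))
    return found


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (no '=' padding)."""
    raw = base64.b64decode(blob_b64)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def unknown_keys(authorized_keys: str, trusted_fingerprints: set) -> list:
    """Return fingerprints in authorized_keys that are not on the allow-list."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Skip any leading options (from=, command=, ...) to reach the key type.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        fp = fingerprint(parts[idx + 1])
        if fp not in trusted_fingerprints:
            unknown.append(fp)
    return unknown


if __name__ == "__main__":
    trusted = {fingerprint(_blob(b"ops key (constructed)"))}
    print("modified:", modified_files(MANIFEST, {"/usr/sbin/sshd": TAMPERED_SSHD}))
    print("exposed:", wan_reachable_listeners(SS_OUTPUT, LAN_ADDRESSES))
    print("unknown keys:", unknown_keys(AUTHORIZED_KEYS, trusted))
```

On a real device the three inputs come from reading `/usr/sbin/sshd`, the package's md5sums file, the output of `ss -lntp`, and each user's `authorized_keys`; a hash mismatch on sshd is the strongest of the three signals, since a backdoored SSH server is exactly what the report describes, while an all-interfaces bind only matters if the WAN firewall does not already drop inbound connections to the router itself.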