In a new joint advisory, law enforcement authorities from the U.S. and other countries are urging users of Ubiquiti EdgeRouters to take a number of measures to protect their devices against attacks by Russian threat actors, such as performing a hardware factory reset, upgrading to the latest firmware version and changing default credentials.
The advisory comes two weeks after the U.S. government announced that in January it had disrupted a botnet that was being used by Russia's GRU Military Unit 26165, also known as APT28. Law enforcement was able to neutralize the malware network made up of hundreds of Ubiquiti routers - but despite this disruption, the FBI this week said that device owners should still take remediation steps to prevent similar compromises. The agency on Tuesday released IoCs and highlighted TTPs for APT28 and for the malware associated with the botnet, in its advisory in coordination with the NSA, US Cyber Command, and international partners from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom.
“This advisory provides observed tactics, techniques, and procedures, indicators of compromise, and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters,” according to the FBI in a Tuesday update. “Given the global popularity of EdgeRouters, the FBI and its international partners urge EdgeRouter network defenders and users to apply immediately the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents associated with APT28 activity.”
According to the FBI, threat actors used compromised EdgeRouters as early as 2022 in order to target critical infrastructure sectors, including aerospace and defense, governments, hospitality and manufacturing, in countries including the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the U.S. Threat actors used default credentials and trojanized OpenSSH server processes in order to access the routers, which they then leveraged to collect credentials, proxy network traffic, and host malicious landing pages. They also leveraged various custom post-exploitation tools, including a Python backdoor called MASEPIE that was capable of executing arbitrary commands on victim machines.
“For example, in early 2023, APT28 actors authored custom Python scripts to collect account credentials for specifically targeted webmail users," according to the FBI. "APT28 actors uploaded these custom Python scripts to a subset of compromised Ubiquiti routers to validate stolen webmail account credentials collected via cross-site scripting and browser-in-the-browser spear-phishing campaigns."
In their attacks, the threat actors also exploited zero-day vulnerabilities, including a critical elevation-of-privilege flaw in Microsoft Outlook on Windows (CVE-2023-23397). That bug lets a crafted message force Outlook to authenticate to an attacker-controlled host without user interaction, and APT28 used it to collect NTLMv2 digests from targeted Outlook accounts. As part of these attacks the actors also installed publicly available tools - such as Impacket's ntlmrelayx.py - on the compromised routers to carry out NTLM relay attacks and to host malicious NTLMv2 authentication servers.
“In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” according to the FBI.
As the U.S. government initially outlined in its disruption announcement, one unusual aspect of this botnet is that it was built on the Mirai-based Moobot malware, which is associated with a cybercriminal group rather than with the GRU. Previous Russian-operated malware networks that U.S. law enforcement has disrupted had instead been built from scratch by the GRU, the Justice Department said.
The FBI is urging potentially targeted organizations to change their Ubiquiti passwords, since many EdgeRouters ship with default credentials and limited or no firewall protections, and the attackers leveraged those default credentials to access the routers.
Additionally, “all network owners should keep their operating systems, software, and firmware up to date,” according to the FBI. “Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. For CVE-2023-23397, updating Microsoft Outlook mitigates the vulnerability. To mitigate other forms of NTLM relay, all network owners should consider disabling NTLM when feasible, or enabling server signing and Extended Protection for Authentication configurations.”
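The NTLM recommendations in that last paragraph map onto a handful of Group Policy settings that are stored in well-known registry locations. The following read-only audit script is an added example written for this page; it is not part of the FBI advisory or of Ubiquiti's or Microsoft's tooling. The "Expected" values are this example's own hardened baseline (an assumption, not text from the advisory), and the "Default" values are what Windows uses when a policy is not configured. It does not cover per-service Extended Protection settings (IIS, Exchange, ADFS), which must be checked in each service's own configuration.

```powershell
# Added example, not from the advisory: audit NTLM relay mitigations on a
# Windows host. Read-only; run in an elevated PowerShell session.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. policy not configured.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-NtlmRelayMitigations {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # Expected = this example's hardened baseline (assumption); Default = value
    # Windows applies when the policy is not set.
    $checks = @(
        [pscustomobject]@{ Setting='Restrict outgoing NTLM to remote servers (2 = deny all)'; Path=$msv;  Name='RestrictSendingNTLMTraffic';   Expected=2; Default=0; DcOnly=$false },
        [pscustomobject]@{ Setting='Restrict incoming NTLM (2 = deny all)';                   Path=$msv;  Name='RestrictReceivingNTLMTraffic'; Expected=2; Default=0; DcOnly=$false },
        [pscustomobject]@{ Setting='LmCompatibilityLevel (5 = NTLMv2 only, refuse LM/NTLM)';  Path=$lsa;  Name='LmCompatibilityLevel';         Expected=5; Default=3; DcOnly=$false },
        [pscustomobject]@{ Setting='SMB server: require signing';                             Path=$srv;  Name='RequireSecuritySignature';     Expected=1; Default=0; DcOnly=$false },
        [pscustomobject]@{ Setting='SMB client: require signing';                             Path=$wks;  Name='RequireSecuritySignature';     Expected=1; Default=0; DcOnly=$false },
        [pscustomobject]@{ Setting='Extended Protection not suppressed (0 = EPA on)';         Path=$lsa;  Name='SuppressExtendedProtection';   Expected=0; Default=0; DcOnly=$false },
        [pscustomobject]@{ Setting='LDAP server signing required (2 = require)';              Path=$ntds; Name='LDAPServerIntegrity';          Expected=2; Default=1; DcOnly=$true  },
        [pscustomobject]@{ Setting='LDAP channel binding enforced (2 = always)';              Path=$ntds; Name='LdapEnforceChannelBinding';    Expected=2; Default=0; DcOnly=$true  }
    )

    foreach ($c in $checks) {
        # NTDS keys only exist on domain controllers; skip those checks elsewhere.
        if ($c.DcOnly -and -not (Test-Path -Path $ntds)) { continue }

        $actual    = Get-RegDword -Path $c.Path -Name $c.Name
        $effective = if ($null -eq $actual) { $c.Default } else { $actual }

        [pscustomobject]@{
            Setting   = $c.Setting
            Effective = $effective
            Expected  = $c.Expected
            Source    = if ($null -eq $actual) { 'default (not configured)' } else { 'registry' }
            Status    = if ($effective -eq $c.Expected) { 'OK' } else { 'WEAK' }
        }
    }
}

Test-NtlmRelayMitigations | Format-Table -AutoSize
```

Any row reporting WEAK is a setting the quoted guidance asks you to tighten; in particular, RestrictSendingNTLMTraffic at 0 means an Outlook client hit with a CVE-2023-23397-style lure will happily send its NTLMv2 response to whatever host the attacker names, patched or not for other NTLM-leak vectors. Roll the restrictive values out in audit mode (value 1) first, review the NTLM audit events, then move to deny.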