
FBI Warns Ubiquiti EdgeRouters Hacked by Russian State Hackers

The FBI and partners from 10 other countries are urging owners of Ubiquiti EdgeRouters to check their gear for signs they've been hacked and are being used to conceal ongoing malicious operations by Russian state hackers.

The Ubiquiti EdgeRouters make an ideal hideout for hackers. The inexpensive gear, used in homes and small offices, runs a version of Linux that can host malware running surreptitiously in the background. The hackers then use the routers to conduct their malicious activities. Rather than originating from infrastructure and IP addresses known to be hostile, the connections come from benign-appearing devices on addresses with trustworthy reputations, allowing them to receive a green light from security defenses.

Unrestricted

FBI officials have warned that APT28, a group backed by the Russian General Staff Main Intelligence Directorate, known as the GRU, has been using compromised Ubiquiti EdgeRouters to conduct malicious campaigns. With root access to the compromised routers, the actors can install tooling and obfuscate their identity while performing their operations. The FBI has alleged that APT28 has been doing this for at least four years.

Earlier this month, the FBI revealed that it had quietly removed Russian malware from routers in US homes and businesses. The operation, which had prior court authorization, added firewall rules preventing APT28 from regaining control of the devices. However, the operation only removed the malware used by APT28 and temporarily blocked the group from using its infrastructure to reinfect them. The move did nothing to patch any vulnerabilities in the routers or to remove weak or default credentials that hackers could exploit to use the devices again to host their malware surreptitiously.

Owners of relevant devices are advised to take remedial actions to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises. These actions include performing a hardware factory reset to remove all malicious files, upgrading to the latest firmware version, changing any default usernames and passwords, and implementing firewall rules to restrict outside access to remote management services.
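Two of the remedial actions above, removing default credentials and keeping remote-management services off the WAN side, can be checked from a router's configuration before it is ever reconnected. The script below is an added example, not code from the advisory or from Ubiquiti: it parses an EdgeOS-style `config.boot` text (the brace-delimited Vyatta format EdgeRouters use) and reports a still-present factory `ubnt` account and any WAN-facing interface that exposes `ssh`, `gui` or `telnet` without a `firewall local` rule set attached. The configuration is constructed for the example, the hash value is a placeholder, and the "interface is WAN" heuristic (description mentions WAN, or the address is DHCP-assigned) is an assumption of this script.

```python
"""Audit an EdgeOS-style config.boot for two weaknesses named in the
remediation list: a surviving factory account and remote-management
services reachable from a WAN interface with no local firewall rule set.
Added example; the configuration below is constructed, not a real device's."""

# Constructed sample: a router left with its factory account, management
# services enabled, and no firewall rule set attached to the WAN interface.
SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password PLACEHOLDER_HASH
            }
            level admin
        }
    }
}
"""

# Factory default login on EdgeRouters; treat its presence as a finding.
DEFAULT_ACCOUNTS = {"ubnt"}
# Services whose listeners must not be reachable from the WAN side.
MANAGEMENT_SERVICES = ("ssh", "gui", "telnet")


def parse_config(text):
    """Turn the brace-delimited config into nested dicts.

    A line ending in '{' opens a node keyed by the words before the brace
    (e.g. 'ethernet eth0'); '}' closes it; any other line is a leaf whose
    first word is the key and the remainder the value."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value or True
    return root


def is_wan(iface):
    """Heuristic (assumption of this script): an interface described as WAN
    or configured for DHCP is the one facing the Internet."""
    desc = str(iface.get("description", "")).upper()
    return "WAN" in desc or iface.get("address") == "dhcp"


def audit(cfg):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    # 1. The factory account should have been replaced, not kept.
    for key in cfg.get("system", {}).get("login", {}):
        if key.startswith("user ") and key.split(" ", 1)[1] in DEFAULT_ACCOUNTS:
            findings.append(f"default account '{key.split(' ', 1)[1]}' is still configured")
    # 2. Management listeners on a WAN interface need a 'firewall local' set
    #    (e.g. WAN_LOCAL with default-action drop) attached to that interface.
    enabled = [s for s in MANAGEMENT_SERVICES if s in cfg.get("service", {})]
    for name, iface in cfg.get("interfaces", {}).items():
        if not isinstance(iface, dict) or not is_wan(iface) or not enabled:
            continue
        protected = "name" in iface.get("firewall", {}).get("local", {})
        if not protected:
            findings.append(f"{name}: {', '.join(enabled)} exposed with no local firewall rule set attached")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Attaching the existing `WAN_LOCAL` rule set to `eth0` (`firewall { local { name WAN_LOCAL } }` under the interface) and deleting the `ubnt` user clears both findings; the parser itself is intentionally minimal and does not validate values, only structure.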

APT28 has been using the infected routers since at least 2022 to facilitate covert operations against governments, militaries, and organizations around the world, including in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. The industries targeted include aerospace and defense, education, energy and utilities, hospitality, manufacturing, oil and gas, retail, technology, and transportation. APT28 has also targeted individuals in Ukraine.

The Russian hackers gained control of the devices after they had been infected with Moobot, botnet malware used by financially motivated threat actors not affiliated with the GRU. Those threat actors installed Moobot after exploiting publicly known default administrator credentials that the devices' owners had never changed. APT28 then used the Moobot malware to install custom scripts and malware that turned the botnet into a global cyber espionage platform.

Covert proxies

The notorious APT28 group has been found to use routers as a tool to execute cyberattacks against its targets. The group has used routers to collect credentials and proxy malicious traffic, as well as to host spoofed landing pages and custom post-exploitation malware. In a recent attack, the group created Python scripts to collect account credentials for webmail accounts of interest. The previous year, APT28 exploited CVE-2023-23397, a critical zero-day in Microsoft's Outlook email application, to harvest cryptographic hashes that gave access to user accounts. Although Microsoft released a patch, APT28 has continued exploiting the vulnerability against targets that have yet to install it. The group has been using publicly available tools such as Impacket's ntlmrelayx.py and Responder to execute attacks and host rogue authentication servers.
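The hash-harvesting described above depends on a victim host authenticating outward, typically over SMB, to a server the attacker controls; a perimeter that allows outbound SMB to arbitrary Internet hosts is what makes that work. The script below is an added example, not part of the article or of any vendor product: it scans firewall log lines for permitted outbound TCP connections to SMB ports (445, 139) whose destination is outside the organisation's internal ranges, which is the egress a defender would expect to see from such forced authentication. The log format and the addresses are constructed for the example; the Internet-side destinations use RFC 5737 documentation ranges, which is why internal ranges are listed explicitly instead of relying on `ipaddress.is_private` (which treats the documentation ranges as non-global).

```python
"""Flag permitted outbound SMB connections to non-internal destinations in
firewall logs. Added example; log lines and addresses are constructed."""
import ipaddress
import re

# Constructed sample logs in a generic key=value style. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_LOGS = """\
2024-02-27T10:01:02Z fw action=allow proto=tcp src=10.0.5.12 dst=10.0.1.20 dport=445
2024-02-27T10:01:09Z fw action=allow proto=tcp src=10.0.5.12 dst=203.0.113.45 dport=445
2024-02-27T10:01:15Z fw action=deny proto=tcp src=10.0.5.31 dst=198.51.100.7 dport=445
2024-02-27T10:02:40Z fw action=allow proto=tcp src=10.0.5.31 dst=198.51.100.9 dport=443
2024-02-27T10:03:01Z fw action=allow proto=tcp src=10.0.5.40 dst=198.51.100.12 dport=139
"""

# Ports used by SMB (and NetBIOS session service); outbound traffic to these
# from workstations should terminate inside the organisation.
SMB_PORTS = {445, 139}

# Ranges considered "inside". Listed explicitly (RFC 1918, loopback,
# link-local) so that the documentation ranges above count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Extract key=value fields; the first token is taken as the timestamp."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_external(ip):
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Return (timestamp, src, dst, dport) for each allowed outbound SMB
    connection whose destination is external. Denied connections are
    already blocked and are left out; they are a separate, lower-priority
    signal that something tried."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") != "allow" or f.get("proto") != "tcp":
            continue
        dport = int(f.get("dport", 0))
        if dport in SMB_PORTS and is_external(f["dst"]):
            hits.append((f["ts"], f["src"], f["dst"], dport))
    return hits


def sources_by_count(hits):
    """Group hits by internal source so the noisiest host surfaces first."""
    counts = {}
    for _, src, _, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ts, src, dst, port in find_smb_egress(SAMPLE_LOGS):
        print(f"{ts} outbound SMB from {src} to {dst}:{port}")
```

Any hit here is worth a look regardless of the Outlook bug in question: a workstation has no ordinary reason to open SMB sessions to Internet hosts, and blocking TCP/445 egress at the perimeter removes the channel entirely.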

Recently, authorities conducted a similar operation against a Chinese state group's commandeering of small office and home office routers, mainly Cisco and Netgear devices, that had reached the end of their life. A group backed by the Chinese government and tracked as Volt Typhoon used the routers to connect to the networks of US critical infrastructure organizations to establish covert posts that could be used in future cyberattacks.

Nation-state-backed groups have been using routers to obfuscate their attacks since at least 2018 when Cisco's Talos security group researchers detected more than 500,000 SOHO routers that APT28 had also compromised. The hacking group installed sophisticated malware, VPNFilter, to carry out various activities. Hundreds of router models from nearly a dozen manufacturers were affected.

VPNFilter not only worked as a covert proxy for connecting to targeted networks but also injected malicious payloads into traffic as it passed through an infected router and stole sensitive data between the devices and connected endpoints and the outside Internet. Furthermore, VPNFilter worked with a module that monitored traffic for data specific to certain industrial control systems, indicating that it wasn't used only against third-party targets to attack primary targets but also against the primary targets themselves.

In response to these attacks, the FBI seized a domain controlling the botnet of affected devices and encouraged router users everywhere to reboot their devices to remove the malware. However, unlike this year's actions against APT28 and Volt Typhoon, the FBI did not take any action to disinfect devices remotely.

These revelations show that routers remain a favorite hideout for nation-state hackers six years after VPNFilter was discovered. That awareness likely spurred officials to adopt the recent, more active approach of removing malware by remotely issuing commands to infected devices. End users need to take the threat seriously and follow the advice in Tuesday's advisory, which includes a detailed list of indicators of compromise.


Deitasoft © 2024. All Rights Reserved.