
Protective Measures Urged for Ubiquiti EdgeRouter Users After MooBot Malware Threat

Cybersecurity and intelligence agencies from several countries, including the United States, recently issued a joint advisory urging Ubiquiti EdgeRouter users to take protective measures. The advisory follows the dismantling of a botnet called MooBot, made up of infected routers, which is believed to have been used by the Russia-linked threat actor group APT28 to facilitate covert cyber operations and stage custom malware for follow-on exploitation. APT28, affiliated with Russia's Main Directorate of the General Staff (G.R.U.), has been active since 2007.

According to the advisory, APT28 has been using compromised EdgeRouters worldwide to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools. The adversary's use of EdgeRouters dates back to at least 2022, with the attacks targeting sectors including aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, and transportation, in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.

The attackers target routers with default or weak credentials and deploy trojanized OpenSSH binaries, giving APT28 persistent access through which it delivers Bash scripts and other ELF binaries to collect credentials, proxy network traffic, host phishing pages, and run other tooling. The attackers also use scripts to upload account credentials belonging to specifically targeted webmail users, collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.

Furthermore, APT28 has been linked to the exploitation of CVE-2023-23397, a now-patched critical privilege escalation flaw in Outlook that could be abused to steal NT LAN Manager (NTLM) hashes and mount a relay attack without any user interaction. The attackers have also developed a tool called MASEPIE, which can execute arbitrary commands on victim machines and uses compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.

With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to the routers' Linux-based operating system to install tooling and mask their identity while conducting malicious campaigns. Organizations are therefore advised to perform a hardware factory reset of the routers to flush the file system of malicious files, upgrade to the latest firmware version, change the default credentials, and implement firewall rules that prevent the exposure of remote management services. The order matters: a firmware upgrade on its own does not remove files an attacker has already planted, and a factory reset restores the factory username and password, so the credential change must come after the reset rather than before it.
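As an added illustration of the last three recommendations (example code written for this page, not tooling from the advisory or from Ubiquiti), the script below reads an EdgeOS `show configuration commands` dump and reports the weaknesses the advisory describes: the factory `ubnt` account still present, a WAN-side interface with no local firewall, and firewall rules that accept SSH or the web GUI from any source. Both configuration dumps are constructed samples; which interfaces count as WAN is inferred from an assumed "WAN" description convention, and the management ports are read from the config's `service ssh port` and `service gui https-port` settings (defaulting to 22/443/80).

```python
"""Audit an EdgeOS 'show configuration commands' dump for retained default
credentials and remote management (SSH, web GUI) exposed on a WAN interface.
Example code for this page, not Ubiquiti's or the advisory's tooling.
WEAK_CONFIG / HARDENED_CONFIG are constructed samples; treating interfaces
whose description starts with 'WAN' as WAN-facing is an assumption."""
import shlex
from collections import defaultdict

DEFAULT_USER = "ubnt"  # factory account on EdgeOS

WEAK_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol tcp
set firewall name WAN_LOCAL rule 20 destination port 22
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth2 address dhcp
set interfaces ethernet eth2 description WAN-backup
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication encrypted-password '$6$placeholder'
"""

# Same device after: reset, account renamed, SSH limited to an admin prefix,
# and the local firewall attached to every WAN interface.
HARDENED_CONFIG = WEAK_CONFIG.replace("user ubnt ", "user netadmin ") + """\
set firewall name WAN_LOCAL rule 20 source address 203.0.113.0/24
set interfaces ethernet eth2 firewall local name WAN_LOCAL
"""


def parse_commands(text):
    """Each 'set ...' line as a token list (quoted values kept whole), 'set' dropped."""
    return [shlex.split(l)[1:] for l in text.splitlines() if l.startswith("set ")]


def mgmt_ports(cmds):
    """port -> service for remote management, honouring non-default port settings."""
    svc = {"ssh": "22", "gui-https": "443", "gui-http": "80"}
    for c in cmds:
        if c[:3] == ["service", "ssh", "port"]:
            svc["ssh"] = c[3]
        elif c[:3] == ["service", "gui", "https-port"]:
            svc["gui-https"] = c[3]
        elif c[:3] == ["service", "gui", "http-port"]:
            svc["gui-http"] = c[3]
    return {port: name for name, port in svc.items()}


def wan_interfaces(cmds):
    """Interfaces whose description marks them as WAN (assumed convention)."""
    return sorted(c[2] for c in cmds if len(c) > 4 and c[:2] == ["interfaces", "ethernet"]
                  and c[3] == "description" and c[4].upper().startswith("WAN"))


def local_firewall(cmds, iface):
    """Name of the 'local' (router-destined traffic) firewall on iface, or None."""
    for c in cmds:
        if c[:6] == ["interfaces", "ethernet", iface, "firewall", "local", "name"]:
            return c[6]
    return None


def firewall_rules(cmds, name):
    """(default-action, {rule: {'action': 'accept', 'destination port': '22', ...}})."""
    default_action, rules = None, defaultdict(dict)
    for c in cmds:
        if c[:3] != ["firewall", "name", name]:
            continue
        if c[3] == "default-action":
            default_action = c[4]
        elif c[3] == "rule":  # key = attribute path, value = last token
            rules[c[4]][" ".join(c[5:-1])] = c[-1]
    return default_action, rules


def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    cmds, findings = parse_commands(text), []
    if any(c[:4] == ["system", "login", "user", DEFAULT_USER] for c in cmds):
        findings.append(f"default account '{DEFAULT_USER}' is still configured")
    ports = mgmt_ports(cmds)
    for iface in wan_interfaces(cmds):
        fw = local_firewall(cmds, iface)
        if fw is None:
            findings.append(f"{iface}: no local firewall; {', '.join(ports.values())} reachable from WAN")
            continue
        default_action, rules = firewall_rules(cmds, fw)
        if default_action not in ("drop", "reject"):
            findings.append(f"{iface}: firewall {fw} default-action is {default_action}, not drop")
        for num, attrs in sorted(rules.items(), key=lambda kv: int(kv[0])):
            port = attrs.get("destination port")
            if attrs.get("action") == "accept" and port in ports and "source address" not in attrs:
                findings.append(f"{iface}: {fw} rule {num} accepts {ports[port]} (port {port}) from any source")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

On a real device, save the output of `show configuration commands` to a file and pass its contents to `audit()`. A clean result says nothing about what is already on the file system: only the hardware factory reset addresses an implant that is already installed, and the credential change should follow that reset so the factory account is not reinstated.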

The joint advisory highlights that nation-state hackers increasingly use routers as launchpads for attacks, building botnets such as VPNFilter, Cyclops Blink, and KV-botnet, among others, to conduct malicious activities. The advisory arrived a day after the Five Eyes nations called out APT29, the threat group affiliated with Russia's Foreign Intelligence Service (S.V.R.), for using service accounts and dormant accounts to access cloud environments at target organizations.


Deitasoft © 2024. All Rights Reserved.