
U.S. Government Disrupts Russia-Linked Botnet Engaged in Cyber Espionage

The United States government has revealed that it has disrupted a botnet comprising hundreds of small office and home office (SOHO) routers used by the Russia-linked APT28 actor. The botnet was used to mask the group's malicious activities, which included vast credential harvesting and similar campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. APT28, also known as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is assessed to be linked to Unit 26165 of Russia's Main Directorate of the General Staff (GRU), and has been active since at least 2007.

The attackers relied on a Mirai-based botnet called MooBot, which specifically targeted routers made by Ubiquiti, to carry out their campaigns. They co-opted these routers into a mesh of devices that could be modified to act as proxies, relaying malicious traffic while shielding the operators' IP addresses. This allowed the threat actors to mask their actual location and harvest credentials and NT LAN Manager (NTLM) v2 hashes via bespoke scripts, as well as to host landing pages and other custom tooling for brute-forcing passwords, stealing router user passwords, and propagating the MooBot malware to other appliances.

According to court documents filed by the U.S. Federal Bureau of Investigation (FBI), MooBot exploits vulnerable and publicly accessible Ubiquiti routers by using default credentials and implants malware that permits persistent remote access to the device. “Non-GRU cybercriminals installed the MooBot malware on Ubiquiti OS routers that still used publicly known default administrator passwords,” the Department of Justice (DoJ) explained. “GRU then used the MooBot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global platform.”

The APT28 actors are suspected to have found and illegally accessed compromised Ubiquiti routers by conducting public internet scans using a specific OpenSSH version number as a search parameter and then using MooBot to access those routers. Spear-phishing campaigns undertaken by the group have also leveraged a then-zero-day in Outlook (CVE-2023-23397) to siphon login credentials and transmit them to the routers. In another identified campaign, APT28 actors designed a fake Yahoo! landing page that forwarded credentials entered on the fake page to a compromised Ubiquiti router, to be collected by APT28 actors at their convenience.

A series of unspecified commands was issued to copy the stolen data and malicious files before deleting them and modifying firewall rules to block APT28's remote access to the routers. The precise number of compromised devices in the U.S. has been redacted, although the FBI noted that it could change. Infected Ubiquiti devices have been detected in “almost every state,” it added. This court-authorized operation is part of the U.S. government's efforts to disrupt the botnet and prevent further crime.

Want to read more? Check out the original article available at The Hacker News!
