
U.S. Government Disrupts Russia-Linked Botnet Engaged in Cyber Espionage

The United States government has revealed that it has disrupted a botnet comprising hundreds of small office and home office (SOHO) routers used by the Russia-linked APT28 actor. The botnet was used to mask the group's malicious activities, which included vast spear-phishing and similar credential-harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. APT28, also known as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is assessed to be linked to Unit 26165 of Russia's Main Directorate of the General Staff (GRU) and has been active since at least 2007.

The attackers relied on a Mirai-based botnet called MooBot, which specifically targeted routers made by Ubiquiti, to carry out their cyber espionage campaigns. The group co-opted these routers into a mesh of devices that were modified to act as proxies, relaying malicious traffic while shielding the operators' real IP addresses. This allowed the threat actors to mask their actual location and to harvest credentials and NT LAN Manager (NTLM) v2 hashes via bespoke scripts, as well as to host spear-phishing landing pages and other custom tooling for brute-forcing passwords, stealing router user passwords, and propagating the MooBot malware to other appliances.

According to court documents filed by the U.S. Federal Bureau of Investigation (FBI), MooBot compromises vulnerable, publicly accessible Ubiquiti routers by logging in with default credentials and implants a backdoor that permits persistent remote access to the device. “Non-GRU cybercriminals installed the MooBot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords,” the Department of Justice (DoJ) explained. “GRU hackers then used the MooBot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”

The APT28 actors are suspected to have found and illegally accessed already-compromised Ubiquiti routers by conducting public internet scans using a specific OpenSSH version number as a search parameter and then using MooBot's access to log in to those routers. Spear-phishing campaigns undertaken by the hacking group have also leveraged a then-zero-day vulnerability in Microsoft Outlook (CVE-2023-23397) to siphon login credentials and transmit them to the compromised routers. In another identified campaign, APT28 actors designed a fake Yahoo! landing page that sent credentials entered on the false page to a compromised Ubiquiti router, to be collected by APT28 actors at their convenience.
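The NTLMv2 hash harvesting described above, and the Outlook bug used to trigger it, come down to a Windows client being coaxed into NTLM-authenticating to a host the attacker controls. The following is an added example, not code from the article, the court filings, or any APT28 or MooBot tooling: it constructs the NTLMSSP AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3) such a client sends, parses it back the way a capture endpoint would, emits the hashcat mode 5600 line, and tests one candidate NT hash offline. The user, domain, workstation, challenges, and timestamp are constructed sample values, and the NT hash is the well-known one for the string "password", used so the block needs no MD4 implementation.

```python
"""Added example (not from the article, the FBI filings or any APT28/MooBot
tooling): what a harvested NTLMv2 credential actually is.

Builds an NTLMSSP AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3) from constructed
sample values, parses it as a capture script would, emits the hashcat
"5600" line, and checks a candidate NT hash offline."""
import hashlib
import hmac
import struct

# Constructed sample values, not real credentials.  The NT hash is the
# well-known MD4(UTF-16LE("password")) value, used so the block needs no
# MD4 implementation (hashlib often lacks md4 on current OpenSSL builds).
SAMPLE_USER = "jdoe"
SAMPLE_DOMAIN = "CORP"
SAMPLE_WORKSTATION = "WS01"
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # from the CHALLENGE_MESSAGE (type 2)
CLIENT_CHALLENGE = bytes.fromhex("ffeeddccbbaa9988")  # chosen by the client
HEADER_LEN = 8 + 4 + 6 * 8 + 4 + 8  # signature, type, six field descriptors, flags, version


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UPPER(user) || domain, both UTF-16LE."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def ntlmv2_temp(client_challenge: bytes, timestamp: int = 0x01D9F4C8A1B2C3D4) -> bytes:
    """The NTLMv2_CLIENT_CHALLENGE ("temp") blob: RespType=1, HiRespType=1,
    Z(6), FILETIME timestamp, client challenge, Z(4), AvPairs (just MsvAvEOL
    here), Z(4).  Real clients put server/domain names in the AvPairs."""
    av_pairs = struct.pack("<HH", 0, 0)  # MsvAvEOL
    return (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp)
            + client_challenge + bytes(4) + av_pairs + bytes(4))


def build_authenticate_message(user, domain, workstation, nt_hash,
                               server_challenge, client_challenge) -> bytes:
    """Assemble a type-3 message as a Windows client would (LM response
    left as 24 zero bytes, no encrypted session key)."""
    temp = ntlmv2_temp(client_challenge)
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    fields = [bytes(24), nt_proof + temp,
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]
    descriptors, payload = b"", b""
    for f in fields:  # each descriptor: Len, MaxLen, BufferOffset
        descriptors += struct.pack("<HHI", len(f), len(f), HEADER_LEN + len(payload))
        payload += f
    flags = 0x00000001 | 0x00000200 | 0x00080000  # UNICODE | NTLM | EXTENDED_SESSIONSECURITY
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", flags) + bytes(8) + payload)


def parse_authenticate_message(msg: bytes) -> dict:
    """Pull user, domain, workstation, NTProofStr and blob out of a type-3
    message; this is the core of any NTLM capture listener."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")

    def field(i: int) -> bytes:
        length, _max, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        return msg[offset:offset + length]

    _lm, nt, domain, user, workstation, _key = (field(i) for i in range(6))
    if len(nt) <= 24:  # a 24-byte NT response is NTLMv1, not v2
        raise ValueError("NT response is not NTLMv2")
    return {"user": user.decode("utf-16-le"), "domain": domain.decode("utf-16-le"),
            "workstation": workstation.decode("utf-16-le"),
            "nt_proof": nt[:16], "blob": nt[16:]}


def to_hashcat_5600(parsed: dict, server_challenge: bytes) -> str:
    """Format the capture as hashcat mode 5600: USER::DOMAIN:chal:proof:blob."""
    return (f"{parsed['user']}::{parsed['domain']}:{server_challenge.hex()}:"
            f"{parsed['nt_proof'].hex()}:{parsed['blob'].hex()}")


def check_nt_hash(parsed: dict, server_challenge: bytes, candidate: bytes) -> bool:
    """One offline guess: recompute NTProofStr from a candidate NT hash."""
    key = ntowf_v2(candidate, parsed["user"], parsed["domain"])
    proof = hmac.new(key, server_challenge + parsed["blob"], hashlib.md5).digest()
    return hmac.compare_digest(proof, parsed["nt_proof"])


def demo() -> dict:
    msg = build_authenticate_message(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_WORKSTATION,
                                     SAMPLE_NT_HASH, SERVER_CHALLENGE, CLIENT_CHALLENGE)
    parsed = parse_authenticate_message(msg)
    return {"capture": to_hashcat_5600(parsed, SERVER_CHALLENGE),
            "matches_password": check_nt_hash(parsed, SERVER_CHALLENGE, SAMPLE_NT_HASH),
            "matches_garbage": check_nt_hash(parsed, SERVER_CHALLENGE, bytes(16))}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for defenders is that what leaks is a challenge-bound response, not a reusable password: the attacker either guesses NT hashes against it offline (as check_nt_hash does for a single candidate) or relays the authentication live to another service. Blocking outbound SMB and WebDAV to the internet at the perimeter and requiring SMB signing internally remove both options, and a long, non-dictionary password makes the offline path impractical.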

As part of the operation, the FBI issued a series of commands, not detailed in the court filings, to copy and then delete the stolen data and malicious files from the compromised routers and to modify their firewall rules to block APT28's remote access. The precise number of compromised devices in the U.S. has been redacted, although the FBI noted that it could change; infected Ubiquiti devices have been detected in “almost every state,” it added. This court-authorized operation is part of the U.S. government's efforts to disrupt the botnet and prevent further crime.

Want to read more? Check out the original article available at The Hacker News!


Deitasoft © 2024. All Rights Reserved.