Intelligence advisory: Ubiquiti EdgeRouters used for cyber operations
The advisory urges users of Ubiquiti EdgeRouter devices to take immediate protective measures against the MooBot botnet.
In a joint advisory, cybersecurity and intelligence agencies from multiple nations, including the US, are issuing a stern warning to users of Ubiquiti EdgeRouter devices, advising immediate protective actions. This caution comes after recently dismantling a botnet composed of compromised routers as part of an operation code-named Dying Ember.
The botnet, dubbed MooBot, allegedly operated by a threat group associated with Russia, specifically APT28, has been implicated in aiding covert cyber operations and deploying customized malware for subsequent exploitation. APT28, linked to Russia’s Main Directorate of the General Staff (GRU), has been active since at least 2007.
According to authorities, APT28 has leveraged compromised EdgeRouters globally to steal credentials, gather NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and specialized tools.
The use of EdgeRouters by the adversary traces back to 2022, with targets spanning various sectors, including aerospace and defence, education, energy, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation across multiple countries including the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Türkiye, Ukraine, the UAE, and the USA.
MooBot assaults typically involve exploiting routers with default or weak credentials to deploy OpenSSH trojans. APT28 then exploits this access to distribute bash scripts and other ELF binaries to harvest credentials, proxy network traffic, host phishing pages, and employ other tools.
This arsenal includes Python scripts aimed at uploading credentials of targeted webmail users obtained through cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.
Moreover, APT28 has been associated with exploiting CVE-2023-23397 (CVSS score: 9.8), a critical privilege escalation vulnerability in Microsoft Outlook, enabling theft of NT LAN Manager (NTLM) hashes and enabling a relay attack without user interaction, although it has since been patched.
To mitigate risks, organizations are advised to perform a hardware factory reset of routers to remove malicious files, update the latest firmware, change default credentials, and implement firewall rules to block remote management services.
These developments underscore the growing trend of nation state hackers leveraging routers as launchpads for attacks, creating botnets like VPNFilter, Cyclops Blink, and KV-botnet to carry out their malicious agendas.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.