Hackers with ties to the Russian government are exploiting vulnerabilities in popular edge routers to launch dangerous new attacks.
A joint security advisory published by the FBI, NSA, the US Cyber Command, and national law enforcement agencies from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom.
As per the advisory, the infamous Russian threat actor known as APT28 (AKA Fancy Bear, Forest Blizzard, Strontium) has been using compromised EdgeRouters globally in a campaign of credential harvesting, proxy network traffic, and spear-phishing attacks.
Default login credentials
APT28, which the security firms claim is under the command of the Russian General Staff Main Intelligence Directorate (GRU), has been using the vulnerabilities since 2022 to target governments, militaries, and organizations around the world. The industries they targeted the most include Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation.
The victims were spread out across the western world, in countries such as the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the US. Many individuals in Ukraine were “strategically targeted”, the advisory further states.
The problem with EdgeRouters is that, in many cases, the victims never change the default login credentials, allowing the hackers easy access to the admin panel. Once inside, they proceed to install Moobot, a botnet that drops OpenSSH trojans on compromised hardware. Each compromised router accessed by APT28 actors housed a “collection of Bash scripts and ELF binaries” designed to exploit backdoor OpenSSH daemons and related services for things such as credential harvesting, proxy network traffic, and more.
In early 2023, the FBI found APT28 building a custom Python script to steal login credentials for specifically targeted webmail users, as well as using a zero-day to harvest NTLMv2 digests from some Outlook accounts.
The U.S. Department of Justice and partners recently disrupted the APT28 botnet consisting of these routers, but without the end users addressing the flaws, the job is not done. As per the DoJ’s instructions, they should factory reset the device, upgrade to the latest firmware version, change the login credentials, and implement strategic firewall rules on WAN-side interfaces.
More from TechRadar Pro
——————————————————–