Cybersecurity Organizations Alert Ubiquiti EdgeRouter Users to the MooBot Threat Posed by APT28

Weeks after a botnet of compromised routers was taken down by law enforcement as part of an operation known as Dying Ember, the United States' cybersecurity and intelligence agencies are advising Ubiquiti EdgeRouter users to take precautionary measures in a new joint alert.

APT28, a threat actor with ties to Russia, is said to have utilized the botnet known as MooBot to enable covert cyber operations and drop custom malware for subsequent exploitation. APT28 has been linked to the Russian Main Directorate of the General Staff since at least 2007.

The perpetrators of APT28 “used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” according to authorities.

Since 2022, the adversary has been using EdgeRouters to launch attacks against the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the United States in the areas of aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation.

MooBot targets routers with default or weak credentials and uses that access to distribute trojanized OpenSSH binaries. APT28 then uses the compromised routers to deploy bash scripts and other ELF programs that gather credentials, host phishing pages, proxy network traffic, and run other tools.

This includes Python scripts designed to upload the account credentials of specifically targeted webmail users, which are collected through Browser-in-the-Browser (BitB) spear-phishing campaigns and cross-site scripting.

Additionally, APT28 has been connected to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a critical, since-patched privilege escalation vulnerability in Microsoft Outlook that makes it possible to mount a relay attack and steal NT LAN Manager (NTLM) hashes without any user interaction.

Its malware arsenal includes MASEPIE, a Python backdoor that uses compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure and can execute arbitrary commands on victim machines.

Because the actors have root access to compromised Ubiquiti EdgeRouters, the agencies stated, "APT28 actors have unrestricted access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns."

Organizations are advised to upgrade to the most recent firmware version, change the default credentials on their routers, perform a hardware factory reset to rid the file system of malicious files, and put firewall rules in place so that remote management services are not exposed to the internet.
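The following script is an added example, not code from the alert, the agencies, or Ubiquiti. It audits an EdgeRouter configuration dump for two of the gaps the alert calls out (the default `ubnt` account that MooBot-style credential guessing relies on, and management services reachable from the WAN without a local firewall ruleset) and shows a hardened configuration beside the weak one. It assumes the EdgeOS `show configuration commands` format (`set ...` lines), that `eth0` is the internet-facing interface, and that `192.168.1.1` is the LAN address; both configurations are constructed for illustration and are not taken from any real device.

```python
"""Audit an EdgeOS-style configuration dump for the hardening gaps named in the alert."""

# Constructed weak configuration (illustrative; not a real device).
WEAK_CONFIG = """\
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication encrypted-password 'REDACTED-HASH'
set system login user ubnt level admin
"""

# Constructed hardened configuration: default account removed, a WAN_LOCAL
# ruleset applied to traffic destined for the router itself, and the SSH/GUI
# services bound to the LAN address only.
HARDENED_CONFIG = """\
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service gui listen-address 192.168.1.1
set service ssh port 22
set service ssh listen-address 192.168.1.1
set system login user netadmin authentication plaintext-password 'REPLACE-WITH-STRONG-PASSWORD'
set system login user netadmin level admin
"""

WAN_INTERFACE = "eth0"  # assumption: eth0 faces the internet
DEFAULT_ACCOUNT = "ubnt"  # factory default account name on EdgeRouters


def parse_set_commands(text):
    """Split a configuration dump into token lists, one per `set` command."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("set "):
            commands.append(line[4:].split())
    return commands


def audit(text, wan_if=WAN_INTERFACE):
    """Return a list of human-readable findings; an empty list means no gaps found."""
    cmds = parse_set_commands(text)
    findings = []

    # Finding 1: the factory default account still exists.
    if any(c[:4] == ["system", "login", "user", DEFAULT_ACCOUNT] for c in cmds):
        findings.append(f"default account '{DEFAULT_ACCOUNT}' still exists")

    # Finding 2: nothing filters traffic addressed to the router on the WAN port.
    has_local_fw = any(
        c[:6] == ["interfaces", "ethernet", wan_if, "firewall", "local", "name"]
        for c in cmds
    )
    if not has_local_fw:
        findings.append(f"no 'firewall local' ruleset on WAN interface {wan_if}")

    # Finding 3: a management service is enabled, not bound to a LAN address,
    # and not shielded by a WAN local ruleset, so it is reachable remotely.
    for svc in ("ssh", "gui"):
        enabled = any(c[:2] == ["service", svc] for c in cmds)
        restricted = any(c[:3] == ["service", svc, "listen-address"] for c in cmds)
        if enabled and not restricted and not has_local_fw:
            findings.append(
                f"service {svc} is enabled with no listen-address and no WAN local firewall"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run it against a real dump by replacing the constructed text with the output of `show configuration commands`; the factory reset and firmware upgrade the alert also recommends are not visible in the configuration and still have to be verified separately.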

The findings indicate that nation-state hackers increasingly use routers as a jumping-off point for their attacks, building botnets such as VPNFilter, Cyclops Blink, and KV-botnet from them to carry out malicious operations.

The alert was sent out the day after the Five Eyes countries denounced APT29, the threat group linked to Russia's Foreign Intelligence Service (SVR) and responsible for the attacks on SolarWinds, Microsoft, and HPE, for using dormant and service accounts to gain access to target organizations' cloud environments.