US and international law enforcement agencies have released a joint cybersecurity advisory (CSA) warning that Russian state-sponsored cyber actors are using compromised Ubiquiti EdgeRouters in cyber attacks worldwide.
The coalition of agencies, including the FBI, NSA, US Cyber Command, and agencies from, among others, the UK, Germany, Brazil and Norway, assessed that the Russian-backed group APT28 (also tracked as Fancy Bear, Forest Blizzard and Strontium) used EdgeRouters to gather credentials, collect NTLMv2 digests and proxy network traffic. The routers have also been used to host spear-phishing landing pages and custom tools targeting governments, militaries and other organisations around the world.
Targeted industries include Aerospace & Defense, Education, Energy & Utilities, Hospitality, Manufacturing, Oil & Gas, Technology and Transportation, along with individuals in Ukraine.
"As early as 2022, APT28 actors had used compromised EdgeRouters for covert cyber attacks," stated the advisory, and in January this year an APT28 botnet consisting of hundreds of routers was neutralised by a court-authorised operation.
Routers still using default administrator passwords were targeted with Moobot malware.
"Hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform," stated the US Department of Justice.
EdgeRouter users are urged to immediately apply the recommendations in the Mitigations section of the CSA to reduce the likelihood of any APT28 attacks.