Ubiquiti: Where Security is Optional and the key point is «change your password, seriously!»
The document titled «Cyber Actors Use Compromised Routers to Facilitate Cyber Operations» released by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners warns of use of compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide.
The popularity of Ubiquiti EdgeRouters is attributed to their user-friendly, Linux-based operating system, default credentials, and limited firewall protections. The routers are often shipped with insecure default configurations and do not automatically update firmware unless configured by the user.
The compromised EdgeRouters have been used by APT28 to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools. APT28 accessed the routers using default credentials and trojanized OpenSSH server processes. With root access to the compromised routers, the actors had unfettered access to the Linux-based operating systems to install tooling and obfuscate their identity.
APT28 also deployed custom Python scripts on the compromised routers to collect and validate stolen webmail account credentials obtained through cross-site scripting and browser-in-the-browser spear-phishing campaigns. Additionally, they exploited a critical zero-day elevation-of-privilege vulnerability in Microsoft Outlook (CVE-2023-23397) to collect NTLMv2 digests from targeted Outlook accounts and used publicly available tools to assist with NTLM relay attacks.
Key points and takeaways
📌 APT28 (also known as Fancy Bear, Forest Blizzard, and Strontium) have been exploiting compromised Ubiquiti EdgeRouters to conduct malicious cyber ops globally.
📌 The exploitation includes harvesting credentials, collecting NTLMv2 digests, proxying network traffic, and hosting spear-phishing landing pages and custom tools.
📌 The FBI, NSA, US Cyber Command, and international partners have issued a joint Cybersecurity Advisory (CSA) detailing the threat and providing mitigation recommendations.
📌 The advisory includes observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and maps the threat actors' activity to the MITRE ATT&CK framework.
📌 The advisory urges immediate action to mitigate the threat, including performing hardware factory resets, updating firmware, changing default credentials, and implementing strategic firewall rules.
📌 APT28 has used compromised EdgeRouters since at least 2022 to facilitate covert operations against various industries and countries, including the US.
📌 The EdgeRouters are popular due to their user-friendly Linux-based operating system but are often shipped with default credentials and limited firewall protections.
📌 The advisory provides detailed TTPs and IOCs to help network defenders identify and mitigate the threat.
📌 The advisory also includes information on how to map malicious cyber activity to the MITRE ATT&CK framework.
📌 Organizations using Ubiquiti EdgeRouters must take immediate action to secure their devices against APT28 exploitation.
📌 The recommended actions include resetting hardware to factory settings, updating to the latest firmware, changing default usernames and passwords, and implementing strategic firewall rules.
📌 Network defenders should be aware of the TTPs and IOCs provided in the advisory to detect and respond to potential compromises.
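As an added example (not part of the advisory or of this post), the Python below parses an EdgeOS `show configuration` dump and flags two of the weaknesses the recommended actions address: the factory default account still present, and a WAN interface with no `local` firewall ruleset protecting the router's own services. It assumes the EdgeOS brace-delimited config format, that the default account is named `ubnt`, and that uplink interfaces carry a description containing "WAN"; the sample configuration is constructed, not taken from a real device.

```python
"""Audit an EdgeOS (Vyatta-style) 'show configuration' dump for weak settings the advisory calls out."""

DEFAULT_ACCOUNTS = {"ubnt"}  # assumption: factory-default EdgeOS login name

def parse_edgeos(text):
    """Parse the brace-delimited EdgeOS config into nested dicts (leaf -> value)."""
    root, stack = {}, []
    node = root
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "}":                          # close the current block
            node = stack.pop()
        elif line.endswith("{"):                 # open a block, e.g. "user ubnt {"
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        else:                                    # leaf: "key value" or a bare flag
            key, _, value = line.partition(" ")
            node[key] = value.strip() or True
    return root

def audit(config):
    """Return findings for: a default account still present; a WAN interface with no 'local'
    firewall ruleset ('in'/'out' rulesets filter transit traffic only, not the router's own
    services such as SSH, so without 'local' they stay reachable from the internet)."""
    findings = []
    for entry in config.get("system", {}).get("login", {}):
        if entry.startswith("user ") and entry.split()[1] in DEFAULT_ACCOUNTS:
            findings.append(f"default account '{entry.split()[1]}' still exists")
    for name, iface in config.get("interfaces", {}).items():
        if "WAN" not in str(iface.get("description", "")).upper():
            continue                             # assumption: uplinks are described as WAN
        if "name" not in iface.get("firewall", {}).get("local", {}):
            findings.append(f"{name}: no 'local' firewall ruleset protecting router services")
    return findings

# Constructed sample resembling a factory-fresh EdgeRouter; not taken from any real device.
SAMPLE = """interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}"""
```

Running `audit(parse_edgeos(SAMPLE))` on the sample reports both weaknesses; a config with the default account removed and a `firewall local` ruleset on the WAN interface reports none.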