20 August 2024, 11:40 MSK

Threat Actors Love Ubiquiti. A Match Made in Cyber Heaven

The threat actor's operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Government, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. The targeted countries include the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US, with a strategic focus on individuals in Ukraine.

Potential consequences and impacts on these affected industries include:

📌 Data breaches and theft of sensitive information, intellectual property, or trade secrets.

📌 Disruption of critical infrastructure operations, such as power grids, transportation systems, or manufacturing processes.

📌 Compromise of government networks and systems, potentially leading to espionage or national security threats.

📌 Financial losses due to operational disruptions, theft of customer data, or reputational damage.

📌 Potential safety risks if control systems or operational technology (OT) networks are compromised.

📌 Loss of customer trust and confidence in the affected organizations.

MITRE ATT&CK TTPs

Resource Development:

📌 T1587 (Develop Capabilities): APT28 authored custom Python scripts to collect webmail account credentials.

📌 T1588 (Obtain Capabilities): APT28 accessed EdgeRouters compromised by the Moobot botnet, which installs OpenSSH trojans.

Initial Access:

📌 T1584 (Compromise Infrastructure): APT28 accessed EdgeRouters previously compromised by an OpenSSH trojan.

📌 T1566 (Phishing): APT28 conducted cross-site scripting and browser-in-the-browser spear-phishing campaigns.

Execution:

📌 T1203 (Exploitation for Client Execution): APT28 exploited the CVE-2023-23397 vulnerability.

Persistence:

📌 T1546 (Event Triggered Execution): The compromised routers housed Bash scripts and ELF binaries designed to backdoor OpenSSH daemons and related services.

Credential Access:

📌 T1557 (Adversary-in-the-Middle): APT28 installed tools such as Impacket's ntlmrelayx.py and Responder on compromised routers to execute NTLM relay attacks.

📌 T1556 (Modify Authentication Process): APT28 hosted NTLMv2 rogue authentication servers to modify the authentication process using stolen credentials from NTLM relay attacks.

Collection:

📌 T1119 (Automated Collection): APT28 utilized CVE-2023-23397 to automate the collection of NTLMv2 hashes.

Exfiltration:

📌 T1020 (Automated Exfiltration): APT28 utilized CVE-2023-23397 to automate the exfiltration of data to actor-controlled infrastructure.
