Rewterz Threat Alert – Russia-Linked APT28 Launches Stealthy Attacks Using Compromised Ubiquiti Routers – Active IOCs

Severity

High

Analysis Summary

 joint advisory by the FBI, NSA, U.S. Cyber Command, and international partners highlights a significant cybersecurity threat posed by Russian military hackers associated with Military Unit 26165, commonly known as APT28 or Fancy Bear. These threat actors exploit compromised Ubiquiti EdgeRouters to orchestrate extensive botnets, enabling them to conduct covert cyber operations targeting governments, militaries, and organizations globally.

The advisory underscores a vulnerability in EdgeRouters which often comes with default credentials and minimal firewall protections, making them susceptible to exploitation. The routers do not update firmware automatically, further exacerbating their susceptibility to cyberattacks.

APT28’s exploitation of compromised EdgeRouters involves a range of malicious activities, including credential theft, NTLMv2 digest collection, and the proxying of malicious traffic. The attackers utilize custom tools and phishing landing pages hosted on these hijacked routers to facilitate their cyber espionage campaigns. Through a combination of Python scripts, ELF binaries, and Bash scripts, APT28 actors exploit vulnerabilities such as CVE-2023-23397, a zero-day vulnerability in Microsoft Outlook to harvest NTLMv2 digests and perpetrate NTLM relay attacks. Despite patches being available, APT28 continues to exploit these vulnerabilities, demonstrating their persistence and adaptability in evading detection and maintaining access to compromised infrastructure.

The FBI’s investigation reveals the sophisticated tactics employed by APT28 to maintain control over compromised EdgeRouters, granting them unfettered access to Linux-based operating systems for deploying tooling and obfuscating their identities. By leveraging root access, APT28 actors can install and execute various malicious payloads, highlighting the critical need for robust cybersecurity measures to mitigate such threats effectively.

It serves as a stark reminder of the escalating cyber threats posed by state-sponsored actors like APT28, who exploit vulnerabilities in widely used networking infrastructure to conduct espionage and cyber warfare operations. The sophisticated techniques employed by these adversaries underscore the need for continuous vigilance, timely patching, and the implementation of robust security measures to defend against such threats effectively.

Impact

• Credential Theft
• Cyber Espionage
• Exposure to Sensitive Data

Indicators of Compromise

MD5

• 050e2d68903681dbde4acd5ce83aea01
• 47f4b4d8f95a7e842691120c66309d5b
• ee04beb64d15f6873309b9637d38a39e
• 4b4e7ccb1f015a107ac052ba25dfe94e

SHA-256

• 0429bdc6a302b4288aea1b1e2f2a7545731c50d647672fa65b012b2a2caa386e
• 18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6
• 40a7fd89b9e51b0a515ac2355036d203357be90a2200b9c506b95c12db54c7aa
• 104e3ea9a190ba039488f5200824fe883b98f6fe01d05a1b55e15ed2199c807a

SHA-1

• bf01902ffa7ecb530b410ea4e1b769a9c16f74a3
• 1922698073911b18f60edd84ff8d13461fbd4c5a
• 2d47848e5e7e31125aa60cd2d89da2b8617fab04
• 25fca7e8a65bcdabdad9e4dc41dbb4649dedebdc

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise IOCs in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.