Security agencies led by the FBI, the National Security Agency, and the US Cyber Command are warning that state-sponsored Russian actors are leading coordinated attacks on Ubiquiti’s EdgeRouter products.
The APT28 (aka Fancy Bear, Forest Blizzard or Strontium) attackers exploit EdgeRouters all over the world to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools, an advisory [pdf] warns.
The advisory notes the global popularity of the EdgeRouter device.
EdgeRouters, it said, “are often shipped with default credentials and limited to no firewall protections to accommodate wireless internet service providers (WISPs).”
“Additionally, EdgeRouters do not automatically update firmware unless a consumer configures them to do so.”
APT28 has been using exploited devices since at least early 2022, the advisory stated.
In their attacks, APT28 uses trojanised OpenSSH server processes typically associated with the Mirai-based Moobot botnet, with initial access gained through weaknesses such as default credentials.
The attackers install custom Python scripts on compromised devices, to “collect and validate stolen webmail account credentials”, the advisory said.
Some of the compromised EdgeRouters are also recruited to form a command-and-control infrastructure to distribute MASEPIE backdoors.
MASEPIE is a small Python backdoor that can also execute commands on victim machines. APT28 wrote it in December 2023.
Mitigations listed in the advisory include a factory reset of the affected router, upgrading to the latest firmware version, changing all default credentials, and using firewall rules to restrict access to management services.
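The last two mitigations can be checked against a router's own configuration. The script below is an added example, not code from the advisory or from Ubiquiti: it parses the `set ...` lines of an EdgeOS `show configuration commands` dump and flags a surviving default `ubnt` account, WAN-facing interfaces with no `firewall local` policy attached, and which management services (SSH, web GUI, telnet) are enabled. The two configuration dumps are constructed samples, and the rule that treats an interface as WAN-facing when it uses DHCP or carries "WAN" in its description is a heuristic assumption, not something the advisory specifies.

```python
import shlex

# Constructed sample of an EdgeOS "show configuration commands" dump (assumption:
# this is the format; the values are made up for the example).
WEAK_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description LAN
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication encrypted-password '$6$placeholder'
set system login user ubnt level admin
"""

# Same router after the advisory's mitigations: default account replaced and the
# WAN_LOCAL policy actually attached to the WAN interface (also constructed).
HARDENED_CONFIG = WEAK_CONFIG.replace("user ubnt", "user netadmin") + \
    "set interfaces ethernet eth0 firewall local name WAN_LOCAL\n"

DEFAULT_ACCOUNT = "ubnt"                       # EdgeOS factory username
MANAGEMENT_SERVICES = {"ssh", "gui", "telnet"}  # services reachable if not firewalled


def parse_set_lines(config_text):
    """Tokenise every 'set ...' line, dropping the leading 'set' keyword."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            entries.append(shlex.split(line)[1:])  # shlex keeps quoted values whole
    return entries


def audit_config(config_text):
    """Return findings relevant to the advisory's mitigations."""
    users = set()
    interfaces = {}  # name -> {"wan": bool, "local_policy": str | None}
    services = set()

    for tok in parse_set_lines(config_text):
        if tok[:3] == ["system", "login", "user"] and len(tok) > 3:
            users.add(tok[3])
        elif tok[:2] == ["interfaces", "ethernet"] and len(tok) > 3:
            iface = interfaces.setdefault(tok[2], {"wan": False, "local_policy": None})
            rest = tok[3:]
            # Heuristic (assumption): DHCP address or "WAN" in description => WAN-facing
            if rest[:2] == ["address", "dhcp"]:
                iface["wan"] = True
            if rest[:1] == ["description"] and "wan" in " ".join(rest[1:]).lower():
                iface["wan"] = True
            # 'firewall local' is the policy governing traffic to the router itself
            if rest[:3] == ["firewall", "local", "name"] and len(rest) > 3:
                iface["local_policy"] = rest[3]
        elif tok[:1] == ["service"] and len(tok) > 1:
            services.add(tok[1])

    return {
        "default_account_present": DEFAULT_ACCOUNT in users,
        "unprotected_wan_interfaces": sorted(
            name for name, i in interfaces.items() if i["wan"] and i["local_policy"] is None
        ),
        "management_services": sorted(services & MANAGEMENT_SERVICES),
    }


def is_hardened(findings):
    """True when no default account remains and every WAN interface has a local policy."""
    return not findings["default_account_present"] and not findings["unprotected_wan_interfaces"]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        f = audit_config(cfg)
        print(label, f, "hardened" if is_hardened(f) else "NEEDS ATTENTION")
```

The script only reads the configuration, so it cannot tell whether the `ubnt` account still has the factory password or whether the firmware is current; it reports that the account exists and leaves the password change and firmware upgrade to the operator. The enabled management services are listed as context rather than as a failure, since SSH from the LAN side behind a `firewall local` policy is the expected setup.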