Russian APT28 hackers breach Ubiquiti EdgeRouters for attacks

The FBI, NSA, US Cyber Command and international partners warn that Russian military hackers APT28 use compromised Ubiquiti EdgeRouters for attacks.

Ubiquiti EdgeRouters

The Russian hacking group APT28 - cyber spies of Military Unit 26165, part of the Main Intelligence Directorate of the General Staff (GRU) - uses these routers to build extensive botnets that help them steal credentials, collect NTLMv2 digests and proxy malicious traffic.

The hackers also use the routers to host phishing tools and pages for attacks targeting militaries, governments and other organisations worldwide.

Ubiquiti EdgeRouters "are often shipped with default credentials and have no firewall protection", the agencies warn.

There is also no automatic firmware update: users must update the firmware manually.

Earlier this month, the FBI disrupted a botnet consisting of Ubiquiti EdgeRouters infected with the Moobot malware. The initial infections were carried out by other hackers, but APT28 later repurposed the botnet as an espionage tool.

During the investigation of the hacked routers, the FBI discovered several APT28 tools, including Python scripts for stealing webmail credentials, programs designed to collect NTLMv2 digests and custom routing rules that automatically redirect phishing traffic to attack infrastructure.

APT28 has been linked to several attacks on high-profile organisations. For example, the group hacked the German Federal Parliament (Deutscher Bundestag), the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) before the 2016 US presidential election.

Russian hackers APT28

Ubiquiti EdgeRouters: how to "save" them?

The FBI and its partner agencies recommend the following measures to rid the routers of the malware and block APT28's access:

  • Perform a hardware factory reset
  • Upgrade to the latest firmware version
  • Change the default credentials
  • Apply strategic firewall rules on WAN-side interfaces to prevent unwanted exposure of remote management services.
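The last two points can be audited from the router's saved configuration. The following Python script is an added example (not from the advisory, the FBI or Ubiquiti) that parses a constructed EdgeOS-style `config.boot` excerpt and reports whether the factory `ubnt` user still exists and whether the WAN-facing interface (assumed here to be `eth0`) has a local firewall policy attached.

```python
# Constructed EdgeOS-style config.boot excerpt (hypothetical sample, not from the advisory):
# eth0 is the WAN port, has no "firewall local" policy, and the factory "ubnt" user is still present.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""


def parse_config(text):
    """Parse Vyatta/EdgeOS brace syntax into nested dicts; leaf values are stored as strings."""
    root, stack, node = {}, [], {}
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):  # skip blanks and version comments
            continue
        if line.endswith("{"):                  # open a nested block, e.g. "ethernet eth0 {"
            child = node.setdefault(line[:-1].strip(), {})
            stack.append(node)
            node = child
        elif line == "}":                       # close the current block
            node = stack.pop()
        else:                                   # leaf: "key value" or a bare flag
            parts = line.split(None, 1)
            node[parts[0]] = parts[1] if len(parts) > 1 else ""
    return root


def audit(text, wan_interfaces=("eth0",)):
    """Return findings for the two configuration checks in the advisory's hardening list."""
    cfg = parse_config(text)
    findings = []
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("default user 'ubnt' still present")
    for iface in wan_interfaces:
        eth = cfg.get("interfaces", {}).get(f"ethernet {iface}", {})
        if not eth.get("firewall", {}).get("local", {}).get("name"):
            findings.append(f"{iface}: no local firewall policy on WAN-facing interface")
    return findings
```

Run `audit(open("/config/config.boot").read())` on a router backup to get the list of findings; an empty list means both checks pass.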

Protection from botnets

To protect yourself from botnets, it is important to keep your device's software and operating system up to date. Botnet attacks often exploit known vulnerabilities that have already been fixed in more recent software versions.

In addition, it is important to use a reliable security program that protects against malware and botnets. This should include running regular scans to detect and remove infections.

Using strong passwords and changing them regularly is another way to protect yourself from botnets. Botnet attacks often try to guess access passwords (e.g. on Ubiquiti EdgeRouters), so strong, regularly changed passwords can help protect your accounts.

Finally, information security training can be particularly useful. Understanding how botnet attacks work and the techniques they use can help you recognise and avoid them.

Source : www.bleepingcomputer.com

Digital Fortress (https://secnews.gr)