Firmware Security Alert: Protect Your Ubiquiti EdgeRouter Now

Stay protected from potential security vulnerabilities in Ubiquiti EdgeRouter by taking necessary protective measures. Upgrade firmware, change default credentials, and implement firewall rules to safeguard your network infrastructure.


(Credit to: Thehackernews)

In a recent joint advisory, cybersecurity and intelligence agencies from various countries have issued a warning to users of Ubiquiti EdgeRouter regarding potential security vulnerabilities. This advisory comes in the wake of a successful operation, codenamed Dying Ember, that dismantled a botnet called MooBot. It is believed that this botnet, operated by a threat actor known as APT28 and linked to Russia's Main Directorate of the General Staff (GRU), was responsible for facilitating covert cyber operations and deploying custom malware. This article will delve into the details of the vulnerabilities and provide recommendations to mitigate the risks.

The APT28 group has been active since 2007 and has a history of exploiting various vulnerabilities. In this case, they targeted Ubiquiti EdgeRouters globally, compromising them to gather credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools. The attacks, which began in 2022, have targeted sectors such as aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation in several countries, including the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the United States.

The Threat Landscape

The APT28 group utilized default or weak credentials to gain access to the routers, subsequently deploying OpenSSH trojans. Once inside, they employed various techniques, including bash scripts and ELF binaries, to collect credentials, proxy network traffic, host phishing pages, and run other malicious tooling. Python scripts were also used to upload account credentials obtained through cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns. Moreover, APT28 exploited a critical privilege escalation flaw in Microsoft Outlook (CVE-2023-23397) to steal NT LAN Manager (NTLM) hashes and launch relay attacks without any user interaction. Additionally, they utilized a Python backdoor named MASEPIE, leveraging compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure to execute arbitrary commands on victim machines.

Protective Measures

To safeguard against these vulnerabilities, organizations using Ubiquiti EdgeRouters are advised to take the following protective measures:

  • Perform a hardware factory reset: This will eliminate any malicious files present in the router's file systems.
  • Upgrade to the latest firmware version: Installing the latest firmware will ensure that known vulnerabilities are patched.
  • Change default credentials: It is crucial to replace default login credentials with strong, unique passwords to prevent unauthorized access.
  • Implement firewall rules: Configuring firewall rules will restrict remote management services and minimize exposure to potential attacks.
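Two of the measures above (changing default credentials and restricting remote management with firewall rules) can be checked offline against a saved EdgeOS configuration. The script below is an added example written for this article; it is not code from the advisory, from Ubiquiti, or from the original post. It assumes the brace-delimited `config.boot` layout EdgeOS uses (`system { login { user ... } }`, `interfaces { ethernet ethN { firewall { local { name ... } } } }`, `firewall { name ... { rule N { ... } } }`), and it identifies WAN uplinks by an interface `description` containing "WAN", which is a labelling convention assumed for the example. The two configurations embedded in it are constructed samples, one weak and one hardened.

```python
"""Audit an EdgeOS config.boot excerpt for the weaknesses the advisory targets.

Added example (not from the advisory or Ubiquiti). Assumptions: EdgeOS brace
config layout, WAN uplinks labelled by a description containing "WAN".
"""

DEFAULT_ACCOUNT = "ubnt"            # factory account on EdgeRouters
MGMT_PORTS = {"22", "80", "443"}    # SSH, HTTP and HTTPS management


def parse_edgeos(text):
    """Parse a brace-delimited EdgeOS/Vyatta config into nested dicts.

    Block headers like 'ethernet eth0 {' become the key 'ethernet eth0';
    leaf lines like 'default-action drop' become key/value pairs.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"') if value else True
    return root


def audit_config(text):
    """Return a list of human-readable findings (empty list means clean)."""
    cfg = parse_edgeos(text)
    findings = []

    # 1. The factory account must be gone once unique credentials are set.
    login = cfg.get("system", {}).get("login", {})
    if f"user {DEFAULT_ACCOUNT}" in login:
        findings.append(f"default account '{DEFAULT_ACCOUNT}' still exists")

    # 2. Every WAN-facing interface needs a 'local' ruleset that drops by
    #    default and only accepts management ports from named sources.
    rulesets = cfg.get("firewall", {})
    for key, iface in cfg.get("interfaces", {}).items():
        if not key.startswith("ethernet ") or not isinstance(iface, dict):
            continue
        if "WAN" not in str(iface.get("description", "")).upper():
            continue  # assumption: WAN uplinks carry 'WAN' in their description
        name = key.split()[1]
        local_name = iface.get("firewall", {}).get("local", {}).get("name")
        if not local_name:
            findings.append(f"{name}: no 'local' ruleset bound; router services reachable from WAN")
            continue
        ruleset = rulesets.get(f"name {local_name}", {})
        if ruleset.get("default-action") != "drop":
            findings.append(f"{name}: ruleset {local_name} default-action is not drop")
        for rkey, rule in ruleset.items():
            if not rkey.startswith("rule ") or not isinstance(rule, dict):
                continue
            if rule.get("action") != "accept":
                continue
            ports = set(str(rule.get("destination", {}).get("port", "")).split(","))
            exposed = ports & MGMT_PORTS
            if exposed and "source" not in rule:
                findings.append(
                    f"{name}: {local_name} {rkey} accepts management port(s) "
                    f"{sorted(exposed)} from any source")
    return findings


# Constructed sample: factory account kept, WAN_LOCAL accepts by default,
# SSH open to the whole Internet.
WEAK_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action accept
        rule 20 {
            action accept
            destination {
                port 22
            }
            protocol tcp
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""

# Constructed sample: unique admin account, drop-by-default ruleset, SSH only
# from one documentation-range management host (203.0.113.10).
HARDENED_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            source {
                address 203.0.113.10/32
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
system {
    login {
        user netadmin {
            level admin
        }
    }
}
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit_config(text))} finding(s)")
        for finding in audit_config(text):
            print("  -", finding)
```

Run it against `show configuration` output saved from a router (after a factory reset and firmware upgrade, as the list above recommends) to confirm the rebuilt configuration no longer carries the `ubnt` account or an unrestricted management rule on the WAN side. The parser is deliberately small and only understands the brace layout shown; exotic constructs would need a fuller grammar.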

The Rise of Router-Based Attacks

The emergence of APT28's MooBot botnet and similar incidents highlight a growing trend among nation-state hackers who utilize routers as launching pads for their malicious activities. Routers provide an attractive target for hackers due to their wide distribution and central role in network infrastructure. Previous examples of router-based botnets include VPNFilter, Cyclops Blink, and KV-botnet.

Conclusion

The recent advisory serves as a reminder that firmware security is of utmost importance in protecting network infrastructure. Organizations utilizing Ubiquiti EdgeRouters should promptly implement the recommended protective measures to mitigate the risks associated with the APT28 group's activities. By staying vigilant and proactive, users can significantly reduce the potential impact of such cyber threats.

Disclaimer: The information provided in this article is based solely on the joint advisory issued by cybersecurity and intelligence agencies. Readers are encouraged to follow official guidelines and consult with relevant experts to ensure the security of their network infrastructure.
