Russian hackers exploit Ubiquiti routers in covert cyberattacks, FBI warns
Routers will not auto-update firmware unless configured to do so
The Federal Bureau of Investigation (FBI) has issued a warning regarding the use of compromised Ubiquiti EdgeRouters by Russian state-backed hackers, unveiling a sophisticated network of cyber warfare aimed at governments and organisations globally.
The advisory, jointly issued by the FBI, the National Security Agency (NSA), US Cyber Command, and numerous international agencies, details the activities of a threat group associated with Russia's military intelligence, widely known as APT28 or Fancy Bear.
According to the FBI, Russian hackers have weaponised compromised EdgeRouters to orchestrate a series of cyberattacks, encompassing the theft of sensitive information, hosting spear-phishing landing pages, and deploying custom tools.
Despite recent efforts by the US Department of Justice to disrupt a botnet consisting primarily of these compromised routers, the threat persists.
"No part of a system is immune to threats," said Rob Joyce, NSA's Director of Cybersecurity.
"As we have seen, adversaries have exploited vulnerabilities in servers, in software, in devices that connect to systems, in user credentials, in any number of ways. Now, we see Russian state-sponsored cyber actors abusing compromised routers and we are joining this CSA to provide mitigation recommendations."
The FBI advisory notes that Ubiquiti EdgeRouters are popular because they are easy to use; they run a Linux-based operating system and are typically shipped with default login credentials and minimal firewall protections.
Moreover, the EdgeRouters do not automatically update firmware unless specifically configured by the user to do so.
The agencies detail instances dating back to 2022, wherein APT28 hackers leveraged compromised EdgeRouters to advance their operations across diverse sectors, including aerospace, defense, energy, utilities, and transportation, spanning multiple countries.
Of particular concern are the targeted zero-day vulnerabilities, such as the critical elevation-of-privilege flaw in Microsoft Outlook on Windows (CVE-2023-23397), leveraged by threat actors to extract NTLMv2 digests from targeted accounts.
The advisory underscores the necessity for organisations to promptly update Microsoft Outlook to mitigate this vulnerability and consider disabling NTLM or implementing enhanced authentication configurations to mitigate NTLM relay attacks.
It warns that with root access to compromised Ubiquiti EdgeRouters, APT28 actors possess unfettered control over Linux-based operating systems, enabling them to install tooling and obfuscate their identities while conducting malicious campaigns.
The security agencies now urge owners of EdgeRouters to fortify their defences and prevent further exploitation. Merely rebooting a compromised EdgeRouter will not eradicate the malware, according to the advisory. Instead, remediation efforts must include a hardware factory reset, firmware upgrades, password changes, and strategic firewall implementations to mitigate risks effectively.
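The remediation steps above (new credentials and a deliberate firewall policy on the WAN side) can be checked mechanically against a router's saved configuration. The following script is an added example, not code from the advisory or from Ubiquiti: it parses a brace-delimited configuration in the style EdgeOS uses (the syntax, the `firewall local` attachment point and the factory default account name are assumptions about EdgeOS, not text from the page) and reports whether the default account is still present, whether the WAN interface has a ruleset guarding the router itself, and whether that ruleset drops unsolicited traffic by default. Both sample configurations are constructed.

```python
"""Audit an EdgeOS-style router configuration for the weaknesses the
advisory calls out: a factory default account left in place, a WAN-facing
interface with no 'firewall local' ruleset guarding the router itself, and
a ruleset that does not drop unsolicited traffic by default.  Added example:
the config syntax and the default account name are assumptions about
EdgeOS, and both configs below are constructed samples.
"""

# Assumption: the EdgeOS factory default account name. Adjust for your fleet.
DEFAULT_ACCOUNT = "ubnt"

# Constructed sample: a router still close to factory state.
WEAK_CONFIG = """
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password $6$CONSTRUCTED
            }
        }
    }
}
"""

# Constructed sample: the same router after a reset, with a new admin
# account and a default-drop ruleset bound to the WAN interface.
HARDENED_CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
system {
    login {
        user netops {
            authentication {
                encrypted-password $6$CONSTRUCTED
            }
        }
    }
}
"""


def parse(text):
    """Parse nested 'header {' ... '}' blocks into dicts.  A leaf line maps
    its first word to the rest of the line (e.g. 'default-action' -> 'drop')."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            node = stack.pop()          # close the current block
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child                # descend into the new block
        else:
            key, _, value = line.partition(" ")
            node[key] = value
    return root


def audit(text, wan_interface="eth0"):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse(text)
    findings = []
    users = cfg.get("system", {}).get("login", {})
    if f"user {DEFAULT_ACCOUNT}" in users:
        findings.append(f"factory default account '{DEFAULT_ACCOUNT}' still present")
    iface = cfg.get("interfaces", {}).get(f"ethernet {wan_interface}", {})
    ruleset = iface.get("firewall", {}).get("local", {}).get("name")
    if ruleset is None:
        findings.append(f"{wan_interface}: no 'firewall local' ruleset protects the router itself")
        return findings
    rules = cfg.get("firewall", {}).get(f"name {ruleset}")
    if rules is None:
        findings.append(f"{wan_interface}: ruleset {ruleset} is referenced but never defined")
    elif rules.get("default-action") != "drop":
        findings.append(f"ruleset {ruleset}: default-action is not drop")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The `firewall local` check matters more than a LAN-to-WAN policy here: the advisory's concern is the router's own management plane being reachable, so the ruleset attached as `local` on the WAN interface is the one that decides whether unsolicited inbound connections ever reach the device.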
The security agencies underscore the importance of timely patching and adopting secure-by-design principles to safeguard networks against malicious actors.
"Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats," the advisory says.
"For CVE-2023-23397, updating Microsoft Outlook mitigates the vulnerability. To mitigate other forms of NTLM relay, all network owners should consider disabling NTLM when feasible, or enabling server signing and Extended Protection for Authentication configurations."
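The NTLM controls the advisory lists (disabling NTLM where feasible, requiring server signing, and enforcing Extended Protection for Authentication) are all expressed on Windows hosts as registry-backed policy values, so an exported registry snapshot is enough to verify them. The script below is an added example and not part of the advisory: it parses a `.reg` export and compares the relevant DWORDs to the strict settings. The value names, key paths and recommended values are Microsoft's documented policy settings as I know them, not text from the page; the export itself is a constructed sample from a hypothetical domain controller, and the two LDAP values exist only on domain controllers.

```python
"""Check a Windows registry export (.reg text) for the NTLM hardening the
advisory recommends: refusing legacy LM/NTLM responses, restricting NTLM in
both directions, requiring SMB and LDAP server signing, and enforcing LDAP
channel binding (Extended Protection for Authentication for LDAP).  Added
example; value names and thresholds are Microsoft's documented policy
settings, and the export below is a constructed sample.
"""
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
MSV = LSA + r"\MSV1_0"
SMB = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
NTDS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

# value name -> (key, minimum acceptable DWORD, what that setting means)
EXPECTED = {
    "LmCompatibilityLevel": (LSA, 5, "send NTLMv2 only, refuse LM and NTLM"),
    "RestrictSendingNTLMTraffic": (MSV, 2, "deny outgoing NTLM to remote servers"),
    "RestrictReceivingNTLMTraffic": (MSV, 2, "deny incoming NTLM for all accounts"),
    "RequireSecuritySignature": (SMB, 1, "SMB server signing required"),
    "LDAPServerIntegrity": (NTDS, 2, "LDAP signing required (domain controllers)"),
    "LdapEnforceChannelBinding": (NTDS, 2, "LDAP channel binding always enforced"),
}

# Constructed sample: a partially hardened domain controller.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictSendingNTLMTraffic"=dword:00000001
"AuditReceivingNTLMTraffic"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"LDAPServerIntegrity"=dword:00000002
"LdapEnforceChannelBinding"=dword:00000001
"""

VALUE_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})')


def parse_reg(text):
    """Return {(key, value_name): int} for every dword value in the export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # section header names the key
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def audit(reg_text):
    """Return findings for values that are missing or weaker than EXPECTED.
    Every setting here is stricter at higher numbers, so '<' is sufficient."""
    found = parse_reg(reg_text)
    findings = []
    for name, (key, minimum, meaning) in EXPECTED.items():
        actual = found.get((key, name))
        if actual is None:
            findings.append(f"{name}: not set (want {minimum}: {meaning})")
        elif actual < minimum:
            findings.append(f"{name}: {actual} (want {minimum}: {meaning})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Note that `RestrictSendingNTLMTraffic` set to 2 is the "disable NTLM when feasible" step and will break any client still relying on NTLM, which is why the lower audit-only value (1) is the usual first stage. Extended Protection for Authentication on HTTP services such as IIS or Exchange is configured per site rather than in these keys, so this check covers only the LDAP side.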