A joint Cybersecurity Advisory (CSA) issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command and international partners has raised alarms regarding Russian state-sponsored cyber actors’ exploitation of compromised Ubiquiti EdgeRouters.
Identified as the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), these actors, also known as APT28, Fancy Bear and Forest Blizzard (Strontium), have utilized compromised EdgeRouters to harvest credentials, proxy network traffic and host spear-phishing landing pages and custom tools.
“There are a number of reasons EdgeRouters are particularly vulnerable to compromise,” explained Patrick Tiquet, vice president of security & architecture at Keeper Security. “EdgeRouters are shipped with vulnerable default login settings; they lack robust firewall settings and rely on manual firmware updates.”
In an advisory published on Tuesday, the agencies emphasized the urgency for owners of affected devices to take remedial actions to thwart these malicious activities effectively. Despite recent disruption of a GRU botnet by the US Department of Justice and its international partners, the CSA stressed the necessity of implementing recommended mitigations to safeguard against future compromises and identify existing ones.
Ubiquiti EdgeRouters, known for their user-friendly Linux-based operating system, are vulnerable due to default credentials and limited firewall protections, making them appealing targets for cyber actors.
“Another issue is that the EdgeRouter itself provides a perfect position within the network for threat actors to either move laterally or to enable more advanced command-and-control functions for achieving their objectives,” commented John Gallagher, vice president of Viakoo Labs at Viakoo.
“Application-based discovery that finds IoT applications and devices can be a useful tool in finding if the IoT router is communicating with unauthorized applications.”
Because of these dangers, the CSA urged the immediate application of mitigation strategies outlined in the advisory to mitigate the risks associated with APT28 activity.
More generally, the document underscores the wide-ranging impact of APT28’s activities, targeting industries ranging from aerospace and defense to technology across various countries, including the US and Ukraine. Exploiting vulnerabilities such as CVE-2023-23397 to collect NTLMv2 digests from targeted Outlook accounts, these actors have persisted in their malicious endeavors despite patch releases by organizations like Microsoft.
Read more on these attacks: Russian APT28 Exploits Outlook Bug to Access Exchange
To combat these threats effectively, network owners are advised to conduct hardware factory resets, update firmware, change default credentials and implement robust firewall rules. Additionally, timely patching and disabling vulnerable protocols like NTLM are crucial steps in mitigating risks posed by such cyber threats.
The FBI also seeks collaboration from organizations and individuals to report any suspicious or criminal activities related to APT28’s operations on compromised EdgeRouters.
Image credit: rafapress / Shutterstock.com