US government disrupts Russian-linked botnet engaged in cyber espionage

The US government said Thursday it has disrupted a botnet consisting of hundreds of small office and home office (SOHO) routers in the country that was used by the Russia-linked APT28 actor to hide its malicious activities.

“These crimes include large-scale spear-phishing and similar credential collection campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations,” the U.S. Department of Justice (DoJ) said in a statement.

APT28, also tracked as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy and TA422, is believed to be linked to Unit 26165 of the Russian Main Directorate of Defense General Staff (GRU). It is known to have been active since at least 2007.

Court documents allege that the attackers carried out their cyberespionage campaigns by relying on MooBot, a Mirai-based botnet that selected Ubiquiti-made routers to co-opt them into a network of devices that could be modified to act as proxies, passing malicious traffic while shielding their actual IP addresses.

The botnet, the DoJ said, allowed the threat actors to mask their true location and collect credentials and NT LAN Manager (NTLM) v2 hashes via custom scripts, as well as to host spear-phishing landing pages and other custom tools for brute-forcing passwords, stealing passwords from router users, and spreading the MooBot malware to other devices.

In a redacted affidavit filed by the US Federal Bureau of Investigation (FBI), the agency says MooBot exploits vulnerable and publicly accessible Ubiquiti routers by using default credentials and implanting an SSH malware that allows persistent remote access to the device.

“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that were still using commonly known default administrative passwords,” the DoJ explained. “GRU hackers then used the Moobot malware to install their own custom scripts and files that repurposed the botnet, turning it into a global cyberespionage platform.”

The APT28 actors are suspected of finding and illegally gaining access to compromised Ubiquiti routers by running public scans of the Internet using a specific OpenSSH version number as a search parameter and then using MooBot to access those routers.

The hacking group’s spear-phishing campaigns have also used a then-zero-day in Outlook (CVE-2023-23397) to siphon credentials and send them to the routers.

“In another identified campaign, APT28 actors designed a fake Yahoo! landing page to send the credentials entered on the fake page to a compromised Ubiquiti router so that they could be collected by APT28 actors at their leisure,” the FBI said.

As part of efforts to disrupt the botnet in the US and prevent further crime, a series of unspecified commands have been issued to copy the stolen data and malicious files before deletion, and to adjust firewall rules to block external access from APT28 to the routers.

The precise number of devices compromised in the US has been redacted, although the FBI noted that this could change. Infected Ubiquiti devices have been detected in “almost every state,” it added.

The court-approved operation – also called Dying Ember – comes just weeks after the US dismantled another state-sponsored hacking campaign, this one from China, that used a botnet codenamed KV-botnet to attack critical infrastructure facilities.

Last May, the US also announced the dismantling of a global network compromised by an advanced malware strain called Snake, used by hackers, also known as Turla, who are associated with Russia’s Federal Security Service (FSB).


