Cybersecurity Agencies Issue Warning: APT28's MooBot Threat

admin, 29 February 2024 12:22:30 · Comments · 25 views · 3,866 characters · 12 min 53 s read


In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember.


The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia's Main Directorate of the General Staff (GRU), has been active since at least 2007.


APT28 actors have "used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools," the authorities said in the advisory (PDF).


The adversary's use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation sectors in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.


MooBot attacks entail targeting routers with default or weak credentials to deploy OpenSSH trojans; APT28 then acquires this access to deliver bash scripts and other ELF binaries that collect credentials, proxy network traffic, host phishing pages, and provide other tooling.


This includes Python scripts to upload account credentials belonging to specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.


APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a now-patched critical privilege escalation flaw in Microsoft Outlook that could enable the theft of NT LAN Manager (NTLM) hashes and allow a relay attack without requiring any user interaction.


Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines utilizing compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.


"With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns," the agencies noted.


Organizations are recommended to perform a hardware factory reset of the routers to flush file systems of malicious files, upgrade to the latest firmware version, change default credentials, and implement firewall rules to prevent exposure of remote management services.

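As an added illustration of the last recommendation above (this is not configuration from the advisory or from Ubiquiti), the EdgeOS CLI session below drops all traffic addressed to the router itself on the WAN interface except replies to sessions the router opened, so SSH, the web UI and any other management service are reachable only from the LAN side. The interface name eth0 and the ruleset name WAN_LOCAL are assumptions for this example.

```text
configure

# Ruleset for packets destined to the router itself (the "local" hook).
# Default action: drop anything arriving from the WAN that targets the router.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'Block remote management from WAN'

# Rule 10: allow replies to connections the router itself initiated
# (firmware update checks, DNS lookups, NTP).
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

# Rule 20: log and drop packets that belong to no known connection.
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 20 log enable

# Bind the ruleset to the WAN interface's local hook (eth0 assumed to be WAN).
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
exit
```

Because WAN_LOCAL contains no accept rule for TCP 22, 80 or 443, the SSH and web management services cannot be reached from the internet, while LAN interfaces, which are not bound to this ruleset, keep management access; `show firewall name WAN_LOCAL` confirms the active rules after the commit.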

The revelations are a sign that nation-state hackers are increasingly using routers as a launchpad for attacks, using them to create botnets such as VPNFilter, Cyclops Blink, and KV-botnet and conduct their malicious activities.


The bulletin arrives a day after the Five Eyes nations called out APT29 – the threat group affiliated with Russia's Foreign Intelligence Service (SVR) and the entity behind the attacks on SolarWinds, Microsoft, and HPE – for employing service accounts and dormant accounts to access cloud environments at target organizations.


Originally published by the WeChat official account 知机安全 under the title "Cybersecurity Agencies Issue Warning: APT28's MooBot Threat".
