admin, February 29, 2024 12:22:30


In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember.

The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia's Main Directorate of the General Staff (GRU), has been active since at least 2007.


APT28 actors have "used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools," the authorities said [PDF].


The adversary's use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation sectors in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.


MooBot attacks entail targeting routers with default or weak credentials to deploy OpenSSH trojans, with APT28 acquiring this access to deliver bash scripts and other ELF binaries that collect credentials, proxy network traffic, host phishing pages, and provide other tooling.


This includes Python scripts to upload account credentials belonging to specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.


APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a now-patched critical privilege escalation flaw in Microsoft Outlook that could enable the theft of NT LAN Manager (NTLM) hashes and the mounting of a relay attack without requiring any user interaction.

Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines utilizing compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.

"With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns," the agencies noted.

Organizations are recommended to perform a hardware factory reset of the routers to flush file systems of malicious files, upgrade to the latest firmware version, change default credentials, and implement firewall rules to prevent exposure of remote management services.
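As an added illustration of the last two mitigations (this is not code from the advisory or from Ubiquiti), the following Python script parses a constructed EdgeOS-style configuration and flags the default `ubnt` account and any addressed interface that exposes the SSH or web GUI service without a local firewall policy. The `ubnt` username, the sample configuration and the "no local firewall policy means exposed" heuristic are assumptions made for the example.

```python
import re

# Constructed EdgeOS (Vyatta-style) config fragment used as sample input; not from the advisory.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth0 { address dhcp }
    ethernet eth1 {
        address 192.168.1.1/24
        firewall { local { name LAN_LOCAL } }
    }
}
service {
    gui { https-port 443 }
    ssh { port 22 }
}
system { login { user ubnt { level admin } } }
"""

def parse(text):
    """Turn brace-delimited config text into nested dicts; leaf lines become key -> value."""
    node = root = {}
    stack, pending = [], []
    for tok in re.findall(r"\{|\}|\n|[^\s{}]+", text):
        if tok == "{":                      # e.g. "ethernet eth0 {" opens a child block
            stack.append(node)
            node = node.setdefault(" ".join(pending), {})
            pending = []
        elif tok in ("}", "\n"):            # end of a leaf line and/or of a block
            if pending:
                node[pending[0]] = " ".join(pending[1:])
                pending = []
            if tok == "}":
                node = stack.pop()
        else:
            pending.append(tok)
    return root

def audit(cfg):
    """Flag the default account and management services on interfaces lacking a local firewall policy."""
    findings = []
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("default 'ubnt' account still present; create a renamed admin user and delete it")
    mgmt = [s for s in ("ssh", "gui") if s in cfg.get("service", {})]
    for name, iface in cfg.get("interfaces", {}).items():
        # Assumption: an addressed interface with no 'firewall local' policy exposes ssh/gui.
        if mgmt and "address" in iface and "local" not in iface.get("firewall", {}):
            findings.append(f"{name}: {'/'.join(mgmt)} reachable with no local firewall policy attached")
    return findings
```

Running `audit(parse(SAMPLE_CONFIG))` on the sample reports the `ubnt` account and the unprotected `eth0` interface, while `eth1`, which has a local policy attached, is not flagged.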


The revelations are a sign that nation-state hackers are increasingly using routers as a launchpad for attacks, using them to create botnets such as VPNFilter, Cyclops Blink, and KV-botnet and conduct their malicious activities.

The bulletin arrives a day after the Five Eyes nations called out APT29 – the threat group affiliated with Russia's Foreign Intelligence Service (SVR) and the entity behind the attacks on SolarWinds, Microsoft, and HPE – for employing service accounts and dormant accounts to access cloud environments at target organizations.
