Feds: Russia-Sponsored Attackers Exploit Ubiquiti Routers, Microsoft Outlook

Google’s Mandiant subsidiary and Microsoft Threat Intelligence contributed to the advisory.

A group of cybersecurity agencies warned that a Russia-sponsored group is using compromised Ubiquiti EdgeRouters to harvest credentials, host spear-phishing landing pages and conduct other malicious cyber operations, while also continuing to exploit an already-patched Microsoft Outlook vulnerability.

The joint cybersecurity advisory (CSA), published Tuesday by the FBI, the National Security Agency (NSA), U.S. Cyber Command and international partners including the United Kingdom, South Korea and Brazil, attributes the activity to the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS). It says owners of compromised EdgeRouters should start by performing a hardware factory reset, which flushes the actors' files from the device's file system, before applying the rest of the recommended protections.



FBI Partners ID Ubiquiti EdgeRouter Attacks

CRN has reached out to Ubiquiti and Microsoft for comment.

After the reset, compromised EdgeRouter owners should upgrade to the latest firmware version, change any default usernames and passwords, and implement strategic firewall rules on wide area network (WAN)-side interfaces to prevent unwanted exposure of remote management services, according to the advisory. The factory reset restores the device's default credentials, so changing them afterward is not optional.
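The following is an added example, not text from the advisory or from Ubiquiti, of what those two mitigations look like in EdgeOS configuration-mode syntax: a replacement admin account so the default ubnt user can be deleted, and a WAN_LOCAL rule set that drops all unsolicited traffic from the internet to the router itself. The interface name eth0, the rule set name WAN_LOCAL, the user name netadmin and the password are placeholders that must be adapted to the router in question.

```text
# EdgeOS configure mode. Run after the factory reset and firmware upgrade,
# from a console or LAN-side session, never across the WAN.
configure

# 1. Replace the default 'ubnt' account (restored by the reset). Create a
#    new admin first, reconnect as that user, then delete 'ubnt'.
#    'netadmin' and the password are placeholders.
set system login user netadmin level admin
set system login user netadmin authentication plaintext-password 'CHANGE-ME-long-random'
commit ; save
# ... log out, log back in as netadmin, then:
delete system login user ubnt

# 2. WAN_LOCAL governs traffic from the WAN to the router itself. Default
#    deny; only replies to connections the router started are accepted, so
#    SSH and the web UI are no longer reachable from the internet.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
# eth0 is assumed to be the WAN interface; check with 'show interfaces'.
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit ; save ; exit
```

Apply the `local` rule set to every WAN-facing interface, not just eth0, and verify from an outside address that the SSH and HTTPS ports no longer answer before relying on it.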

“Given the global popularity of EdgeRouters, the FBI and its international partners urge EdgeRouter network defenders and users to apply immediately the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents associated with APT28 activity,” according to the advisory.

The GTsSS is also tracked as APT28, Fancy Bear, Forest Blizzard and Strontium.

The group has used compromised EdgeRouters since at least 2022 to conduct attacks against governments, militaries, educational institutions, oil and gas companies, retailers and other types of organizations. Targets have been identified in Ukraine, Jordan, Turkey, Italy and other countries worldwide, according to the advisory.

The GTsSS has accessed EdgeRouters already compromised by Moobot, a Mirai-based botnet that gets onto routers still using default administrator credentials and replaces their legitimate OpenSSH server binaries with trojanized versions, giving the actors remote access. The group has also exploited the Microsoft Outlook vulnerability CVE-2023-23397, which makes Outlook authenticate to an attacker-controlled server when it processes a specially crafted message, to collect NTLM authentication hashes (digests) from targeted accounts.

Although Microsoft patched the vulnerability, “FBI investigation revealed APT28 actors have continued to exploit CVE-2023-23397 to leak NTLM digests to actor controlled infrastructure,” according to the advisory.

Publicly available tools such as Impacket's ntlmrelayx.py and Responder, run on the compromised Ubiquiti routers, have let the threat actors execute NTLM relay attacks and host rogue authentication servers that capture the leaked credentials, according to the advisory.

For those looking for indicators that their EdgeRouters are compromised, the FBI said that the threat actors' custom Python scripts are usually stored alongside their related log files in a user's home directory. An FBI-created YARA rule, included in the advisory, can locate the credential collection scripts on compromised EdgeRouters.

Defenders can also query network traffic for connections to api[.]anti-captcha[.]com, the API endpoint of a CAPTCHA-solving service the actors use to get past CAPTCHAs on webmail login pages. The advisory lists further steps defenders can take to check whether their routers are compromised.
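A small hunt for the two indicators described above, as an added example; it is not the FBI's YARA rule and not code from the advisory. It checks a resolver log for lookups of the anti-captcha API host, taking care that a lookalike name with extra trailing labels does not match, and walks a home-directory tree for Python scripts that sit next to log files. The log format, the file names and the home-directory layout are constructed for the example, and the home-directory check is a triage heuristic that will flag benign scripts too.

```python
"""Hunt for two EdgeRouter compromise indicators described in the advisory.

Added example, not the FBI's YARA rule and not code from the advisory:
  1. lookups of api.anti-captcha.com in a DNS resolver log, and
  2. Python scripts that sit next to .log files under users' home directories.
"""
import os
import tempfile
from pathlib import Path

# Indicator named in the advisory.
ANTI_CAPTCHA_HOST = "api.anti-captcha.com"

# Constructed resolver log (not real traffic). Assumed format:
# "<timestamp> <client_ip> <query_name>", one query per line.
SAMPLE_DNS_LOG = """\
2024-02-27T10:01:02Z 192.168.1.20 www.ubnt.com
2024-02-27T10:01:09Z 192.168.1.1 api.anti-captcha.com
2024-02-27T10:02:15Z 192.168.1.1 api.anti-captcha.com.
2024-02-27T10:03:30Z 192.168.1.44 api.anti-captcha.com.attacker.example
2024-02-27T10:04:00Z 192.168.1.20 mail.example.org
"""


def normalize_qname(name: str) -> str:
    """Strip the trailing dot resolvers add and lower-case the name."""
    return name.rstrip(".").lower()


def is_anti_captcha(qname: str) -> bool:
    """Exact host or a label underneath it. A lookalike with extra trailing
    labels (api.anti-captcha.com.attacker.example) must not match."""
    q = normalize_qname(qname)
    return q == ANTI_CAPTCHA_HOST or q.endswith("." + ANTI_CAPTCHA_HOST)


def find_anti_captcha_lookups(log_text: str):
    """Return (timestamp, client_ip, qname) for every matching query.
    On an EdgeRouter the interesting client is the router's own address,
    because the actors' scripts run on the device itself."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than abort the hunt
        ts, client, qname = parts[0], parts[1], parts[2]
        if is_anti_captcha(qname):
            hits.append((ts, client, normalize_qname(qname)))
    return hits


def find_scripts_with_logs(home_root: Path):
    """Return every .py file that has a .log file in the same directory,
    searching each user's home under home_root (hidden dirs included).
    Heuristic built from the advisory's note that the actors' scripts are
    stored alongside their log files; expect benign hits and triage them."""
    findings = []
    for user_dir in sorted(p for p in home_root.iterdir() if p.is_dir()):
        for dirpath, _dirs, files in os.walk(user_dir):
            if not any(f.endswith(".log") for f in files):
                continue
            for f in sorted(files):
                if f.endswith(".py"):
                    findings.append(Path(dirpath) / f)
    return findings


def build_demo_home() -> Path:
    """Construct a throwaway /home lookalike so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="edgerouter-home-"))
    (root / "ubnt").mkdir()
    (root / "ubnt" / ".bashrc").write_text("# benign\n")
    cache = root / "operator" / ".cache"
    cache.mkdir(parents=True)
    (cache / "collect.py").write_text("# placeholder script body\n")
    (cache / "collect.log").write_text("")
    (root / "operator" / "notes.py").write_text("# no log beside this one\n")
    return root


if __name__ == "__main__":
    for ts, client, qname in find_anti_captcha_lookups(SAMPLE_DNS_LOG):
        print(f"DNS  {ts} {client} -> {qname}")
    for path in find_scripts_with_logs(build_demo_home()):
        print(f"FILE {path}")
```

On a real router, point `find_scripts_with_logs` at `/home` and feed `find_anti_captcha_lookups` the resolver or proxy log you actually keep; the suffix match is the part worth keeping, since a naive substring search would both miss the trailing-dot form and match the attacker-controlled lookalike.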

If you find evidence of GTsSS activity on a router, the FBI asks that you contact a local field office or the Internet Crime Complaint Center (IC3).