Russian hackers take control of Ubiquiti routers for proxy network


TLDR:

Key Points:

  • Russian hackers, including APT28 (Fancy Bear), are actively hijacking Ubiquiti routers to use as a proxy network for attacks.
  • APT28 has been exploiting routers since 2022, using tactics such as NTLM relay attacks and trojanized OpenSSH backdoors.

In a recent report, cybersecurity researchers from various agencies have uncovered that Russian hackers, specifically APT28 (Fancy Bear), are using Ubiquiti routers to carry out proxy network attacks. The hackers target the routers to support credential theft, collection of NTLMv2 digests, proxying, and spear-phishing. Despite efforts to disrupt the GRU botnet, device owners are urged to take immediate steps for continued protection.

The hackers have been accessing compromised routers through the Moobot botnet, utilizing zero-day vulnerabilities like CVE-2023-23397 to exploit NTLMv2 digests. APT28 has been leveraging Impacket ntlmrelayx.py and Responder for these attacks, operating covertly on Linux systems. To defend against these threats, the FBI recommends actions such as factory resetting routers, updating firmware, and changing default credentials.
