Cyber Security News

Hackers Use Compromised Routers to Attack Government Organizations

Attackers continue to use compromised routers as malicious infrastructure to target government organizations in Europe and the Caucasus region.

APT28 threat actors (also known as Sofacy, Fancy Bear, etc.) were behind this malicious espionage effort, according to the Ukrainian government’s computer emergency and incident response team (CERT-UA).

The campaign used spear-phishing to lure users into visiting a remote HTML page and opening a Windows shortcut, which in turn distributed a credential stealer (STEELHOOK), remote execution tools (MASEPIE, OCEANMAP), and a publicly available reconnaissance and credential-harvesting toolkit (Impacket).

“We believe with high confidence that the malicious infrastructure leveraged in this campaign is notably (and likely mainly) built from legitimate compromised Ubiquiti network devices,” HarfangLab shared with Cyber Security News.

How is the Attack Executed?

The threat actor sent phishing emails to the selected individuals from previously compromised email accounts. Links in those emails led to malicious web pages that showed the target a blurred preview of a document and prompted them to click a button to view it.

Blurred document on a malicious Web page

The document images served by these malicious websites carried the following titles:

  • Official Information of Azerbaijan Defense Ministry;
  • Holidays and Observances in Ukraine 2024;
  • KFP.311.152.2023 (from “Państwowe Gospodarstwo Wodne Wody Polskie,” the Polish national water administration);
  • “Рекомендації робочих груп експертів до Стратегії освіти і науки України” (in Ukrainian, approximately “Recommendations of the expert working groups on the education and science strategy of Ukraine”).

After clicking through the link in the phishing email and the landing page, targets were presented with a genuine Windows Explorer window. That window typically contained an LNK file disguised as a document (using a document icon and a double extension).

If the target opened the displayed LNK, a Python interpreter and a malicious payload script (MASEPIE) were downloaded and executed, and a decoy document was displayed.
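The double-extension disguise described above is easy to check for on a file listing. The following triage helper is an added example, not code from the article, CERT-UA or HarfangLab; the document-extension list and the sample filenames are constructed for illustration.

```python
"""Flag Windows shortcut (.lnk) files whose names mimic documents.

Added example (not from the article or its sources): a small triage helper
for the double-extension LNK disguise used in the infection chain.
"""
from pathlib import PurePath

# Extensions a shortcut is commonly dressed up as (assumed list, extend as needed)
DOCUMENT_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf",
}


def suspicious_lnk(name: str) -> bool:
    """Return True when `name` is a .lnk whose base name carries a document extension.

    "Report.pdf.lnk" -> True; "Report.lnk" -> False; "Report.pdf" -> False.
    Comparison is case-insensitive, so "Report.DOCX.LNK" is also flagged.
    """
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if not suffixes or suffixes[-1] != ".lnk":
        return False
    # Any earlier suffix that looks like a document marks a disguise attempt.
    return any(s in DOCUMENT_EXTENSIONS for s in suffixes[:-1])


def triage(names: list[str]) -> list[str]:
    """Return the names matching the disguised-LNK pattern, in input order."""
    return [n for n in names if suspicious_lnk(n)]


# Constructed sample listing, modelled on the lure titles from the article.
SAMPLE_LISTING = [
    "Holidays and Observances in Ukraine 2024.pdf.lnk",
    "notes.txt",
    "shortcut to desktop.lnk",
    "KFP.311.152.2023.docx.LNK",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING):
        print("suspicious:", hit)
```

Run it over a directory listing or a file-creation log column; a hit on a user-writable path such as Downloads is worth a closer look at the LNK target.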

MASEPIE is a malicious Python script that provides basic remote command execution and file transfer on compromised systems. In the infection chain it is the first stage launched when the malicious LNK is opened.

OCEANMAP is a malicious C#/.NET program that uses email as its C2 channel and enables remote command execution on targeted computers. Researchers could not directly link OCEANMAP to this campaign; they assess instead that a binary of this kind would have been deployed as a second stage following a MASEPIE infection.

The researchers found that compromised Ubiquiti network devices were being used as reverse proxies, command-and-control servers, and staging infrastructure for the infection files.

Researchers conclude with medium to high confidence that the campaign serves Russian interests, although non-state and/or non-Russian groups could still be the ones carrying it out.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
