Network Security

Russian Hackers Hijack Ubiquiti Routers To Proxy Network

Threat actors hijack routers to gain unauthorized access to network traffic. This enables them to monitor, manipulate, or intercept sensitive information. 

Besides this, various malicious activities also become easy to execute, such as eavesdropping, data theft, and many more.

Cybersecurity researchers at the FBI, NSA, US Cyber Command, and international partners – including authorities from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom recently unveiled that Russian hackers (APT28, Fancy Bear, and Forest Blizzard (Strontium)) are actively hijacking the Ubiquiti routers to perform the proxy network attacks.

While all the necessary security measures were taken to disrupt the GRU botnet, device owners were still urged to take necessary steps for lasting protection.

Hackers Hijack Ubiquiti Routers

Threat actors behind APT28 (Fancy Bear) target the routers for credential theft, NTLMv2 digests, proxying, and spear-phishing.

Though all the necessary security measures were taken to disrupt the GRU botnet, device owners were still urged to take necessary steps for lasting protection.

This advisory offers tactics, indicators, and recommendations against APT28’s EdgeRouter threat. Users are urged to apply mitigation steps immediately.

EdgeRouters are favored by both users and hackers due to a lack of default security measures and auto-updates.

Since 2022, APT28 used hacked EdgeRouters for global cyber operations. However, the FBI found APT28 accessed routers compromised by the Moobot botnet, housing Bash scripts and ELF binaries exploiting OpenSSH backdoors.

An FBI probe found APT28 used a zero-day (CVE-2023-23397) from 2022 to gather NTLMv2 digests from Outlook. Despite Microsoft’s patch, APT28 continued exploiting it to leak digests. 

They used Impacket and Responder on hacked Ubiquiti routers for NTLM relay attacks and rogue authentication servers. With router access, the APT28 operates covertly on Linux systems for malicious actions.

FBI shares Moobot OpenSSH trojan and APT28 IOCs on EdgeRouters, as this CSA helps users check for impacts. APT28 used default credentials and trojanized OpenSSH to breach routers. 

Moobot is a Mirai-based botnet that infects IoT devices via weak passwords. APT28 replaced legitimate binaries with trojanized ones, allowing bypassing authentication.

For malicious files on EdgeRouters, make sure to check Bash histories for downloads from packinstall[.]kozow[.]com, then inspect network traffic to this domain and refer to the provided file hash table. 

Besides this, the presence of /usr/lib/libu.a/ suggests a likely infection.

OpenSSH trojan on EdgeRouters adds malicious users systemd and systemx, modifies /etc/resolv.conf, and introduces a deceptive user-land process named .kworker. 

Here, the defenders can check for connections to FBI-identified domains and look for HTTP beacons following a specified form.

Here below we have mentioned all the domains that are identified:-

  • matbaiteahe[.]mooo[.]com
  • lalapoc[.]kozow[.]com
  • gneivaientga[.]ignorelist[.]com
  • antotehlant[.]theworkpc[.]com
  • onechoice[.]gleeze[.]com
  • mumucnc[.]kozow[.]com


Rebooting won’t remove the EdgeRouter malware, and due to this issue, the FBI advised to follow the mitigations provided by the security experts:-

  • Factory reset
  • Update firmware
  • Change default credentials
  • Set WAN-side firewall rules
  • Update the Outlook
  • Disable NTLM or enable server signing for NTLM relay defense.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Volkswagen Hacked – Hackers Stolen 19,000 Documents From VW Server

Volkswagen, one of the world's leading automotive manufacturers, has fallen victim to a sophisticated hacking…

4 hours ago

Beware Of Fake MetaMask Android Apps That Steal Login Details

Threat actors exploit fake Android apps primarily for illicit reasons, such as stealing sensitive and…

6 hours ago

CrushFTP Zero-Day Could Allow Attackers To Gain Complete Server Access

CrushFTP disclosed a zero-day vulnerability (CVE-2024-4040) affecting versions below 10.7.1 and 11.1.0. The vulnerability allows…

6 hours ago

IBM QRadar XSS Flaw Let Attackers Arbitrary JavaScript Code

A significant vulnerability was detected in IBM QRadar Suite Software and Cloud Pak for Security,…

6 hours ago

Seedworm Hackers Exploit RMM Tools to Deliver Malware

The notorious hacking group Seedworm, also known as MuddyWater, has been found exploiting legitimate remote…

6 hours ago

WordPress Plugin Flaw Exposes 10k+ Websites to Cyber Attacks

A critical vulnerability in the WP Datepicker WordPress plugin was identified, affecting over 10,000 active…

7 hours ago