Cyber Threat Alert: APT28 Targets Ubiquiti Routers

U.S. federal agencies, along with their international counterparts, have issued an advisory urging users to be aware of the risks associated with using Ubiquiti EdgeRouter devices. The warning follows the dismantling of the MooBot botnet, which was built from compromised routers.

The MooBot botnet, as reported by these agencies, was employed by the APT28 hacker group to conduct covert cyber operations and disseminate specialized malware. APT28’s activities have been documented since 2007.


APT28 exploited hacked EdgeRouter devices globally for credential harvesting, traffic redirection, and phishing page creation. The attacks, initiated in 2022, impacted numerous sectors of critical infrastructure across several countries, including the Czech Republic, Italy, and the United States.

MooBot’s operators gained access to routers protected by weak passwords and installed OpenSSH-based trojans on them. Once access was secured, APT28 used bash scripts and ELF binaries for data theft and phishing activities. The group also exploited a critical Microsoft Outlook vulnerability, CVE-2023-23397 (CVSS rating: 9.8), which allowed NTLM hashes to be stolen and attacks to be carried out without user interaction.

APT28’s arsenal included MASEPIE, a Python backdoor enabling command execution on victims’ computers using compromised Ubiquiti routers as a command and control (C2) infrastructure.

Agencies recommend organizations reset their routers to factory settings, update firmware, change passwords, and install firewalls to restrict remote access.
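Two of those recommendations (restricting remote access and not relying on passwords) can be checked against an EdgeRouter's exported configuration. The following audit script is an added example, not code from the advisory or from Ubiquiti; it assumes the Vyatta-style config.boot syntax EdgeOS uses, and the sample configuration embedded in it is constructed for the example.

```python
# Audit a Ubiquiti EdgeOS config.boot fragment (constructed for this example) for
# two conditions the advisory's mitigations target: password-based SSH logins
# and a WAN interface with no local firewall ruleset restricting remote access.
SAMPLE_CONFIG = """\
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
}
service {
    ssh {
        port 22
    }
}
"""

def parse_config(text):
    """Parse Vyatta-style brace syntax into nested dicts: 'key value' -> {key: value},
    a bare flag -> {key: True}, 'key [name] {' -> one nested dict per word."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):  # blank lines and comments
            continue
        if line.endswith("{"):
            stack.append(node)
            for word in line[:-1].split():
                node = node.setdefault(word, {})
        elif line == "}":
            node = stack.pop()
        else:
            key, _, value = line.partition(" ")
            node[key] = value or True
    return root

def audit(cfg):
    """Return findings; an empty list means both checks passed."""
    findings = []
    ssh = cfg.get("service", {}).get("ssh")
    # EdgeOS keeps password logins enabled unless this flag is set under 'service ssh'.
    if ssh is not None and "disable-password-authentication" not in ssh:
        findings.append("service ssh: password authentication is enabled")
    for name, iface in cfg.get("interfaces", {}).get("ethernet", {}).items():
        # Assumption: a DHCP address or a 'WAN' description marks the WAN side.
        is_wan = iface.get("address") == "dhcp" or "WAN" in str(iface.get("description", ""))
        if is_wan and "name" not in iface.get("firewall", {}).get("local", {}):
            findings.append(f"{name}: WAN interface has no 'firewall local' ruleset")
    return findings
```

Running `audit(parse_config(SAMPLE_CONFIG))` reports both weaknesses; once `disable-password-authentication` is set under `service ssh` and a `firewall local name` ruleset is attached to eth0, the list comes back empty.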

In July 2023, cybersecurity firm SSD Secure Disclosure disclosed a firmware vulnerability in Ubiquiti EdgeRouter and AirCube devices that allowed arbitrary code execution; it was addressed in subsequent updates. Devices still running outdated software, however, remain vulnerable.

In February 2024, U.S. authorities dismantled the MooBot botnet, which had been implicated in espionage and cyberattacks against American and international targets. The law enforcement operation, conducted in January, involved removing the malware from “over a thousand” home and office routers.