Source: securityboulevard.com – Author: Richi Jennings
Fancy Bear still hacking ubiquitous gear, despite patch availability.
Ubiquiti’s EdgeRouter ships with its config open to the internet and default credentials. The feds are telling everyone to secure their boxes and look for indications of compromise.
Ubiquiti, on the other hand, simply issued a broken patch. In today’s SB Blogwatch, we put the “quit” in Ubiquiti.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Om nom no.
GRU APT28 is Back Again
What’s the craic? Sergiu Gatlan reports—“Russian hackers hijack Ubiquiti routers”:
“Hacked EdgeRouters”
Military Unit 26165 cyberspies, part of Russia’s Main Intelligence Directorate of the General Staff (GRU) … are using these hijacked and very popular routers to build extensive botnets that help them steal credentials, collect NTLMv2 digests, and proxy malicious traffic. They’re also used to host custom tools and phishing landing pages throughout covert cyber operations targeting militaries, governments, and other organizations worldwide.
…
[So] the FBI says in a joint advisory issued with the NSA, the U.S. Cyber Command, and international partners. … The FBI is seeking information on APT28 activity on hacked EdgeRouters to prevent further use of these techniques and hold those responsible accountable. You should report any suspicious or criminal activities related to these attacks to your local FBI field office or the FBI’s Internet Crime Complaint Center.
Déjà vu? Lindsey O’Donnell-Welch explains why—“TTPs and IoCs for APT28”:
“CVE-2023-23397”
The advisory comes two weeks after the U.S. government announced that in January it had disrupted a botnet that was being used by … APT28. Law enforcement was able to neutralize the malware network made up of hundreds of Ubiquiti routers — but despite this disruption, the FBI this week said that device owners should still take remediation steps to prevent similar compromises.
…
As early as 2022 … threat actors used default credentials and Trojanized OpenSSH server processes in order to access the routers, which they then leveraged to collect credentials, proxy network traffic, and host malicious landing pages. They also leveraged various custom post-exploitation tools, including a Python backdoor … capable of executing arbitrary commands. [They also] targeted zero-day vulnerabilities, including … CVE-2023-23397, which they leveraged to collect NTLMv2 digests from targeted Outlook accounts, [and] installed publicly available tools … to assist with NTLM relay attacks.
Horse’s mouth? FBI IC3—“Russian Cyber Actors Use Compromised Routers”:
“Default credentials”
The U.S. Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers. However, owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises.
…
Ubiquiti EdgeRouters … are often shipped with default credentials and limited to no firewall protections. … Additionally, EdgeRouters do not automatically update firmware unless a consumer configures them to do so. … Rebooting a compromised EdgeRouter will not remove the existing malware.
Wait. Pause. Did you say “default credentials”??? sbradford26 waxes apoplectic:
Now that is half on users and half on Ubiquiti since you can’t allow default credentials to remain unless they are properly randomized. Ubiquiti has updated their software so when you configure an EdgeRouter, it requires that you change the default login.
And no firmware updates? Alas, poor Yorick Hunt knows it well: [You’re fired—Ed.]
Ubiquiti used to be my go-to source for smaller SMBs: They had very efficient and cost-effective hardware, and a development team who was always on the ball.
But no more — they’ve jumped aboard the “profit is king” train, lost their most devout and knowledgeable technical staff, and are … expecting customers to simply replace their hardware every couple of years. When a product which just went EOL last year hasn’t received a firmware update in almost seven years, you get a rather foul taste in your mouth that makes you look elsewhere. … Unlike a decade ago, Ubiquiti is far from the only player in that segment.
This is true. Bert64 agrees:
There are lots of vendors churning out cheap garbage, often based on the same physical chipsets but with their own hacked together firmware. … Typically once deployed they never provide any firmware updates at all, and these devices might run for 10+ years unless the user chooses to replace them.
…
They would be much better off just shipping the cheap generic hardware with OpenWRT, at least then they could be easily updated if a problem is found, and the OpenWRT developers are a lot more vigilant than whoever kludges together [the] firmware.
How could this happen? adespoton asks the big questions:
Why are there still routers being made … that have:
a) default access credentials, and
b) a default interface accessible from outside the LAN?
ELI5? markdavis explains like we’re five:
A properly designed router/firewall will not allow installation without forcing the user to change the root/admin password to something not the default, first. It should have been designed that way from the start, and most of this stuff would not have happened.
This is an old problem that I thought had been mostly fixed.
Meanwhile, Zola amps up the criticism:
Ubiquiti did release an update to address … default credentials. But unfortunately, and entirely predictably (as it’s Ubiquiti), it too showed a spectacular level of incompetence, … which made the protection entirely useless.
…
The first boot “change password” dialog [could] be dismissed with a press of the Escape button. … Either this was incompetence from the development team (although any developer with half a brain cell would have realised [it] was total nonsense), or the changes were specified by a lawyer who was only interested in doing the absolute minimum to cover the companies ****.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Recent Articles By Author
Original Post URL: https://securityboulevard.com/2024/02/fbi-ubiquiti-edgerouter-apt28-richixbw/
Category & Tags: Analytics & Intelligence,Application Security,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,Editorial Calendar,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,IoT & ICS Security,Malware,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing the Cloud,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Software Supply Chain Security,Spotlight,Threat Intelligence,Threats & Breaches,Vulnerabilities,Zero-Trust,APT28,Botnet disruption,Botnet Takedown,botnets,CVE-2023-23397,EdgeRouter,Fancy Bear,FBI warning,GRU,IC3,IC3.gov,Military Unit 26165,nsa,NSA/CISA,NTLM,NTLM Authentication,NTLM hash,NTLM leak,ntlm relay,Russia,russia hacker,russia-based,russian,Russian Cyber Interests,Russian Cyber War,SB Blogwatch,Ubiquiti,Ubiquiti breach,Ubiquiti Inc.,Ubiquiti Networks,US FBI – Analytics & Intelligence,Application Security,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,Editorial Calendar,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,IoT & ICS Security,Malware,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing the Cloud,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Software Supply Chain Security,Spotlight,Threat Intelligence,Threats & Breaches,Vulnerabilities,Zero-Trust,APT28,Botnet disruption,Botnet Takedown,botnets,CVE-2023-23397,EdgeRouter,Fancy Bear,FBI warning,GRU,IC3,IC3.gov,Military Unit 26165,nsa,NSA/CISA,NTLM,NTLM Authentication,NTLM hash,NTLM leak,ntlm relay,Russia,russia hacker,russia-based,russian,Russian Cyber Interests,Russian Cyber War,SB Blogwatch,Ubiquiti,Ubiquiti breach,Ubiquiti Inc.,Ubiquiti Networks,US FBI
Views: 0
