Ubiquiti Routers Hijacked in Russia-Linked Cyber Attack

Russian state-sponsored hackers have hijacked millions of Ubiquiti routers in a cyber attack that exploited vulnerabilities in the network 

A joint advisory released by the FBI in partnership with NSA, the U.S. Cyber Command, and international partners has warned that Russian military hackers, known as APT28 or Fancy Bear, are targeting popular Ubiquiti routers to build large networks of compromised devices, called botnets.

Hackers can use compromised routers to steal login credentials, passwords, and other sensitive data from connected devices.

The compromised routers can be used to mask the source of cyber attacks, making them harder to detect and trace back to the hackers.

What is APT28?

The group responsible for exploiting Ubiquiti routers, APT28 (also known as Fancy Bear), is a highly skilled cybercriminal group believed to be affiliated with the Russian military intelligence agency. 

APT28 has been active for over a decade, with their main targets including:

• Governments and political organizations: APT28 has been implicated in cyberattacks against government agencies, political campaigns, and international organizations.
• Businesses and critical infrastructure: They have also targeted energy companies, telecommunications providers, and other critical infrastructure sectors.
• Dissidents and activists: Individuals critical of the Russian government have frequently been targeted by APT28 for espionage and harassment.

APT28 is known for its highly sophisticated tactics, deploying a multi-pronged, incredibly effective approach:

• Social engineering: They may use phishing emails or other deceptive methods to trick individuals into revealing sensitive information or clicking on malicious links.
• Zero-day vulnerabilities: These are previously unknown software flaws that hackers exploit before software developers can patch them.
• Malware: They can install malicious software on compromised systems to steal data, maintain persistent access, or disrupt operations.

What is a Botnet?

A Botnet is a network of compromised devices, like home routers, controlled by a single attacker or criminal group

The cybercriminal can use the hijacked routers to access and steal login credentials, passwords, and other sensitive data from devices connected to the network.

The botnet can be used to launch coordinated attacks on other targets, such as websites or servers, overwhelming them with traffic and causing them to crash or become unavailable.

The compromised routers can be used as a proxy to mask the true source of cyberattacks, making it harder to track the attackers back to their origin.

Read: 3 Million Smart Toothbrushes Turned into Botnet for DDoS Attack

Ubiquiti Routers Botnet cyber attack

The FBI successfully shut down a network of compromised Ubiquiti EdgeRouters. These routers were initially infected with Moobot malware by independent cyber criminals, not directly linked to the Russian hacking group APT28

APT28 later hijacked this botnet and repurposed it. They used the compromised routers to build a global cyber espionage tool.

In their investigation, the FBI discovered APT28 tools and artefacts, including scripts for stealing webmail credentials, programs specifically crafted to collect sensitive data known as NTLMv2 digests and custom routing rules that automatically redirected users from phishing attempts to the attackers' infrastructure

How to protect your network

If your Ubiquiti router has been compromised by hackers, a simple reboot will not remove the malware. The FBI and its partners recommend these essential steps to secure your router:

• Perform a complete hardware factory reset of your router. This will wipe all existing settings and potentially flush file systems of malicious files.
• Install the latest firmware update provided by Ubiquiti. Updates often contain security patches that fix known vulnerabilities.
• Change the default usernames and passwords for both your router's management interface and your Wi-Fi network. Choose complex, unique passwords.
• Configure your router's firewall to block remote management access from outside your network. Restricting access lowers the chance of attackers exploiting your router.

The attack on Ubiquiti routers demonstrates how important it is to take proactive security measures. While the tactics employed by sophisticated groups like APT28 may seem complex, even simple steps can significantly enhance your network's security.

Regularly updating your router firmware and software, using strong, unique passwords, and being mindful of online scams can make a significant impact.