The FBI, National Security Agency, U.S. Cyber Command, and partner law enforcement agencies around the world reported that the Russian state-sponsored threat group APT28, also known as Unit 26165 and Fancy Bear, hijacked Ubiquiti EdgeRouters to build botnets for global cyberattacks, according to BleepingComputer.
The joint cybersecurity advisory revealed that these botnets were used not only for credential theft and NTLMv2 digest exfiltration but also to proxy malicious traffic and to host phishing pages and custom tooling. Organizations have been urged to perform hardware factory resets, upgrade firmware, replace default credentials, and apply strategic firewall rules on WAN-side interfaces to keep their Ubiquiti routers from being compromised. The advisory comes weeks after the FBI dismantled a Ubiquiti router botnet built on the Moobot malware, which APT28 had repurposed for its own operations. APT28 was previously linked to attacks against the Democratic National Committee before the 2016 U.S. Presidential Election and against the German Federal Parliament.