APT28 used hacked Ubiquiti routers in hashed-password relay attacks
David Perera (@daveperera)
February 27, 2024

A campaign by Russian military intelligence to turn Ubiquiti routers into a platform for global cyberespionage began as early as 2022, according to U.S. and foreign intelligence agencies.
Earlier this month, the U.S. federal government disrupted a botnet of hundreds of Ubiquiti routers built by a hacking unit of Russia's military intelligence directorate, the GRU. The Moscow-linked threat actors, tracked as APT28, Fancy Bear, Forest Blizzard and Strontium, used infected routers located in the United States as proxies for hacking operations (see: US Disrupts Russian Military Intelligence Botnet).
In an advisory released Tuesday by the FBI together with U.S. and foreign partner agencies, the agencies said the hackers behind the campaign installed protocol-poisoning tools on compromised routers and used them to carry out NTLM relay attacks. The attacks leveraged CVE-2023-23397, a Microsoft Outlook vulnerability that was exploited as a zero-day before Microsoft patched it in March 2023. An attacker sends a calendar appointment or task whose reminder sound parameter points to a file on an attacker-controlled server rather than a local sound file. Because the reminder time is already in the past, Outlook fires it as soon as the message arrives, and instead of playing a sound the client connects to the attacker's server and authenticates, handing over the victim's username and Net-NTLMv2 hash with no user interaction. That hash can then be relayed to other services on the victim's network or cracked offline.
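The detection logic a defender would run over mailbox data to spot this technique, as an added example that is not part of the original article or of the advisory. It assumes the reminder sound property (PidLidReminderFileParameter) has already been extracted from each Outlook item into a plain Python object; the mail items and the internal-host allowlist below are constructed sample data, and the helper names are the author's own.

```python
"""Flag Outlook appointments/tasks whose reminder sound path would make the client
authenticate to a remote host, the pattern exploited by CVE-2023-23397.

Constructed example: item extraction from real .msg/Exchange data is assumed to
have happened already; only the decision logic is shown here."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MAPI named property abused by CVE-2023-23397 (property set PSETID_Common).
REMINDER_FILE_PARAMETER_LID = 0x851F

# Hosts from which clients may legitimately load reminder sounds (assumed allowlist).
INTERNAL_HOSTS = {"fileserver.corp.example"}

# Win32 device-path forms that the redirector treats exactly like a plain UNC path.
_DEVICE_UNC_PREFIXES = ("\\\\?\\UNC\\", "\\\\.\\UNC\\")


@dataclass
class MailItem:
    sender: str
    subject: str
    reminder_file: Optional[str]  # decoded PidLidReminderFileParameter, if present


def remote_host(path: Optional[str]) -> Optional[str]:
    """Return the host a reminder path would make Outlook connect to, or None if local."""
    if not path:
        return None
    p = path.strip()
    # Normalise \\?\UNC\host\share and \\.\UNC\host\share to \\host\share.
    for prefix in _DEVICE_UNC_PREFIXES:
        if p.upper().startswith(prefix.upper()):
            p = "\\\\" + p[len(prefix):]
            break
    # \\host\share or //host/share: the host is everything up to the next separator.
    m = re.match(r"^[\\/]{2}([^\\/]+)[\\/]", p)
    if not m:
        return None
    host = m.group(1)
    # Drop a WebDAV-style "@port" or "@SSL" suffix so the allowlist matches on the name.
    host = host.split("@", 1)[0]
    return host.lower()


def is_suspicious(item: MailItem) -> bool:
    """True when the reminder sound would be fetched from a host outside the allowlist."""
    host = remote_host(item.reminder_file)
    return host is not None and host not in INTERNAL_HOSTS


def flag_items(items: List[MailItem]) -> List[Tuple[str, str]]:
    """Return (subject, host) for every item that would leak a Net-NTLMv2 response."""
    return [(i.subject, remote_host(i.reminder_file)) for i in items if is_suspicious(i)]


# Constructed sample mailbox: two benign items, one with no reminder, three malicious.
SAMPLE_ITEMS = [
    MailItem("pm@corp.example", "Team sync", "C:\\Windows\\Media\\chimes.wav"),
    MailItem("pm@corp.example", "Backlog review",
             "\\\\fileserver.corp.example\\sounds\\ding.wav"),
    MailItem("hr@corp.example", "Lunch", None),
    MailItem("billing@attacker.example", "Invoice follow-up",
             "\\\\203.0.113.7\\share\\x.wav"),
    MailItem("billing@attacker.example", "Q1 planning",
             "\\\\?\\UNC\\203.0.113.7\\share\\x.wav"),
    MailItem("billing@attacker.example", "Rescheduled call",
             "//198.51.100.23@80/dav/x.wav"),
]

if __name__ == "__main__":
    for subject, host in flag_items(SAMPLE_ITEMS):
        print(f"FLAG: {subject!r} -> outbound authentication to {host}")
```

The check deliberately normalises the device-path and forward-slash spellings before matching, because a filter that only looks for a literal leading `\\` misses paths the Windows redirector still resolves over the network. In production the host check would also be paired with the sender and received time, since a legitimate internal reminder sound rarely arrives in mail from an outside domain.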
Microsoft has released multiple fixes for the vulnerability, but the advisory said the GRU hackers continued to find unpatched systems and break into them.
The Russian hackers targeted numerous industries, including defense, oil and gas, technology, government and manufacturing, in countries including Ukraine, Poland, Lithuania, Turkey and the Czech Republic.
The FBI believes the APT28 hackers took advantage of a criminal botnet called Moobot that had already infected some Ubiquiti routers. The New York router maker did not respond to requests for comment.
Dan Black, a cyberespionage analyst at threat intelligence firm Mandiant, said the use of hacked routers by Russian hackers is a hallmark of both Kremlin-backed and Chinese state hacking operations. "They use them to proxy traffic to and from targeted networks while flying under the radar," he said.
The advisory warns that rebooting a compromised Ubiquiti router will not remove the Russian malware. Instead, administrators should perform a hardware factory reset, upgrade to the latest firmware and, because a factory reset restores the default credentials, replace the default username and password before putting the device back on the network.