In a recent advisory, cybersecurity and intelligence agencies from the United States and allied nations have alerted users of Ubiquiti EdgeRouters to strengthen their security measures. This advisory follows the disruption of a botnet named MooBot, which consisted of compromised routers and was dismantled by law enforcement during an operation called Dying Ember.

The MooBot botnet had reportedly been utilized by the Russian-affiliated threat group APT28 to conduct covert cyber operations and deploy tailored malware for later exploitation. APT28, connected to the Russian military intelligence agency GRU, has been active in cybersecurity incidents since at least 2007.

Authorities have indicated that APT28 has exploited compromised EdgeRouters on a global scale to gather credentials, collect NTLMv2 authentication hashes, proxy network traffic, and host phishing websites along with various malicious tools. The targeting of EdgeRouters by this group can be traced back to 2022, with attacks primarily focused on sectors including aerospace and defense, education, energy and utilities, government, hospitality, manufacturing, oil and gas, retail, technology, and transportation, across countries such as the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.

MooBot attacks typically target routers that still use default or weak passwords and replace their OpenSSH binaries with trojanized versions. APT28 then uses this access to deploy bash scripts and other ELF binaries that collect credentials, proxy network traffic, and host phishing pages. Malicious Python scripts are also used to harvest account credentials from specific webmail users through cross-site scripting and browser-in-the-browser (BitB) spear-phishing techniques.

Additionally, APT28 has been tied to the exploitation of CVE-2023-23397—a critical privilege escalation vulnerability in Microsoft Outlook, which had a CVSS score of 9.8. This flaw allowed attackers to steal NT LAN Manager (NTLM) hashes and execute relay attacks without requiring user interaction. The group also utilizes a Python backdoor, known as MASEPIE, that enables arbitrary command execution on infected systems, leveraging compromised Ubiquiti EdgeRouters as part of its command-and-control infrastructure.

With root access to these routers, APT28 operatives gain unrestricted control over Linux-based systems, allowing them to install malicious tools and obscure their identity during operations. In response to these threats, organizations are advised to perform a factory reset of the routers to eliminate any malicious files, upgrade to the latest firmware, change default credentials, and establish firewall rules to limit remote management exposure.
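As an added example (not from the advisory or from Ubiquiti), the script below audits a text dump of an EdgeOS configuration for the three fixable items the advisory lists: a remaining default `ubnt` account, SSH/GUI management not bound to a management address, and a WAN interface with no router-bound (`firewall local`) ruleset attached. The `show configuration commands` syntax, the `listen-address` options, and both sample dumps are assumptions and constructed inputs, not output from a real router.

```python
import re

# Constructed sample in the style of EdgeOS `show configuration commands`
# output (assumed syntax, not captured from a real router). This is the
# "weak" state: default user, management on all interfaces, open WAN.
WEAK_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication encrypted-password '$6$REDACTED'
set system login user ubnt level admin
"""

# Same router after applying the advisory's mitigations (also constructed).
HARDENED_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set service gui listen-address 192.168.1.1
set service ssh listen-address 192.168.1.1
set system login user netadmin authentication encrypted-password '$6$REDACTED'
"""

def audit_edgeos_config(config_text: str) -> list[str]:
    """Return findings for the three advisory items; an empty list means none."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    def has(prefix: str) -> bool:
        return any(ln.startswith(prefix) for ln in lines)
    findings = []
    # Change default credentials: the factory 'ubnt' account should be gone.
    if has("set system login user ubnt "):
        findings.append("default 'ubnt' account still defined")
    # Limit remote management: ssh/gui should bind to a management address only.
    for svc in ("ssh", "gui"):
        if has(f"set service {svc} ") and not has(f"set service {svc} listen-address "):
            findings.append(f"service {svc} has no listen-address restriction")
    # Firewall rules: a defined ruleset is not enough, it must be attached to each WAN interface.
    for ln in lines:
        m = re.match(r"set interfaces ethernet (\S+) description WAN\b", ln)
        if m and not has(f"set interfaces ethernet {m.group(1)} firewall local name "):
            findings.append(f"{m.group(1)} (WAN) has no 'firewall local' ruleset attached")
    return findings
```

Note that `WEAK_CONFIG` defines a `WAN_LOCAL` ruleset but never attaches it to `eth0`, which is why the audit still reports the WAN interface.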

This emerging trend highlights that nation-state hackers are increasingly using routers as launching points for cyberattacks, similar to previous botnets like VPNFilter, Cyclops Blink, and KV-botnet. Such tactics underscore the sophistication of contemporary cyber threats, necessitating robust defenses in corporate environments.

This advisory arrives in conjunction with a call-out from the Five Eyes nations regarding APT29, another threat group connected to Russia’s Foreign Intelligence Service, recognized for its tactic of accessing cloud environments through service and dormant accounts. Business executives and IT professionals are therefore encouraged to remain vigilant and proactive in fortifying their cybersecurity posture against evolving threats.
