Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

A joint advisory from cybersecurity and intelligence agencies highlights the MooBot threat targeting users of Ubiquiti EdgeRouters. This botnet, orchestrated by Russia’s APT28, has been operational since at least 2022 and has been employed in various cyber operations globally. APT28, known for its affiliation with Russia’s Main Directorate of the General Staff, has been active since 2007 and is notorious for its sophisticated cyber campaigns.

MooBot’s modus operandi involves exploiting routers with default or weak credentials to deploy OpenSSH trojans, enabling APT28 to execute various malicious activities such as credential harvesting, proxying network traffic, and hosting phishing pages. The botnet has particularly targeted critical sectors, including aerospace, defense, energy, government, hospitality, manufacturing, and transportation across multiple countries including the U.S., Italy, Poland, and Ukraine.

Security Officer Comments:
One of MooBot’s notable tactics is the use of Python scripts for uploading account credentials obtained through cross-site scripting and spear-phishing campaigns. Moreover, it exploits vulnerabilities such as CVE-2023-23397 to escalate privileges and launch relay attacks without user interaction, thereby facilitating the theft of NTLM hashes.

In addition to its sophisticated toolset, MooBot leverages compromised Ubiquiti EdgeRouters as a C2 infrastructure using a Python backdoor known as MASEPIE. This grants APT28 unfettered access to victim machines, allowing them to execute arbitrary commands and obfuscate their identity while conducting malicious campaigns.

Suggested Corrections:
Rebooting a compromised EdgeRouter will not remove the existing malware of concern, if present. The FBI and its partners recommend the following steps be taken to remediate compromised EdgeRouters:

  1. Perform a hardware factory reset to flush file systems of malicious files,
  2. Upgrade to the latest firmware version,
  3. Change any default usernames and passwords, and
  4. Implement strategic firewall rules on WAN-side interfaces to prevent the unwanted exposure of remote management services.
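Steps 3 and 4 can be checked offline against a router's exported configuration. The script below is an added example, not part of the advisory or any Ubiquiti tooling: it parses the brace-structured `config.boot` format EdgeOS uses into nested dicts and reports a remaining default `ubnt` account, a WAN interface with no `firewall local` policy (or one that does not default to drop), and `ssh`/`gui` services with no `listen-address` restriction. Both configuration texts are constructed samples modelled on EdgeOS syntax, and the rule that "WAN" in an interface description marks the uplink is an assumption of this example, not an EdgeOS convention.

```python
"""Audit an EdgeOS config.boot for what the advisory's steps 3 and 4 address:
a default 'ubnt' account, a WAN interface with no local firewall policy, and
management services (ssh/gui) bound to every address. Added example; the
config texts below are constructed, modelled on EdgeOS's Vyatta-style syntax."""


def parse_config(text):
    """Parse EdgeOS brace syntax into nested dicts: a 'node [value] {' line
    opens a child keyed by its header, 'key value' is a leaf, '}' closes."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue  # blank or comment line
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return root


def audit(cfg):
    """Return a list of findings, each tagged with the remediation step it
    maps to. A WAN interface is recognised by 'WAN' in its description,
    which is an assumption of this example, not an EdgeOS convention."""
    findings = []
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("step 3: default account 'ubnt' still present")
    rulesets = cfg.get("firewall", {})
    for name, iface in cfg.get("interfaces", {}).items():
        if not isinstance(iface, dict) or "WAN" not in iface.get("description", "").upper():
            continue
        local = iface.get("firewall", {}).get("local", {}).get("name")
        if not local:
            findings.append(f"step 4: {name} has no 'firewall local' policy")
        elif rulesets.get(f"name {local}", {}).get("default-action") != "drop":
            findings.append(f"step 4: ruleset {local} on {name} does not default to drop")
    for svc in ("ssh", "gui"):
        block = cfg.get("service", {}).get(svc)
        if block is not None and "listen-address" not in block:
            findings.append(f"step 4: service {svc} is bound to all addresses, WAN included")
    return findings


# Constructed sample: default account kept, WAN unfiltered, services exposed.
WEAK_CONFIG = """
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""

# Constructed sample after steps 3 and 4: WAN_LOCAL drops inbound-to-router
# traffic and management services listen only on the LAN address.
HARDENED_CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action drop
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
service {
    gui {
        listen-address 192.168.1.1
    }
    ssh {
        listen-address 192.168.1.1
    }
}
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_config(text)) or ["no findings"])
```

On the router itself the hardened state corresponds to `set firewall name WAN_LOCAL default-action drop`, `set interfaces ethernet eth0 firewall local name WAN_LOCAL`, and `set service ssh listen-address <LAN address>` (likewise for `gui`) in the EdgeOS configure mode. A production `WAN_LOCAL` ruleset also needs an accept rule for established and related state so return traffic to the router is not dropped; the sample omits it to keep the example short, and the audit does not check for it.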

Additionally, all network owners should keep their operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. For CVE-2023-23397, updating Microsoft Outlook mitigates the vulnerability. To mitigate other forms of NTLM relay, all network owners should consider disabling NTLM when feasible, or enabling server signing and Extended Protection for Authentication configurations. Further, as a longer-term mitigation, network owners should prioritize only using routers and other equipment incorporating secure-by-design principles that eliminate default passwords and SOHO router defects.