The US government is urging organizations and customers to clean their devices and aid the disruption effort, two weeks after dismantling a botnet of Ubiquiti routers. The routers were used by a Russian advanced persistent threat (APT) actor to conduct global cyberespionage campaigns.
Cybercriminals infected hundreds of Ubiquiti small office/home office (SOHO) routers with the ‘Moobot’ malware, pulling them into a botnet. Control of the infected routers was then given to the Russian cyberespionage group APT28, which has been linked to the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). APT28 has used compromised routers for its covert operations since 2022, targeting the aerospace, oil and gas, technology, energy, and government sectors, as well as many organizations in Europe, the Middle East, and the US. According to a joint advisory, APT28 used the compromised routers to collect credentials, host spoofed landing pages, and proxy network traffic. The advisory also shares indicators of compromise (IoCs) that companies can use to identify signs of infection, along with mitigation recommendations and remedial actions to further disrupt APT28’s operations.
Read more:
https://www.securityweek.com/us-government-urges-cleanup-of-routers-infected-by-russias-apt28/