An anonymous reader cites a report from Ars Technica: The FBI and partners in 10 other countries are warning owners of Ubiquiti EdgeRouters of signs that their devices have been hacked or are being used to cover up ongoing malicious operations by Russian state hackers, and are urging them to check their devices for those signs. The Ubiquiti EdgeRouter makes an ideal hiding place for hackers. This inexpensive device, used in homes and small offices, runs a version of Linux that can host malware that secretly runs behind the scenes. The hackers then use the routers to carry out their malicious activities. Rather than using infrastructure or IP addresses that are known to be hostile, the connections come from innocuous-looking devices hosted at addresses with a trustworthy reputation, so they receive a green light from security defenses.
“In summary, with root access to a compromised Ubiquiti EdgeRouter, APT28 attackers have free access to Linux-based operating systems to install tools and obfuscate identities while running malicious campaigns,” FBI officials said in Tuesday's advisory. APT28 — one of the names used to track a group backed by the Russian General Staff Intelligence Directorate, known as the GRU — has been active for at least the past four years, the FBI claimed. Earlier this month, the FBI revealed that it had secretly removed Russian malware from routers in American homes and businesses. The operation was carried out with prior court approval and added firewall rules to prevent APT28 (also tracked under names such as Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit) from regaining control of the devices.
On Tuesday, FBI officials noted that the operation only removed the malware used by APT28 and temporarily blocked reinfections by the group through that infrastructure. The move did not fix any vulnerabilities in the routers or remove the weak or default credentials that hackers could exploit to use the devices again to secretly host malware. “The U.S. Department of Justice and international partners, including the FBI, recently disrupted a GRU botnet comprised of such routers,” they warned. “However, owners of associated devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate similar breaches.”
These actions include:
– Factory reset your hardware to remove all malicious files.
– Upgrade to the latest firmware version.
– Change the default username and password.
– Implement firewall rules to restrict external access to remote management services.
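The last two steps can be verified offline against a copy of the router's EdgeOS configuration (/config/config.boot). The following Python script is an added example, not code from the FBI advisory or from Ars Technica: it parses the Vyatta-style braces into nested dictionaries and flags a lingering default ubnt account and a WAN interface with no local firewall policy (or one whose default action is not drop). The WAN interface name eth0 and the sample configuration are constructed assumptions.

```python
"""Audit an EdgeOS config.boot for the two weak settings the advisory tells
EdgeRouter owners to fix: the default 'ubnt' login and unrestricted WAN access
to management services (ssh/gui). Sample config below is constructed."""


def parse(text):
    """Turn the brace-nested config into nested dicts; leaf lines become key -> value.
    Node headers such as "ethernet eth0 {" or "user ubnt {" keep their full name as key.
    Repeated leaf keys (rare in config.boot) keep the last value seen."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue                      # skip blanks and the version-tag comments
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, val = line.partition(" ")
            stack[-1][key] = val.strip().strip('"')
    return root


def audit(cfg, wan="eth0"):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    login = cfg.get("system", {}).get("login", {})
    if "user ubnt" in login:              # factory default account still defined
        findings.append("default 'ubnt' account still present; replace it")
    eth = cfg.get("interfaces", {}).get(f"ethernet {wan}", {})
    policy = eth.get("firewall", {}).get("local", {}).get("name")
    if not policy:                        # nothing filters traffic addressed to the router itself
        findings.append(f"{wan}: no 'firewall local' policy; management services reachable from WAN")
    elif cfg.get("firewall", {}).get(f"name {policy}", {}).get("default-action") != "drop":
        findings.append(f"{policy}: default-action must be drop")
    return findings


# Constructed sample: WAN on eth0 with no local firewall policy and the default user.
WEAK = """
interfaces {
    ethernet eth0 {
        address dhcp
    }
}
system {
    login {
        user ubnt {
            authentication {
                plaintext-password ""
            }
        }
    }
}
"""

if __name__ == "__main__":
    for finding in audit(parse(WEAK)):
        print("FINDING:", finding)
```

Run it against a config.boot pulled from the router after the factory reset and firmware upgrade; both findings should be gone once a new admin user and a WAN_LOCAL policy with default-action drop are in place.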