Hackers backed by Russia and China are infecting SOHO routers like yours, FBI warns
“The US Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers,” they warned. “However, owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises.”

Those actions include:

  • Perform a hardware factory reset to remove all malicious files
  • Upgrade to the latest firmware version
  • Change any default usernames and passwords
  • Implement firewall rules to restrict outside access to remote management services

Tuesday’s advisory said that APT28 has been using the infected routers since at least 2022 to facilitate covert operations against governments, militaries, and organizations around the world, including in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. Besides government bodies, industries targeted include aerospace and defense, education, energy and utilities, hospitality, manufacturing, oil and gas, retail, technology, and transportation. APT28 has also targeted individuals in Ukraine.

The Russian hackers gained control of devices after they were already infected with Moobot, which is botnet malware used by financially motivated threat actors not affiliated with the GRU. These threat actors installed Moobot after first exploiting publicly known default administrator credentials that hadn’t been removed from the devices by the people who owned them. APT28 then used the Moobot malware to install custom scripts and malware that turned the botnet into a global cyber espionage platform.

Covert proxies

APT28 has used the routers to collect credentials, proxy malicious traffic, and host spoofed landing pages and custom post-exploit malware. Last year, for instance, the group created Python scripts in attacks for collecting account credentials for webmail accounts of interest. A year earlier, APT28 used the routers to exploit CVE-2023-23397, a critical zero-day in Microsoft’s Outlook email app that allowed the group to harvest cryptographic hashes that gave access to user accounts. Microsoft released a patch, but APT28 has continued to exploit the vulnerability against targets who have yet to install it. These ongoing attacks use publicly available tools, including Impacket’s ntlmrelayx.py and Responder, to execute the attacks and to host rogue authentication servers.
