Joint Warning Issued on Russian Cyber Actors Exploiting Ubiquiti EdgeRouters
In a combined effort, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), US Cyber Command, and their international partners have issued a Cybersecurity Advisory (CSA) warning that Russian state-sponsored cyber actors, specifically APT28 (also known as Fancy Bear, Forest Blizzard, and Strontium), are actively exploiting critical vulnerabilities in Ubiquiti EdgeRouters. The compromised routers have been used globally to:
- Steal credentials: APT28 gains access to sensitive login information.
- Proxy network traffic: They can mask their online activities by redirecting internet traffic through the compromised routers.
- Host malicious content: Fake websites and custom exploitation tools are deployed to further their attacks.
- Gain unfettered access: Once compromised, the routers give APT28 complete control over their Linux-based operating systems, letting the actors install tooling and obfuscate their identity while conducting malicious campaigns. This allows them to:
  - Install additional malicious tools: They equip the compromised routers with additional malware for further exploitation.
  - Hide their activities: By manipulating the system, they make their presence harder to detect.
Although a recent joint operation by the US DOJ, FBI, and international partners disrupted a network of compromised routers controlled by APT28, the threat remains.
Targeted Industries: Organizations across various sectors have been targeted, including:
- Aerospace & Defense
- Education
- Energy & Utilities
- Governments and Militaries
- Hospitality
- Manufacturing
- Oil & Gas
- Retail
- Technology
- Healthcare
- Transportation
Call to Action: Large enterprises defend themselves against these attacks with advanced solutions that continuously monitor both on-premises and cloud environments, gathering and analyzing data in real time and enriching it with integrated threat intelligence. Although effective, these advanced solutions are often out of reach for mid-market enterprises because of their high cost.
We have created CloudJacket, a unified cybersecurity solution with the same advanced security features used by Fortune 500 companies, but affordable for everyone. CloudJacket shields businesses of all sizes from the aftermath of attacks highlighted in this Security Alert. Act now to safeguard your organization. Go to https://www.secnap.com/cloudjacket/.
The CSA is available here: https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF