Summary:
Researchers at Trend Micro, report the botnet of hijacked Ubiquiti routers used by Russia-linked APT28 to conduct global espionage operations consists of more than just Ubiquiti devices. The group linked to Russia’s GRU, also tracked as Forest Blizzard and Pawn Storm had been using the network of small office/home office (SOHO) Ubiquiti Edge OS routers for years before the US dismantled it in January 2024. Despite this, the botnet encompassed other devices and harbored undetected malware, allowing APT28 to maintain access after the takedown.

The origins of this botnet trace back to 2016 when cybercriminals began infecting Ubiquiti routers with malware. However, it wasn't until April 2022 that APT28 gained control and started leveraging it for persistent cyberespionage campaigns. Trend Micro's investigation revealed a wide array of malicious activities orchestrated through these compromised routers. These activities included brute-forcing SSH, spamming, employing relay attacks, stealing credentials, acting as proxies, engaging in cryptocurrency mining, and launching spear-phishing campaigns.

Despite the FBI's efforts, some devices remained infected, likely due to legal limitations hindering a comprehensive cleanup. Moreover, operators of the botnet swiftly transitioned some bots to new command-and-control infrastructure shortly after the FBI's intervention. This move, coupled with the inclusion of Raspberry Pi and other Linux-based devices, as well as compromised datacenter IP addresses, underscored the resilience and adaptability of the botnet.


Security Officer Comments:
In addition to APT28, Trend Micro identified other threat actors exploiting these compromised devices. The Canadian Pharmacy gang and users of the Ngioweb malware were among those leveraging the botnet for malicious activities. The attackers utilized various techniques, such as deploying backdoors like SSHDoor and leveraging open-source software like MicroSocks, to maintain control and anonymity. Furthermore, some compromised routers were repurposed into residential proxy botnets, highlighting the multifaceted nature of the threats posed by these compromised devices. This complexity, coupled with the ongoing evolution of tactics by threat actors, emphasizes the challenges faced in combating such sophisticated cyber threats.


Suggested Corrections:

IOCs:
https://www.trendmicro.com/content/...ation-states-sharing-compromised-networks.txt

Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not have multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminal will continue to target the ever growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.

Link(s):
https://www.securityweek.com/botnet-disrupted-by-fbi-still-used-by-russian-spies-cybercriminals/

https://www.trendmicro.com/en_us/research/24/e/router-roulette.html