CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

DOJ Disrupts Russian Botnet Created Using Unchanged Admin Credentials

The US Justice Department conducted a court-authorized operation in January that thwarted an on-going Russian GRU botnet campaign that used unchanged publicly known default administrator passwords to gain control of hundreds of Ubiquiti Edge OS routers. This activity once again shows how implementing basic cyber hygiene can protect an organization from even the most sophisticated threat actors.

The DOJ reported that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, created and used the botnet to conduct spearphishing and credential harvesting campaigns against intelligence targets of interest to the Russian government, such as US and foreign governments and military, security, and corporate organizations.

The GRU Military Unit 26165 operation is proof of the inherent danger involved when IT teams fail to change the admin credentials of network and IoT devices.

“The GRU relied on the “Moobot” malware, which is associated with a known criminal group. Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the DOJ said.

US government cyber defenders used Moobot against the attacker by having the malware copy and delete stolen and malicious data and files from compromised routers. Additionally, to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.

 

Lock The Door!

Leaving admin credentials unchanged is equivalent to leaving a door unlocked in a neighborhood known for its crime.

Known admin credentials are one of the most straightforward methods for threat actors to infiltrate an organization as these default credentials are often widely known and accessible to malicious actors through the Dark Web or even a conventional Internet search. Conducting an audit of your organization’s devices and ensuring they all have fresh passwords is of paramount importance.

In addition to finding the admin credentials online, threat actors use a variety of methods to find this information.

As a reminder that there are other methods threat actors use to gain credentials.

  • Phishing attacks typically involve sending an email or message that appears to be from a legitimate source. The email requests the user enter their login credentials into a site the threat group controls thus giving them the credentials or open what is likely a malicious attachment that could host credential stealing malware.
  • To protect against phishing attacks, always be cautious of emails or messages that ask you to open attachments, follow web links, or enter your login credentials.
  • Social engineering involves using psychological manipulation to trick users into divulging sensitive information. A cybercriminal may call a user and pretend to be from IT. They will ask for a screen share and use the access to install keylogging software or other malware designed to harvest credentials.

To protect yourself from social engineering attacks, you should always be cautious of requests for sensitive information, particularly if they are unsolicited. It would be best if you were also wary of any request to gain access to your computer without verifying the request through authorized channels.

Credential Stuffing is a type of cyberattack where attackers use a large database of compromised login credentials, such as the  cache, containing usernames and passwords. The technique involves the automated input of these credentials into login pages to gain access to a user's account. This technique is made possible by the widespread use of weak or reused passwords across multiple online accounts.

A brute-force attack tries to crack a password by guessing every possible combination until it finds the correct one. To prevent brute-force attacks, users should ensure that their passwords are strong and complex, with a mix of uppercase and lowercase letters, numbers, and special characters. Organizations should also implement policies that require regular password changes and limit the number of failed login attempts.

Additionally, the FBI advises any organization victimized by this attack to conduct the following remediation steps:

  1. Perform a hardware factory reset to flush the file systems of malicious files;
  2. Upgrade to the latest firmware version;
  3. Change any default usernames and passwords; and
  4. Implement strategic firewall rules to prevent the unwanted exposure of remote management services.

 

Let Trustwave Help

Organizations that lack the in-house ability to handle these tasks required to maintain security should consider partnering with a company with such expertise. A Managed Security Service (MSS) provider like Trustwave, with our Managed Detection and Response (MDR) solution, may provide the answer. 

Without the right expertise, organizations won't get the value out of these technologies that they desire. Likewise, a traditionally managed security service provider (MSSP) that focuses on monitoring logs and alerts is missing a large part of the picture and can generate many false positives and low-value work for their customers. 

Finally, stopping phishing at the source is the best policy, and this can be accomplished with an email security solution like Trustwave MailMarshal.

 

Latest Trustwave Blogs

Unlocking the Power of Offensive Security: Trustwave's Proactive Approach to Cyber Defense

Clients often conflate Offensive Security with penetration testing, yet they serve distinct purposes within cybersecurity. Offensive Security is a broad term encompassing strategies to protect...

Read More

Behind the Scenes of the Change Healthcare Ransomware Attack Cyber Gang Dispute

Editor’s Note – The situation with the Change Healthcare cyberattack is changing frequently. The information in this blog is current as of April 16. We will update the blog as needed. April 16, 2024:...

Read More

Law Enforcement Must Keep up the Pressure on Cybergangs

The (apparent) takedown of major ransomware players like Blackcat/ALPHV and LockBit and the threat groups’ (apparent) revival is a prime example of the Whack-a-Mole nature of combating ransomware...

Read More