Trustwave Blog

DOJ Disrupts Russian Botnet Created Using Unchanged Admin Credentials

Written by | Feb 16, 2024

The US Justice Department conducted a court-authorized operation in January that thwarted an ongoing Russian GRU botnet campaign that used unchanged, publicly known default administrator passwords to gain control of hundreds of Ubiquiti Edge OS routers. This activity once again shows how implementing basic cyber hygiene can protect an organization from even the most sophisticated threat actors.

The DOJ reported that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, created and used the botnet to conduct spearphishing and credential harvesting campaigns against intelligence targets of interest to the Russian government, such as US and foreign governments and military, security, and corporate organizations.

The GRU Military Unit 26165 operation is proof of the inherent danger involved when IT teams fail to change the admin credentials of network and IoT devices.

“The GRU relied on the ‘Moobot’ malware, which is associated with a known criminal group. Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the DOJ said.

US government cyber defenders used Moobot against the attacker by having the malware copy and delete stolen and malicious data and files from compromised routers. Additionally, to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.


Lock The Door!

Leaving admin credentials unchanged is equivalent to leaving a door unlocked in a neighborhood known for its crime.

Known admin credentials are one of the most straightforward methods for threat actors to infiltrate an organization as these default credentials are often widely known and accessible to malicious actors through the Dark Web or even a conventional Internet search. Conducting an audit of your organization’s devices and ensuring they all have fresh passwords is of paramount importance.

Threat actors do not rely solely on finding default admin credentials online; they use a variety of other methods to obtain credentials, including the following.

  • Phishing attacks typically involve sending an email or message that appears to come from a legitimate source. The message asks the user either to enter their login credentials into a site the threat group controls, which hands the credentials to the attacker, or to open an attachment that likely carries credential-stealing malware.
  • To protect against phishing attacks, always be cautious of emails or messages that ask you to open attachments, follow web links, or enter your login credentials.
  • Social engineering uses psychological manipulation to trick users into divulging sensitive information. A cybercriminal may call a user, pretend to be from IT, ask for a screen share, and use that access to install keylogging software or other malware designed to harvest credentials.

To protect yourself from social engineering attacks, be cautious of requests for sensitive information, particularly unsolicited ones, and be wary of any request for access to your computer that has not been verified through authorized channels.

Credential stuffing is a type of cyberattack in which attackers use a large database of compromised login credentials, such as the cache, containing usernames and passwords. The technique involves automatically submitting these credentials to login pages to gain access to a user's account. It works because of the widespread use of weak or reused passwords across multiple online accounts.

A brute-force attack tries to crack a password by guessing every possible combination until it finds the correct one. To prevent brute-force attacks, users should ensure that their passwords are strong and complex, with a mix of uppercase and lowercase letters, numbers, and special characters. Organizations should also implement policies that require regular password changes and limit the number of failed login attempts.
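The advice above to limit failed login attempts, and the distinction between brute force (many guesses against one account) and credential stuffing (one source cycling through many accounts), can be turned into simple detection logic. The following Python script is an added example written for this post; it is not Trustwave's code and does not parse real Ubiquiti Edge OS logs. It assumes a simplified, constructed log line format (`<timestamp> login <failed|ok> user=<name> src=<ip>`) and constructed sample entries. It applies a sliding-window lockout per account, classifies each source address by how its failures are distributed across accounts, and flags any successful login from a flagged source as worth investigating.

```python
"""Failed-login monitor over constructed auth-log lines (added example).

Hypothetical log format, NOT EdgeOS output:
    <ISO-8601 timestamp> login <failed|ok> user=<name> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, invented timestamps).
SAMPLE_LOG = """\
2024-02-16T10:00:01 login failed user=admin src=203.0.113.7
2024-02-16T10:00:02 login failed user=admin src=203.0.113.7
2024-02-16T10:00:03 login failed user=admin src=203.0.113.7
2024-02-16T10:00:04 login failed user=admin src=203.0.113.7
2024-02-16T10:00:05 login failed user=admin src=203.0.113.7
2024-02-16T10:00:06 login failed user=admin src=203.0.113.7
2024-02-16T10:00:07 login ok user=admin src=203.0.113.7
2024-02-16T10:01:00 login failed user=admin src=198.51.100.9
2024-02-16T10:01:01 login failed user=root src=198.51.100.9
2024-02-16T10:01:02 login failed user=support src=198.51.100.9
2024-02-16T10:01:03 login failed user=operator src=198.51.100.9
2024-02-16T10:01:04 login failed user=guest src=198.51.100.9
2024-02-16T10:02:00 login failed user=alice src=192.0.2.44
2024-02-16T10:02:05 login failed user=alice src=192.0.2.44
2024-02-16T10:02:09 login ok user=alice src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def lockouts(events, max_failures=5, window=timedelta(minutes=5)):
    """Sliding-window lockout: {user: time locked} once an account reaches
    max_failures failed logins inside `window`. A successful login clears
    the account's recent-failure history; a locked account stays locked."""
    locked = {}
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if user in locked:
            continue
        if ev["result"] == "ok":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            locked[user] = ev["ts"]
    return locked


def classify_sources(events, min_failures=5, stuffing_min_users=3):
    """Per source IP with at least min_failures failed logins:
    'credential_stuffing' if the failures are spread over many accounts,
    'brute_force' if they concentrate on one or two accounts."""
    fails_by_src = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["result"] == "failed":
            fails_by_src[ev["src"]][ev["user"]] += 1
    verdicts = {}
    for src, per_user in fails_by_src.items():
        if sum(per_user.values()) < min_failures:
            continue
        verdicts[src] = ("credential_stuffing" if len(per_user) >= stuffing_min_users
                         else "brute_force")
    return verdicts


def successes_from_flagged(events, verdicts):
    """(user, src) pairs where a flagged source eventually logged in: the
    signal that a guessed or default password actually worked."""
    return [(ev["user"], ev["src"]) for ev in events
            if ev["result"] == "ok" and ev["src"] in verdicts]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("lockouts:", lockouts(evs))
    verdicts = classify_sources(evs)
    print("source verdicts:", verdicts)
    print("investigate:", successes_from_flagged(evs, verdicts))
```

On the constructed sample the `admin` account is locked at the fifth failure from 203.0.113.7, that source is classified as brute force, 198.51.100.9 (five failures across five accounts) as credential stuffing, and the later successful `admin` login from the brute-forcing source is reported for investigation; the two failures from 192.0.2.44 followed by a success stay below the thresholds, as a typing mistake should.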

Additionally, the FBI advises any organization victimized by this attack to conduct the following remediation steps:

  1. Perform a hardware factory reset to flush the file systems of malicious files;
  2. Upgrade to the latest firmware version;
  3. Change any default usernames and passwords; and
  4. Implement strategic firewall rules to prevent the unwanted exposure of remote management services.


Let Trustwave Help

Organizations that lack the in-house ability to handle the tasks required to maintain security should consider partnering with a company that has such expertise. A Managed Security Service (MSS) provider like Trustwave, with our Managed Detection and Response (MDR) solution, may provide the answer.

Without the right expertise, organizations won't get the value out of these technologies that they desire. Likewise, a traditional managed security service provider (MSSP) that focuses on monitoring logs and alerts is missing a large part of the picture and can generate many false positives and low-value work for its customers.

Finally, stopping phishing at the source is the best policy, and this can be accomplished with an email security solution like Trustwave MailMarshal.