Fancy Bear sniffs out Ubiquiti router users


The American authorities have warned users of Ubiquiti’s EdgeRouter products that they may be at risk of being targeted by the Russian state threat actor Fancy Bear, also known as APT28 and Forest Blizzard/Strontium.

In a coordinated advisory, to which partner agencies including the UK’s National Cyber Security Centre (NCSC) and counterparts in Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland and South Korea also put their signatures, the FBI, National Security Agency (NSA) and US Cyber Command urged users of the affected products to be on their guard.

“Fancy Bear, and Forest Blizzard (Strontium), have used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear phishing landing pages and custom tools,” read the advisory.

Users of EdgeRouters have been told to perform a factory reset, upgrade to the latest firmware version, change default usernames and credentials, and implement strategic firewall rules on WAN-side interfaces.

Ubiquiti EdgeRouters have become popular among users and threat actors alike thanks to a user-friendly, Linux-based operating system. Unfortunately, they also carry two dangerous weaknesses: the devices often ship with default credentials and little or no firewall protection on the WAN side, and they do not automatically update their firmware unless the user has configured them to do so. Neither is a software vulnerability in the usual sense, which is why the advisory's mitigations are about configuration and hygiene rather than a single patch.
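The two weaknesses above map directly onto the mitigations the agencies list: change the default account, and bind firewall rulesets to the WAN-facing interfaces. The following is an added example, not code from the advisory, the agencies or Ubiquiti, that audits an EdgeOS `show configuration` dump for exactly those two conditions. It assumes the standard brace-style configuration syntax, the documented factory default account name `ubnt`, and that the operator tells it which interface faces the WAN (`eth0` here). Both sample configurations are constructed for the example, not captured from real devices. A factory reset and firmware upgrade remain manual steps the script cannot verify.

```python
"""Audit an EdgeOS 'show configuration' dump for the two weaknesses the advisory
names: the factory default account and a WAN interface with no firewall bound.
Added example; not the advisory's or Ubiquiti's code. Sample configs are constructed."""

DEFAULT_USER = "ubnt"  # documented EdgeRouter factory default account


def parse_config(text):
    """Parse the brace syntax of 'show configuration' into nested dicts.
    Node headers ('ethernet eth0 {') become dict keys; leaves ('address dhcp')
    become key -> value, with repeated keys collected into a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            value = value.strip().strip('"') or True
            leaf = stack[-1]
            if key in leaf:
                if not isinstance(leaf[key], list):
                    leaf[key] = [leaf[key]]
                leaf[key].append(value)
            else:
                leaf[key] = value
    return root


def audit(config, wan_interfaces):
    """Return a list of findings; an empty list means the checks passed.
    wan_interfaces is an assumption: the caller names the ports that face the WAN."""
    findings = []
    login = config.get("system", {}).get("login", {})
    if f"user {DEFAULT_USER}" in login:
        findings.append(f"default account '{DEFAULT_USER}' still present")
    interfaces = config.get("interfaces", {})
    rulesets = config.get("firewall", {})
    for ifname in wan_interfaces:
        iface = interfaces.get(f"ethernet {ifname}")
        if iface is None:
            findings.append(f"{ifname}: interface not in config")
            continue
        bound = iface.get("firewall", {})
        # 'in' covers traffic forwarded through the router; 'local' covers traffic
        # to the router itself (SSH, web UI). Both need a ruleset that drops by default.
        for direction in ("in", "local"):
            name = bound.get(direction, {}).get("name")
            if not name:
                findings.append(f"{ifname}: no '{direction}' firewall ruleset bound")
                continue
            if rulesets.get(f"name {name}", {}).get("default-action") != "drop":
                findings.append(f"{ifname}: ruleset {name} does not default to drop")
    return findings


# Constructed: how a router looks when left close to factory state.
WEAK_CONFIG = """
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $6$constructed
            }
            level admin
        }
    }
}
"""

# Constructed: the same router after the advisory's mitigations are applied.
HARDENED_CONFIG = """
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
}
system {
    login {
        user netadmin {
            authentication {
                encrypted-password $6$constructed
            }
            level admin
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_config(cfg), ["eth0"]))
```

On a live device the same check can be run against the output of `show configuration` from the CLI; the `local` ruleset is the one most often forgotten, and it is the one that decides whether the router's own SSH and web UI answer on the WAN side.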

Fancy Bear is using the compromised routers to harvest victim credentials, collect NTLMv2 digests, proxy network traffic and host spear phishing landing pages and other custom tools. Targets of the operation include academic and research institutions, embassies, defence contractors and political parties, located in multiple countries of interest to Russian intelligence, including Ukraine.

“No part of a system is immune to threats,” said NSA cyber security director Rob Joyce. “As we have seen, adversaries have exploited vulnerabilities in servers, in software, in devices that connect to systems, in user credentials, in any number of ways. Now, we see Russian state-sponsored cyber actors abusing compromised routers and we are joining this CSA to provide mitigation recommendations.”

Dan Black,…
