DOJ Disrupts Russian Botnet Created Using Unchanged Admin Credentials
2024-2-17 04:40:19 Author: www.trustwave.com

The US Justice Department conducted a court-authorized operation in January 2024 that disrupted an ongoing Russian GRU botnet campaign. The botnet was built from hundreds of Ubiquiti Edge OS routers whose publicly known default administrator passwords had never been changed. The case shows once again that basic cyber hygiene removes the easiest route in, even for the most sophisticated threat actors.

The DOJ reported that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, created and used the botnet to conduct spearphishing and credential harvesting campaigns against intelligence targets of interest to the Russian government, such as US and foreign governments and military, security, and corporate organizations.

The GRU Military Unit 26165 operation demonstrates the inherent danger when IT teams fail to change the default admin credentials on network and IoT devices.

“The GRU relied on the ‘Moobot’ malware, which is associated with a known criminal group. Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform,” the DOJ said.

US government cyber defenders turned Moobot against the attacker, using the malware's own functionality to copy and then delete stolen and malicious data and files from the compromised routers. To cut off the GRU's access until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers' firewall rules to block remote management access. During the operation it also enabled temporary collection of non-content routing information that would expose GRU attempts to thwart it. Note what the operation did not do: it did not change passwords or update firmware. A router that still has its default credentials remains open to reinfection until its owner remediates it.

Lock The Door!

Leaving admin credentials unchanged is equivalent to leaving a door unlocked in a neighborhood known for crime.

Known admin credentials are one of the most straightforward ways for threat actors to infiltrate an organization: vendors publish default logins in their manuals, and they are widely shared on the Dark Web or surface with a conventional Internet search. Auditing every device in your organization's inventory and ensuring each one has a unique, non-default password is of paramount importance.

Default credentials found online are not the only route in. Threat actors use a variety of other methods to obtain credentials:

  • Phishing attacks typically involve an email or message that appears to come from a legitimate source. The message asks the user either to enter their login credentials into a site the threat group controls, handing over the credentials directly, or to open an attachment that is likely malicious and may deliver credential-stealing malware.
  • To protect against phishing attacks, always be cautious of emails or messages that ask you to open attachments, follow web links, or enter your login credentials.
  • Social engineering uses psychological manipulation to trick users into divulging sensitive information. A cybercriminal may call a user and pretend to be from IT, ask for a screen share, and use that access to install keylogging software or other malware designed to harvest credentials.

To protect yourself from social engineering attacks, always be cautious of requests for sensitive information, particularly unsolicited ones, and be wary of any request for access to your computer until you have verified it through authorized channels.

Credential stuffing is a type of cyberattack in which attackers take a large database of compromised usernames and passwords, typically harvested from earlier breaches, and feed those pairs automatically into login pages to gain access to users' accounts. The technique works because of the widespread reuse of weak or identical passwords across multiple online accounts.

A brute-force attack tries to crack a password by guessing combinations until it finds the correct one. To resist brute-force attacks, users should choose long, unique passwords with a mix of uppercase and lowercase letters, numbers, and special characters. Organizations should also limit the number of failed login attempts, enforce multifactor authentication where the device supports it, and implement password policies; note that current NIST guidance favors screening new passwords against breached-password lists over forced periodic rotation.
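The two attacks above leave different fingerprints in an authentication log: a brute-force attack is many failures against one or two accounts from a single source, while credential stuffing (and password spraying, which looks the same from the defender's side) is many different usernames from one source with only one or two attempts each. The script below is an added example, not code from Trustwave or the FBI, that runs that distinction over constructed OpenSSH-style log lines; the log lines, the thresholds, and the short list of default account names are all assumptions for illustration.

```python
"""Flag brute-force, stuffing/spray and default-account probing in sshd logs."""
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog format (not real traffic).
# 203.0.113.7 hammers the factory 'ubnt' account; 198.51.100.9 tries many
# usernames once each and then succeeds; 192.0.2.5 is one ordinary mistype.
SAMPLE_LOG = """\
Jan 24 10:00:01 gw sshd[101]: Failed password for ubnt from 203.0.113.7 port 50001 ssh2
Jan 24 10:00:02 gw sshd[102]: Failed password for ubnt from 203.0.113.7 port 50002 ssh2
Jan 24 10:00:03 gw sshd[103]: Failed password for ubnt from 203.0.113.7 port 50003 ssh2
Jan 24 10:00:04 gw sshd[104]: Failed password for ubnt from 203.0.113.7 port 50004 ssh2
Jan 24 10:00:05 gw sshd[105]: Failed password for ubnt from 203.0.113.7 port 50005 ssh2
Jan 24 10:00:06 gw sshd[106]: Failed password for ubnt from 203.0.113.7 port 50006 ssh2
Jan 24 10:01:00 gw sshd[110]: Failed password for invalid user jsmith from 198.51.100.9 port 40001 ssh2
Jan 24 10:01:01 gw sshd[111]: Failed password for invalid user mlee from 198.51.100.9 port 40002 ssh2
Jan 24 10:01:02 gw sshd[112]: Failed password for admin from 198.51.100.9 port 40003 ssh2
Jan 24 10:01:03 gw sshd[113]: Failed password for invalid user akhan from 198.51.100.9 port 40004 ssh2
Jan 24 10:01:04 gw sshd[114]: Accepted password for ops from 198.51.100.9 port 40005 ssh2
Jan 24 10:02:00 gw sshd[120]: Failed password for ops from 192.0.2.5 port 30001 ssh2
Jan 24 10:02:05 gw sshd[121]: Accepted password for ops from 192.0.2.5 port 30002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Illustrative factory account names; extend per your device inventory (assumption).
DEFAULT_ACCOUNTS = {"ubnt", "admin", "root"}


def parse_events(log_text):
    """Yield (result, user, ip) for every line that matches the sshd format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyze(events, fail_threshold=5, spray_users=4, success_after=3):
    """Return {source_ip: [finding tags]} for sources that look hostile."""
    per_ip = defaultdict(lambda: {"fails": defaultdict(int), "accepted": []})
    for result, user, ip in events:
        state = per_ip[ip]
        if result == "Failed":
            state["fails"][user] += 1
        else:
            # Record how many failures this source had racked up before succeeding.
            state["accepted"].append((user, sum(state["fails"].values())))

    findings = {}
    for ip, state in per_ip.items():
        tags = []
        total_fails = sum(state["fails"].values())
        distinct_users = len(state["fails"])
        # Brute force: lots of failures concentrated on one or two accounts.
        if total_fails >= fail_threshold and distinct_users <= 2:
            tags.append("brute-force")
        # Stuffing or spraying: many usernames, each tried only once or twice.
        if distinct_users >= spray_users and max(state["fails"].values()) <= 2:
            tags.append("stuffing-or-spray")
        # Any attempt against a factory account name deserves its own tag.
        if DEFAULT_ACCOUNTS & set(state["fails"]):
            tags.append("default-account-probe")
        # A success following a run of failures is the event worth paging on.
        for user, fails_before in state["accepted"]:
            if fails_before >= success_after:
                tags.append(f"success-after-failures:{user}")
        if tags:
            findings[ip] = tags
    return findings


if __name__ == "__main__":
    for ip, tags in analyze(parse_events(SAMPLE_LOG)).items():
        print(ip, ", ".join(tags))
```

On the constructed sample the script reports 203.0.113.7 as brute-force against a default account and 198.51.100.9 as stuffing-or-spray that ended in a successful login, while 192.0.2.5 (one typo, then success) produces no finding. The thresholds are deliberately low so the sample triggers; on production logs tune them per source volume and add a time window so that a slow attacker spread over days is still counted.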

Additionally, the FBI advises any organization whose routers were affected by this campaign to perform the following remediation steps:

  1. Perform a hardware factory reset to flush the file systems of malicious files;
  2. Upgrade to the latest firmware version;
  3. Change any default usernames and passwords; and
  4. Implement strategic firewall rules to prevent the unwanted exposure of remote management services.
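What steps 2 through 4 look like on an Ubiquiti EdgeOS router, as an added example that is not part of the FBI guidance or of Trustwave's text. Step 1 is done with the hardware reset button and is not shown. The commands are EdgeOS (Vyatta-style) CLI; lines beginning with `#` are annotations, not commands. The WAN interface `eth0`, the management address `192.168.1.1`, the account name `netadmin`, and the firmware download URL are assumptions to replace with your own values.

```edgeos
# Step 2 (operational mode): fetch the current firmware image, then reboot into it.
# Replace the placeholder URL with the image link from the vendor's download page.
add system image https://<vendor-download-url>/<current-EdgeOS-image>.tar
reboot

# Steps 3 and 4 are done in configuration mode.
configure

# Step 3: create a named admin with a long, unique password, then remove the
# factory 'ubnt' account. Log in as the new account before deleting 'ubnt';
# EdgeOS will not let you delete the account your own session is using.
set system login user netadmin level admin
set system login user netadmin authentication plaintext-password 'REPLACE-WITH-A-LONG-UNIQUE-PASSPHRASE'
delete system login user ubnt

# Step 4: bind the web UI and SSH to the LAN address only, drop telnet if it was
# ever enabled, and apply a 'local' firewall on the WAN interface so that only
# replies to connections the router itself started are accepted from outside.
set service gui listen-address 192.168.1.1
set service ssh listen-address 192.168.1.1
delete service telnet
set firewall name WAN_LOCAL description 'traffic addressed to the router itself on WAN'
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
```

After `commit`, confirm the rule set is attached and counting with `show firewall name WAN_LOCAL statistics` from operational mode, and verify from an external address that the web UI and SSH ports no longer answer. If administrators genuinely need remote management, reach the device over a VPN rather than opening the management ports on the WAN side.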

Let Trustwave Help

Organizations that lack the in-house ability to handle the tasks required to maintain security should consider partnering with a company that has that expertise. A Managed Security Service (MSS) provider like Trustwave, with our Managed Detection and Response (MDR) solution, may provide the answer.

Without the right expertise, organizations won't get the value they want out of these technologies. Likewise, a traditional managed security service provider (MSSP) that focuses only on monitoring logs and alerts misses a large part of the picture and can generate many false positives and low-value work for its customers.

Finally, stopping phishing at the source is the best policy, and this can be accomplished with an email security solution like Trustwave MailMarshal.

Article source: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/doj-disrupts-russian-botnet-created-using-unchanged-admin-credentials/