Cybercriminals and nation-state spies are operating side by side inside compromised routers, using these devices as cover for their attacks. This coexistence serves both strategic espionage and financially motivated crime, and it highlights the shared interest that cybercriminals and advanced persistent threat (APT) actors have in proxy anonymization layers and virtual private network (VPN) nodes as a way to hide their activities.
One example of this coexistence is a network of EdgeRouter devices manufactured by Ubiquiti. After the devices were infected by a Kremlin-backed group known as Pawn Storm, the FBI took action to temporarily disinfect them. The Russian hackers had gained control of the devices by exploiting a vulnerability in botnet malware, Moobot, that financially motivated threat actors had already installed on them. Pawn Storm then used the botnet for global cyber espionage operations, including proxying logins that used stolen account credentials and exploiting a critical zero-day vulnerability in Microsoft Exchange.
Trend Micro researchers observed that Pawn Storm also used the same botnet to send pharmaceutical-themed spam resembling the work of the Canadian Pharmacy gang. Another group installed Ngioweb malware on the botnet devices, which lets the service's users route their online activities through a series of changing IP addresses. It is unclear who uses this service, but it gives individuals a way to anonymize their online actions.
The researchers noted that the compromised Ubiquiti EdgeRouters had been backdoored with SSH servers and scripts that gave the botnet operators persistent access. In addition, the Ngioweb malware enrolled the bots in a commercially available residential proxy botnet. The researchers suggest that Pawn Storm gained access to the pool of EdgeRouter devices by brute-forcing the credentials of those backdoored SSH servers.
The overlap between Pawn Storm and the other groups resulted in a complex botnet-sharing arrangement. However, it is uncertain whether any of these groups was responsible for the initial infection of the routers with Moobot. This is concerning because it suggests that the routers may have been independently infected by multiple financially motivated groups, highlighting the rush by various threat groups to establish secret listening posts inside routers.
While the FBI's operation in January disrupted the infrastructure used by Pawn Storm, legal limitations prevented it from fully preventing reinfection. The botnet also includes virtual private servers (VPS) and Raspberry Pi devices that were unaffected by the FBI action. This means that Pawn Storm still has access to a range of compromised assets, including EdgeRouters and IP addresses that were used in attacks against government officials.
In summary, this research highlights the coexistence of cybercriminals and nation-state spies within compromised routers. Their shared interest in using these devices for proxying and anonymization makes malicious activity harder to detect. The overlap between these groups raises concerns about the extent of the compromise and the ongoing threat posed by multiple actors. Disinfecting and securing these devices must be a priority to protect networks and sensitive information.