Two weeks after the takedown of a botnet of Ubiquiti routers that a Russian advanced persistent threat (APT) actor had used for global cyberespionage, the US government is urging organizations and consumers to clean their devices to support the disruption effort.

Hundreds of Ubiquiti EdgeRouters were first compromised by cybercriminals using the ‘Moobot’ malware and were subsequently commandeered by APT28, also known as Fancy Bear, a group associated with Russia’s Main Intelligence Directorate of the General Staff (GRU). Since 2022, APT28 has covertly operated these routers to target a range of industries across Europe, the Middle East, and the US.

By exploiting default credentials and the trojanized OpenSSH server processes installed by Moobot, APT28 gained root access to the routers, which allowed it to collect data, proxy network traffic, and host malicious landing pages. Notably, compromised routers were also used as command-and-control infrastructure for the MasePie Python backdoor.

The advisory lists mitigation measures, including resetting the devices, updating firmware, changing credentials, and implementing firewall rules, along with indicators of compromise (IoCs) to support detection and remediation efforts.

