Joint Cybersecurity Advisories: Routers Compromised By Russian Cyber Actors, Updated Advisory On ALPHV Blackcat
ALPHV Blackcat ransomware affiliates continue to victimize critical infrastructure entities, particularly in the healthcare sector.
Federal Bureau Of Investigation (FBI) Joint Advisory: The FBI and its partners have released a joint Cybersecurity Advisory warning of Russian state-sponsored cyber actors’ use of compromised Ubiquiti Edge Routers to facilitate malicious cyber operations worldwide.
Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations
FORT MEADE, Md. – The National Security Agency (NSA) has joined the Federal Bureau of Investigation (FBI) and other co-sealers to publish a Cybersecurity Advisory (CSA), “Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations,” outlining observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation recommendations for EdgeRouter users and other network defenders.
The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, also known as APT28, Fancy Bear, and Forest Blizzard, has used compromised Ubiquiti EdgeRouters to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spearphishing landing pages and custom tools. Academic and research institutions, embassies, defense contractors, and political parties are among the victims.
“No part of a system is immune to threats,” said Rob Joyce, NSA’s Director of Cybersecurity. “As we have seen, adversaries have exploited vulnerabilities in servers, in software, in devices that connect to systems, in user credentials, in any number of ways. Now, we see Russian state-sponsored cyber actors abusing compromised routers and we are joining this CSA to provide mitigation recommendations.”
Ubiquiti EdgeRouters have a user-friendly, Linux-based operating system that makes them popular among both consumers and malicious cyber actors.
The devices often ship with default credentials and limited firewall protection, and EdgeRouters do not update their firmware automatically unless the owner configures them to.
Recommended mitigations in the CSA include performing a hardware factory reset, upgrading to the latest firmware version, changing any default usernames and passwords, and implementing strategic firewall rules on WAN-side interfaces.
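Two of those mitigations (removing the default account and attaching firewall rulesets to WAN-side interfaces) are visible in the router's saved configuration, so they can be audited offline. The script below is an added example, not code from the advisory or from Ubiquiti: it parses EdgeOS's brace-delimited config.boot format into nested dictionaries and flags a leftover "ubnt" account (the EdgeOS factory default login) and WAN interfaces with no "in" or "local" ruleset attached, or attached rulesets whose default-action is not drop. The two embedded configs are constructed samples, the list of WAN interface names is an assumption the caller supplies (EdgeOS does not mark interfaces as WAN itself), and the password hashes are placeholders. Firmware version and factory-reset state are not recorded in config.boot, so those mitigations still have to be checked on the device.

```python
"""Audit an EdgeOS (Ubiquiti EdgeRouter) config.boot for a leftover default
account and WAN interfaces without firewall rulesets. Added example; the
sample configs below are constructed, not captured from a real device."""

DEFAULT_USER = "ubnt"  # EdgeOS factory default login (password "ubnt")


def parse_config(text):
    """Parse the Vyatta/EdgeOS config format into nested dicts.

    `key value {` or `key {` opens a node, `}` closes it, any other line is a
    leaf `key value`. /* ... */ comment lines written by EdgeOS are skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    return root


def audit(cfg, wan_ifaces):
    """Return findings for a parsed config. wan_ifaces is the caller's list of
    internet-facing interface names (assumed; not derivable from the config)."""
    findings = []
    users = cfg.get("system", {}).get("login", {})
    if f"user {DEFAULT_USER}" in users:
        findings.append(f"default account '{DEFAULT_USER}' still exists")
    rulesets = cfg.get("firewall", {})
    interfaces = cfg.get("interfaces", {})
    for name in wan_ifaces:
        attached = interfaces.get(f"ethernet {name}", {}).get("firewall", {})
        # "in" filters traffic forwarded through the router; "local" filters
        # traffic addressed to the router itself (its SSH/HTTPS admin services).
        for direction in ("in", "local"):
            ruleset = attached.get(direction, {}).get("name")
            if not ruleset:
                findings.append(f"{name}: no '{direction}' firewall ruleset attached")
                continue
            action = rulesets.get(f"name {ruleset}", {}).get("default-action")
            if action != "drop":
                findings.append(f"{name}: ruleset {ruleset} default-action is {action!r}, not 'drop'")
    return findings


# Constructed sample: default account kept, WAN has an "in" ruleset but no "local" one.
WEAK_CONFIG = """\
firewall {
    name WAN_IN {
        default-action drop
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            in {
                name WAN_IN
            }
        }
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password $6$constructed$placeholderhash
            }
            level admin
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1" === */
"""

# Constructed sample after applying the mitigations: renamed admin account,
# both directions filtered on the WAN interface, drop-by-default rulesets.
HARDENED_CONFIG = WEAK_CONFIG.replace("user ubnt", "user netadmin").replace(
    "            in {\n                name WAN_IN\n            }\n",
    "            in {\n                name WAN_IN\n            }\n"
    "            local {\n                name WAN_LOCAL\n            }\n",
).replace(
    "    name WAN_IN {\n        default-action drop\n    }\n",
    "    name WAN_IN {\n        default-action drop\n    }\n"
    "    name WAN_LOCAL {\n        default-action drop\n    }\n",
)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_config(text), ["eth0"]))
```

Run against a real device by copying /config/config.boot off the router and passing its text to parse_config; a clean result only means these two configuration mitigations are in place, not that the firmware is current or that the device was reset after compromise.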