Apparently, the Ubiquiti EdgeRouters make a perfect hideout for Tsar Putin’s hackers. The cheap kit, used in homes and small offices, runs a version of Linux that can host malware that sneaks behind the scenes.
The hackers then use the routers to do their nasty stuff. Rather than using IP addresses known to be dodgy, the connections come from harmless-looking devices hosted by addresses with good reputations, letting them get the green light from security defences.
"With root access to hijacked Ubiquiti EdgeRouters, APT28 actors have free access to Linux-based operating systems to install tools and to hide their identity while doing dodgy campaigns," FBI officials wrote.
APT28 -- one of the names used to track a group backed by the Russian General Staff Main Intelligence Directorate, known as the GRU -- has been doing so for at least four years, the FBI has claimed.
Earlier this month, the FBI revealed that it had quietly removed Russian malware from routers in US homes and businesses. The operation, which got court permission, added firewall rules that would stop APT28 -- tracked under names including Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit -- from being able to regain control of the devices.
FBI officials noted that the operation only removed the malware used by APT28 and temporarily blocked the group from using its malware to reinfect the devices. The move did nothing to fix any holes in the routers or to remove the weak or default passwords hackers could use to take over the devices again and secretly host their malware.
"The US Department of Justice, including the FBI, and international mates recently smashed a GRU botnet made of such routers. However, owners of relevant devices should take the actions described below to ensure the long-term success of the smashing effort and to find and fix any similar hacks," the untouchables wrote.
Those actions include:
- Do a hardware factory reset to get rid of all dodgy files
- Upgrade to the latest firmware version
- Change any default usernames and passwords
- Put in firewall rules to limit outside access to remote management services