Russian hackers are exploiting edge routers to launch major new cyberattacks

Routers with default login settings are sitting ducks


Hackers with ties to the Russian government are using compromised Ubiquiti EdgeRouters, a popular line of edge routers, to launch dangerous new attacks.

The warning comes in a joint security advisory published by the FBI, the NSA, US Cyber Command, and national cybersecurity and law enforcement agencies from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom.

According to the advisory, the Russian threat actor known as APT28 (also tracked as Fancy Bear, Forest Blizzard, and Strontium) has been using compromised EdgeRouters around the world for credential harvesting, proxying network traffic, and spear-phishing campaigns.

Default login credentials

APT28, which the agencies assess is operated by the Russian General Staff Main Intelligence Directorate (GRU), has been abusing these routers since at least 2022 to target governments, militaries, and other organizations around the world. The most heavily targeted sectors include aerospace and defense, education, energy and utilities, government, hospitality, manufacturing, oil and gas, retail, technology, and transportation.

Victims were spread across Europe, the Middle East, and the US, in countries including the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. Many individuals in Ukraine were "strategically targeted", the advisory adds.

The problem with EdgeRouters is that, in many cases, their owners never change the default login credentials, giving attackers easy access to the device's administration interface. Once inside, the intruders install Moobot, a botnet whose payload replaces the router's OpenSSH server with a trojanized version. Each compromised router accessed by APT28 actors housed a "collection of Bash scripts and ELF binaries" designed to exploit the backdoored OpenSSH daemons and related services for credential harvesting, proxying network traffic, and more.

In early 2023, the FBI found that APT28 had written a custom Python script to steal login credentials from specifically targeted webmail users, and was also exploiting a then-zero-day Outlook vulnerability (CVE-2023-23397) to harvest NTLMv2 digests from targeted Outlook accounts.


The US Department of Justice and its partners recently disrupted the APT28 botnet built on these routers, but the job is not done until the owners of the devices remove the attackers' foothold. Per the DoJ's guidance, they should perform a hardware factory reset, upgrade to the latest firmware, replace the default usernames and passwords, and implement firewall rules on WAN-side interfaces so that remote management services are not reachable from the internet. A password change on its own is not enough, because a trojanized OpenSSH binary survives it; that is why the reset and firmware upgrade come first.
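As an added example (not part of the TechRadar article, the advisory, or Ubiquiti's own documentation), the following EdgeOS CLI session shows the last two remediation steps in configuration form and addresses the default-credential problem described above: it replaces the factory `ubnt` account, moves SSH to key-only authentication, binds the web UI to the LAN address, and attaches a default-drop firewall policy to traffic arriving from the WAN interface that is addressed to the router itself. The interface name `eth0`, the LAN address `192.168.1.1`, the user name `netadmin`, the key name `laptop` and the password and public-key placeholders are assumptions; the command syntax is EdgeOS (Vyatta-style) and should be checked against the firmware release in use.

```edgeos
configure

# 1. Replace the factory account. EdgeRouters ship with user "ubnt" and a
#    well-known default password. Create the new admin first and confirm it
#    can log in before the old account is removed.
#    ("netadmin", the passphrase and the key body are placeholders.)
set system login user netadmin level admin
set system login user netadmin authentication plaintext-password 'REPLACE-WITH-A-LONG-UNIQUE-PASSPHRASE'
set system login user netadmin authentication public-keys laptop type ssh-rsa
set system login user netadmin authentication public-keys laptop key 'AAAAB3...PUBLIC-KEY-BODY...'
commit
save

# Log out, log back in as netadmin, then continue in a new "configure" session:
delete system login user ubnt

# 2. Key-only SSH, and bind the web UI to the LAN address instead of all interfaces.
set service ssh port 22
set service ssh disable-password-authentication
set service gui https-port 443
set service gui listen-address 192.168.1.1

# 3. WAN_LOCAL: policy for packets from the WAN that are addressed to the
#    router itself (the management plane). Default-drop; only return traffic
#    for sessions the router opened is allowed back in.
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 description 'allow established/related'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 description 'drop invalid state'
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable

# Attach the policy to the WAN interface (assumed to be eth0) as its "local" ruleset.
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
exit
```

Verify from outside afterwards: a connection to the WAN address on ports 22 and 443 should time out rather than present an SSH banner or the web UI login page. Because the policy is attached only to the WAN interface, management over the LAN is unaffected; do not apply an equivalent default-drop ruleset to the LAN interface without an explicit accept rule for your own management traffic, or you will lock yourself out. These steps follow the factory reset and firmware upgrade rather than replacing them: hardening the configuration of a router that still runs a trojanized OpenSSH binary leaves the attacker in place.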


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
