Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime
Moscow Military Hackers Used Microsoft Outlook Vulnerability
APT28 Used Hacked Ubiquiti Routers for Hashed Password Relay AttacksA campaign by Russian military intelligence to convert Ubiquiti routers into a platform for a global cyberespionage operation began as early as 2022, U.S. and foreign intelligence agencies said.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
The U.S. federal government earlier this month disrupted a botnet built from hundreds of Ubiquiti routers by a hacking unit of Russian military's Main Intelligence Directorate, known as the GRU. The Moscow threat actor, known as APT28, Fancy Bear and Forest Blizzard or Strontium, used infected routers located in the United States as proxies for hacking operations (see: US Disrupts Russian Military Intelligence Botnet).
In a Tuesday advisory published by the FBI, domestic and foreign intelligence agencies said the hackers behind the campaign had installed protocol poisoning tools on compromised routers to execute an NTLM relay attack. The attacks exploited a zero-day that Microsoft had patched in March 2023. The vulnerability, tracked as CVE-2023-23397, allowed hackers to trigger Windows into transmitting hashed passwords by sending a backdated Microsoft Outlook appointment request containing a parameter for the sound the email client should play when the appointment is overdue. But rather than playing a cheery sound effect, the parameter allowed hackers obtain the victim's login name and their password hash, which they reused.
Although Microsoft issued multiple fixes for the vulnerability, FBI investigators said Russian hackers have found unpatched systems to hack.
Russian hackers targeted a slew of industries including defense, oil and gas, technology, government and manufacturing across a host of countries including Ukraine, Poland, Lithuania, Turkey and the Czech Republic.
The FBI believes that APT28 hackers piggybacked on a criminal botnet dubbed Moobot that had already infected some Ubiquiti routers. The New York router manufacturer did not immediately return a request for comment.
Russian hackers' use of hacked routers is a characteristic of Kremlin hacking as well as Chinese state hacking, said Dan Black, a cyberespionage analyst at threat intelligence firm Mandiant. "They use them to proxy traffic to and from targeted networks while staying under the radar," he said.
The advisory warns that rebooting a compromised Ubiquiti router won't purge it of Russian malware. Rather, system administrators must perform a hard reset and should upgrade to the latest firmware.