Fancy Bear sniffs out Ubiquiti router users

The American authorities have warned users of Ubiquiti’s EdgeRouter products that they may be at risk of being targeted by the Russian state threat actor Fancy Bear, also known as APT28 and Forest Blizzard/Strontium.

In a coordinated advisory, to which partner agencies including the UK’s National Cyber Security Centre (NCSC) and counterparts in Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland and South Korea also put their signatures, the FBI, National Security Agency (NSA) and US Cyber Command urged users of the affected products to be on their guard.

“Fancy Bear, and Forest Blizzard (Strontium), have used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear phishing landing pages and custom tools,” read the advisory.

Users of EdgeRouters have been told to perform a factory reset, upgrade to the latest firmware version, change default usernames and credentials, and implement strategic firewall rules on WAN-side interfaces.

Ubiquiti EdgeRouters have become popular among users and threat actors alike thanks to a user-friendly, Linux-based operating system. Unfortunately, they also contain two highly dangerous flaws – the devices often ship with default credentials and have limited firewall protections, and they do not automatically update their firmware unless the user has configured them to do so.

Fancy Bear is using compromised routers to harvest victim credentials, collect digests, proxy network traffic and host spear phishing landing pages and other custom tools. Targets of the operation include academic and research institutions, embassies, defence contractors and political parties, located in multiple countries of interest to Russian intelligence, including Ukraine.

“No part of a system is immune to threats,” said NSA cyber security director Rob Joyce. “As we have seen, adversaries have exploited vulnerabilities in servers, in software, in devices that connect to systems, in user credentials, in any number of ways. Now, we see Russian state-sponsored cyber actors abusing compromised routers and we are joining this CSA to provide mitigation recommendations.”

Dan Black, manager of Mandiant Cyber Espionage Analysis, which contributed to the research from which the advisory was compiled, said: “Mandiant, in collaboration with our partners, have tracked APT28 using compromised routers to conduct espionage globally over the past two years. These devices have been central to the group’s efforts to steal credentials and deliver malware to governments and critical infrastructure operators in a range of different sectors.

“APT28’s activity is characteristic of a wider pattern from Russian and PRC threat actors who are exploiting network devices to enable their future operations. They use them to proxy traffic to and from targeted networks while staying under the radar.”

The FBI/NSA announcement comes barely a fortnight after the US Department of Justice (DoJ) orchestrated a mass takedown of a botnet comprising Ubiquiti EdgeRouters on which the default passwords had never been changed, enabling Fancy Bear to use a malware called Moobot to install bespoke scripts and files and flip the vulnerable routers to assets in its cyber espionage campaigns.

If further evidence was needed of the risk to edge networking devices from such tactics, a similar operation in January 2024 saw the coordinated takedown of a botnet created by the China-backed Volt Typhoon threat actor, which saw hundreds of Cisco and Netgear branded small and home office routers infected with a malware known as KV Botnet. In this way, China was able to conceal the fact that it was the source of hacks perpetrated against operators of critical national infrastructure in the US and elsewhere.