U.S. Government Dismantles The Moobot Botnet Controlled By Russia-Linked APT28
Urfa Sarmad
A court order was passed, allowing U.S. authorities to dismantle the Moobot botnet, which was under the control of the Russia-linked cyberespionage group APT28. Russian state-sponsored hackers used the botnet to carry out a wide range of attacks.
A press release published by the DoJ states:
“A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.”
“These crimes included vast spear phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type have been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.”
Palo Alto Networks Unit 42 researchers first reported the Mirai-based Moobot botnet in February 2021. In November 2021, it started exploiting a command injection flaw (CVE-2021-36260) in the web servers of various Hikvision products. Since September 2022, the Moobot botnet has been seen targeting vulnerable D-Link routers.
In April 2023, FortiGuard Labs researchers observed hacking campaigns exploiting vulnerabilities in Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) to spread the ShellBot and Moobot malware.
In a redacted affidavit filed by the U.S. Federal Bureau of Investigation (FBI), the agency stated that Moobot compromises vulnerable, publicly accessible Ubiquiti routers by using default credentials and installing SSH malware that permits remote access to the device.
“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge O.S. routers that still used publicly known default administrator passwords,” the DoJ states. “GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”
“In another identified campaign, APT28 actors designed a fake Yahoo! landing page to send credentials entered on the false page to a compromised Ubiquiti router to be collected by APT28 actors at their convenience,” the FBI reported.
The court order allowed U.S. authorities to disrupt the botnet in the U.S. and prevent further crimes by issuing unspecified commands that copied the stolen data and malicious files before deleting them, and by modifying the routers’ firewall rules to block APT28’s remote access.
The court also allowed authorities to disconnect the routers from the Moobot network. Users can revert the firewall rule changes through a factory reset of the router, and can still access the router over the local network.