Hackers Backed By Russia and China Are Infecting SOHO Routers Like Yours, FBI Warns (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: The FBI and partners from 10 other countries are urging owners of Ubiquiti EdgeRouters to check their gear for signs they've been hacked and are being used to conceal ongoing malicious operations by Russian state hackers. The Ubiquiti EdgeRouters make an ideal hideout for hackers. The inexpensive gear, used in homes and small offices, runs a version of Linux that can host malware that surreptitiously runs behind the scenes. The hackers then use the routers to conduct their malicious activities. Rather than using infrastructure and IP addresses that are known to be hostile, the connections come from benign-appearing devices hosted by addresses with trustworthy reputations, allowing them to receive a green light from security defenses.
"In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns," FBI officials wrote in an advisory Tuesday. APT28 -- one of the names used to track a group backed by the Russian General Staff Main Intelligence Directorate known as GRU -- has been doing just that for at least the past four years, the FBI has alleged. Earlier this month, the FBI revealed that it had quietly removed Russian malware from routers in US homes and businesses. The operation, which received prior court authorization, went on to add firewall rules that would prevent APT28 -- also tracked under names including Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit -- from being able to regain control of the devices.
On Tuesday, FBI officials noted that the operation only removed the malware used by APT28 and temporarily blocked the group using its infrastructure from reinfecting them. The move did nothing to patch any vulnerabilities in the routers or to remove weak or default credentials hackers could exploit to once again use the devices to surreptitiously host their malware. "The US Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers," they warned. "However, owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises."
Those actions include:
- Perform a hardware factory reset to remove all malicious files
- Upgrade to the latest firmware version
- Change any default usernames and passwords
- Implement firewall rules to restrict outside access to remote management services
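Two of the four remediation steps (removing default credentials and restricting outside access to remote management) can be checked from a saved configuration before and after the reset. The following is an added example, not code from the advisory, the FBI, or Ubiquiti; it audits an EdgeOS-style `show configuration commands` dump (one `set ...` line per setting) and reports anything that would leave the router exposed again. The two sample configurations are constructed for illustration, the WAN interface is assumed to be `eth0`, and the `ubnt` account name is the EdgeRouter factory default; the factory reset and firmware upgrade steps cannot be judged from a config dump and are not covered.

```python
"""Audit an EdgeOS-style configuration dump against the FBI remediation list.

Added example, not code from the advisory or from Ubiquiti.  Input is the
`show configuration commands` format ("set a b c value" per line).  Both
sample configs below are constructed for illustration.
"""
import shlex

# Constructed sample: a router still on factory defaults (the weak case).
WEAK_CONFIG = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service ssh port 22
set system login user ubnt authentication encrypted-password '$6$REDACTED'
set system login user ubnt level admin
"""

# Constructed sample: the same router after the remediation steps.
HARDENED_CONFIG = """\
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 address 192.168.1.1/24
set service gui https-port 443
set service gui listen-address 192.168.1.1
set service ssh listen-address 192.168.1.1
set service ssh port 22
set system login user admin authentication encrypted-password '$6$REDACTED'
set system login user admin level admin
"""

DEFAULT_ACCOUNT = "ubnt"        # EdgeRouter factory default login
MGMT_SERVICES = ("ssh", "gui")  # remote management services to pin to the LAN


def parse_set_commands(config_text: str) -> list[list[str]]:
    """Return the tokens of every `set ...` line, with the `set` keyword and quotes removed."""
    cmds = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            cmds.append(shlex.split(line)[1:])
    return cmds


def audit(config_text: str, wan_if: str = "eth0") -> list[str]:
    """Return a list of findings; an empty list means the config passes all checks."""
    cmds = parse_set_commands(config_text)
    findings = []

    # 1. Default credentials: the stock account should be deleted, not merely given
    #    a new password, so a later reset-and-forget cannot quietly bring it back.
    users = {c[3] for c in cmds if c[:3] == ["system", "login", "user"] and len(c) > 3}
    if DEFAULT_ACCOUNT in users:
        findings.append(f"default account '{DEFAULT_ACCOUNT}' still exists")

    # 2. A management service with no listen-address binds every interface, so it is
    #    reachable from the WAN unless a firewall stops it; require an explicit LAN bind.
    for svc in MGMT_SERVICES:
        configured = any(c[:2] == ["service", svc] for c in cmds)
        pinned = any(c[:3] == ["service", svc, "listen-address"] for c in cmds)
        if configured and not pinned:
            findings.append(f"service {svc} has no listen-address (binds all interfaces)")

    # 3. The 'local' ruleset on the WAN interface governs traffic addressed to the
    #    router itself; it must be present and default to drop.
    chain = None
    for c in cmds:
        if len(c) == 7 and c[:6] == ["interfaces", "ethernet", wan_if, "firewall", "local", "name"]:
            chain = c[6]
    if chain is None:
        findings.append(f"no local firewall ruleset applied on {wan_if}")
    elif ["firewall", "name", chain, "default-action", "drop"] not in cmds:
        findings.append(f"ruleset {chain} on {wan_if} does not default to drop")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run it against the output of `show configuration commands` copied from the router; the weak sample yields four findings (the `ubnt` account, both management services unbound, and no local ruleset on the WAN side), the hardened sample none. A passing audit says nothing about whether the firmware is current or whether the reset actually happened, so it complements the list above rather than replacing it.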
FBI to Russia: "Stop it." (Score:5, Funny)
Re: (Score:2, Insightful)
whataboutism
Re: (Score:1)
Re: (Score:2)
Wow, zionist trolls are hands-down the saddest ones I've ever seen on here. Not even remotely believable. Whose money are you taking?
Re:FBI to Russia: "Stop it." (Score:4)
They're mad because Russia deleted their backdoor.
Probably ought to be a regulatory framework (Score:5, Interesting)
Much like how electronic devices have to be licensed by the FCC, anything internet connected should also see similar regulations in order to be sold in the US. Things like not having default passwords, meeting crypto standards, etc. And of course, device classification for things like these that have their own rules, like by default prevent the possibility of gaining admin access from the WAN facing interface.
If they're exploited in some way like e.g. a manufacturer (say Intel) sold a CPU with a Meltdown-style vulnerability, they won't be penalized for that UNLESS they didn't follow any of the other rules, leading to an exploit; then it's on them to remediate it, be that through recalls or what have you. And of course, add a fine on top of it if say they used a weak crypto implementation or some other negligence.
Re: (Score:2)
100% agreed. Either an industry group needs to start scanning and labeling devices like how UL does this for electronics, or the FTC needs to do it, or resellers like Amazon need to. Right now there is no transparency, accountability, or reportability.
Re: (Score:2)
I agree that it would be helpful to have an industry group (not government) set basic best practices, like listed prior.
And in this case, it turns out to be the old problem with default passwords, yet again:
"The Russian hackers gained control of devices after they were already infected with Moobot, which is botnet malware used by financially motivated threat actors not affiliated with the GRU. These threat actors installed Moobot after first exploiting publicly known default administrator credentials that ha
Re: (Score:2)
1) Mandated government backdoors for ensuring compliance with Child Protection Laws. (And copyright enforcement, law enforcement, etc....)
2) No Hacker OSes. (Mandatory US based company made OSes only.)
3) Mandatory Remote Kill Switches, for stopping rogue AIs. (And copyright enforcement, law enforcement, etc.....)
Re: (Score:2)
Mandatory Remote Kill Switches, for stopping rogue AIs.
And in southern states for stopping rainbow AIs, because that's a far bigger threat than Russia, which actually shares a lot of their conservative values, is.
Re: (Score:2)
First up on the (future) regulations list: 1) Mandated government backdoors for ensuring compliance with Child Protection Laws. (And copyright enforcement, law enforcement, etc....) 2) No Hacker OSes. (Mandatory US based company made OSes only.) 3) Mandatory Remote Kill Switches, for stopping rogue AIs. (And copyright enforcement, law enforcement, etc.....)
Cue the civil unrest in response to any gub'mint proposal like that in 3..2..1
Re: (Score:1)
Just wait a year or two, some dumbass judge in Texas will decide the FCC's regulations are a burden on business and disallow them. It will get appealed to the 5th Circuit Federal Appeals Court who always bend over for any right wingnut cause wrapped in their warped view that the "Deep State" is out to get them. That will get appealed to the Supreme Court where Alito and Thomas will lead their right wingnut fellow travelers in declaring the FCC has overstepped its mandate and are poised to decimate the sain
General Public Too Stupid (Score:2)
To know or understand what any of that means. Hack on.
Re: (Score:2)
Indeed.
Meanwhile (Score:2)
Re:Meanwhile (Score:5, Insightful)
>"People won't follow all the directions, they'll do the factory reset, and expose more default passwords to the internet."
A properly designed router/firewall will NOT ALLOW INSTALLATION without FORCING the user to change the root/admin password to something not the default, FIRST. It should have been designed that way from the start, and most of this stuff would not have happened.
This is an old problem that I thought had been mostly fixed by now.
Re: (Score:2)
This is a very old problem, but since makers of such devices are still free to use people with zero understanding of IT security to write the software, and there is no liability even for grossly screwing up, this is in no way a fixed problem. If we had laws that, say, would make manufacturers liable for any hackable device where that was made possible by gross negligence like default passwords or no enforced password change on installation with, say, $1000 compensation plus price of the device for each cust
Re: (Score:2)
If it's real, tariff their shit (Score:2)
If there's clear evidence of the Chinese gov't being involved, then we should sanction China. (We can't Sanction Russia much, they are already sanctioned up the wazoo.)
Re: (Score:2)
And every time we do they counter with sanctions against American companies (Micron, etc). It's a race to the bottom. We rely on them more than they rely on the USA.
Need to Incentivize moving production out of china, THEN sanction.
Re: (Score:1)
> We rely on them more than they rely on USA.
I dispute that, it's probably more even. They are dependent on sales revenue from American consumers. If US stopped consuming their goods, it would likely trigger a nasty recession in China. Survivable maybe, but not pleasant. It could trigger riots that would oust Xi.
Sadly, there is little consumers can do (Score:2)
How can an end-user protect themselves from stuff like this other than changing passwords and turning off the management interfaces? AFAIK they can't do much else. They can't scan their router to see if it is infected. Hopefully the devices self-update in a secure way, but I know in the past many of them didn't. Desktop antivirus tools won't scan remote devices so even if the device has a vulnerability, there isn't anything to tell the end-user.
Re: Sadly, there is little consumers can do (Score:2)
changing passwords and turning off the management interfaces
In this case that is exactly how they could protect themselves.
Re: Sadly, there is little consumers can do (Score:4, Informative)
Well you can't turn off the management interface entirely, only (in some cases) restrict it to LAN access.
Even this isn't enough in some cases, as devices typically use predictable or default legacy IPv4 addresses and are vulnerable to XSRF attacks.
And that's just for attacks using default creds. There are also direct vulnerabilities in some of these devices which can be exploited.
There are lots of vendors churning out cheap garbage, often based on the same physical chipsets but with their own hacked together firmware (usually for the purpose of branding). Typically once deployed they never provide any firmware updates at all, and these devices might run for 10+ years unless the user chooses to replace them. Functionality also tends to be poor and/or buggy.
They would be much better off just shipping the cheap generic hardware with OpenWRT, at least then they could be easily updated if a problem is found, and the OpenWRT developers are a lot more vigilant than whoever kludges together these noname brand firmwares.
The router supplied by the ISP here is especially bad. They ALWAYS use a legacy IP of "192.168.1.1" unless you reconfigure it (which no one does). They also have what can only be described as a backdoor whereby merely accessing http://192.168.1.1/command?COM... [192.168.1.1] will result in "COMMANDHERE" being executed on the underlying Linux system with root privileges.
All I have to do is create a simple HTML page with an image tag that points to the command URL with commands of my choosing, and anyone using the same router who visits the page will cause the commands to be executed on their router.
And that's just the tip of the iceberg, pulling off the firmware and combing through it shows all kinds of other bugs.
Re: (Score:2)
Perform a hardware factory reset (Score:2)
No computer, router, phone, etc. sold today is designed to have that feature. This should change.
Re: (Score:2)
Baked-in immutable base firmware capable of resetting hardware, firmware and software to guarantee a known good state is the only way. And it's never going to happen.
Likely most not going to get patched... (Score:2)
Most families I suspect don't know enough to do it or think of routers as set and forget (if they get it to work, then job accomplished). I bet if you took a poll of all households 1 mile around me in an urban area, less than a few percent are checking their routers at all to make sure they are up-to-date and a lot of them likely don't remember how to since setting them up years ago. To be fair though... I would think most homes are using ISP provided routers which typically are updated by the ISP. IS
For more info... (Score:2)
https://www.ic3.gov/Media/News... [ic3.gov]
Checked my router and everything looks fine, but a few of their tricks are pretty sneaky. I would love to find some firewall rules for blocking LAN traffic to the router while not impacting functionality; I could play with it but really don't have the energy right now.