
February 16, 2024 |

U.S. authorities disrupt ‘MooBot’ botnet used by Russian military hackers

Last updated: April 15, 2024


The U.S. federal government announced today that it has conducted a court-authorized operation, dubbed ‘Dying Ember’, to disrupt the ‘MooBot’ botnet leveraged by hackers belonging to Russia’s Main Intelligence Directorate (GRU), known as APT 28, to support its malicious cyber activities.

The botnet consisted of hundreds of Ubiquiti small office / home office (SOHO) routers originally compromised by non-GRU cyber criminals, who used default credentials to install the MooBot malware and so gain persistent remote access to the devices. It's alleged that APT 28 was able to identify and access the already-compromised routers and use the MooBot malware to install its own scripts and platforms, customizing the botnet for its own purposes.

The botnet allowed APT 28 actors to mask their true location and harvest credentials and hashes, as well as host spear-phishing landing pages and other custom tooling for brute-forcing passwords, stealing router user passwords, and spreading the MooBot malware to other appliances.

To disrupt the botnet, U.S. authorities sent a series of unspecified commands to the compromised routers that first copied the stolen data and malicious files they contained, then deleted those files and modified the routers' firewall rules to block APT 28 from regaining access.

Source: The Hacker News

Analysis

According to the Shadowserver Foundation, there are approximately 8,000 Ubiquiti edge routers deployed in the U.S. How many of these routers are compromised by MooBot is not known.

Image 1: Map of Ubiquiti edge routers deployed worldwide (Source: Shadowserver Foundation)

Operation Dying Ember comes shortly after U.S. authorities dismantled another botnet, called KV-botnet, used by Chinese state-sponsored hackers to target U.S. critical infrastructure facilities. Both takedowns reflect how seriously the U.S. takes Russian and Chinese cyber activities, and that it won't hesitate to take the actions required to mitigate the risk these actors pose.

Now that two major botnets have been neutralized, it’s likely that Chinese and Russian cyber actors will attempt to rebuild them using other types of vulnerable infrastructure, or revert to covertly leasing infrastructure from less reputable hosting providers to facilitate their malicious cyber activities.

Mitigation

Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software, appliances and operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.

Field Effect strongly encourages users to enable automatic updates on SOHO devices so they receive security patches promptly. Users are also reminded to configure these devices properly (e.g., restrict external access to management interfaces and disable unnecessary services), replace factory-default credentials, and maintain strong password hygiene.
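One way to turn the three recommendations above into a repeatable check is to audit the router's saved configuration rather than trust that someone clicked the right boxes. The following is an added example written for this page, not Field Effect's or Ubiquiti's code: a small Python audit of an EdgeOS-style (Vyatta-syntax) `show configuration` dump that flags a lingering factory-default account, a WAN port with no default-drop ruleset for traffic addressed to the router itself (which is what exposes SSH/HTTPS management to the Internet), and enabled services that only widen the attack surface. Both sample configurations are constructed for illustration. `eth0` as the WAN port is an assumption, as is `ubnt` as the factory-default account name (the EdgeRouter default, not stated on this page) and the exact service names to treat as unnecessary.

```python
"""Audit an EdgeOS-style router config for the weaknesses the article describes (added example)."""

WAN_IF = "eth0"           # assumption: eth0 is the Internet-facing port
DEFAULT_ACCOUNT = "ubnt"  # EdgeRouter factory-default login (assumption, see lead-in)
RISKY_SERVICES = ("telnet", "upnp")  # present in the config only if someone turned them on

def parse_config(text):
    """Parse a Vyatta/EdgeOS-style 'show configuration' dump into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value or True  # bare keyword such as 'disable'
    return stack[0]

def lookup(cfg, *path):
    for key in path:  # walk a key path such as ('system', 'login'); None if a step is missing
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Factory-default account still present: default credentials were MooBot's foothold.
    if lookup(cfg, "system", "login", f"user {DEFAULT_ACCOUNT}") is not None:
        findings.append(f"default account '{DEFAULT_ACCOUNT}' exists; replace it with a named admin")
    # 2. Router-bound packets on the WAN port must hit a default-drop ruleset, else management is Internet-reachable.
    ruleset = lookup(cfg, "interfaces", f"ethernet {WAN_IF}", "firewall", "local", "name")
    if ruleset is None:
        findings.append(f"{WAN_IF} has no 'local' firewall; management ports exposed to WAN")
    elif lookup(cfg, "firewall", f"name {ruleset}", "default-action") != "drop":
        findings.append(f"ruleset {ruleset} on {WAN_IF} does not default to drop")
    # 3. Services that only widen the attack surface.
    services = lookup(cfg, "service") or {}
    for svc in RISKY_SERVICES:
        if svc in services:
            findings.append(f"service '{svc}' is enabled; remove it unless required")
    return findings

# Constructed weak config: default account, nothing guarding router-bound WAN traffic, telnet on.
WEAK_CONFIG = """
interfaces {
    ethernet eth0 {
        address dhcp
    }
}
service {
    telnet {
        port 23
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""

# Constructed hardened config: named admin, WAN_LOCAL drops all but replies to the router's own sessions.
HARDENED_CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
system {
    login {
        user netadmin {
            level admin
        }
    }
}
"""
```

Running `audit(parse_config(WEAK_CONFIG))` reports three findings (default account, no `local` ruleset on `eth0`, telnet enabled), while the hardened configuration reports none. The `rule 10` accepting established/related traffic matters in practice: a bare `default-action drop` on the `local` ruleset would also discard replies to the router's own DNS, NTP and DHCP requests. The check is deliberately conservative; it inspects configuration, not the running device, so it cannot tell whether a default password is still set behind a non-default account name.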
