Cybersecurity and intelligence agencies from multiple countries have issued a joint advisory urging users of Ubiquiti EdgeRouter to take immediate protective measures in the wake of a botnet threat known as MooBot. The advisory comes weeks after law enforcement dismantled the botnet in an operation codenamed Dying Ember.
MooBot, attributed to the Russia-linked threat actor APT28 (associated with Russia’s Main Directorate of the General Staff, the GRU), has been used for covert cyber operations and for distributing custom malware. According to authorities, APT28 has employed compromised EdgeRouters globally since 2022 to harvest credentials, collect network traffic, and host spear-phishing landing pages and custom tools.
The attacks, spanning various sectors in multiple countries including the Czech Republic, Italy, the U.S., and others, involve targeting routers with default or weak credentials to deploy OpenSSH trojans. APT28 leverages this access to deliver malicious payloads, including Python scripts for collecting credentials from targeted webmail users via spear-phishing campaigns.
Additionally, APT28 has been linked to exploiting CVE-2023-23397, a critical privilege escalation flaw in Microsoft Outlook, and to using MASEPIE, a Python backdoor, with compromised Ubiquiti EdgeRouters serving as its command-and-control infrastructure.
To mitigate the threat, organizations are advised to perform a hardware factory reset of affected routers, upgrade to the latest firmware version, change the default credentials, and implement firewall rules so that remote management services are not exposed to the internet.
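The four mitigation steps above map onto a short EdgeOS configuration session. The session below is an added illustration, not part of the advisory or of Ubiquiti's own documentation; it assumes EdgeOS's documented `set`/`commit`/`save` CLI, that `eth0` is the WAN interface, that the LAN side of the router is `192.168.1.1/24`, and that the new administrator account is named `netadmin`. The hardware factory reset (step 1) is performed on the device itself before this session, and the firmware image URL is a placeholder to be replaced with the current release from Ubiquiti.

```text
# Step 2: upgrade firmware (operational mode). Replace the URL with the
# current EdgeOS release for this model; reboot afterwards.
add system image https://PLACEHOLDER-firmware-url/ER-e50.vX.Y.Z.tar
reboot

# Step 3: replace the default 'ubnt' credentials.
# Create a new admin user first, then remove the default account so the
# well-known username/password pair no longer exists on the router.
configure
set system login user netadmin level admin
set system login user netadmin authentication plaintext-password 'USE-A-LONG-UNIQUE-PASSPHRASE'
delete system login user ubnt

# Step 4a: bind management services to the LAN address only (assumed
# listen-address syntax), so SSH and the web UI are not reachable on the WAN.
set service ssh listen-address 192.168.1.1
set service gui listen-address 192.168.1.1

# Step 4b: stateful WAN-to-router firewall. Default-drop means unsolicited
# inbound connections to the router itself (SSH, HTTPS, etc.) are discarded;
# only replies to traffic the router initiated are accepted.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
exit
```

After committing, verify the result from the router's own shell with `show configuration commands | match WAN_LOCAL` and `show system login`, and confirm from an external address that neither SSH nor HTTPS on the WAN IP answers. Because the advisory calls for a hardware reset rather than a configuration change, the sequence above is only meaningful on a router that has already been reset and reflashed; applying it to a still-compromised device leaves any implanted OpenSSH trojan in place.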