Threat Actors Love Ubiquiti. A Match Made in Cyber Heaven
APT28's operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. The targeted countries include the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US, with a strategic focus on individuals in Ukraine.
Potential consequences and impacts on these affected industries include:
📌 Data breaches and theft of sensitive information, intellectual property, or trade secrets.
📌 Disruption of critical infrastructure operations, such as power grids, transportation systems, or manufacturing processes.
📌 Compromise of government networks and systems, potentially leading to espionage or national security threats.
📌 Financial losses due to operational disruptions, theft of customer data, or reputational damage.
📌 Potential safety risks if control systems or operational technology (OT) networks are compromised.
📌 Loss of customer trust and confidence in the affected organizations.
MITRE ATT&CK TTPs
Resource Development:
📌 T1587 (Develop Capabilities): APT28 authored custom Python scripts to collect webmail account credentials.
📌 T1588 (Obtain Capabilities): APT28 accessed EdgeRouters compromised by the Moobot botnet, which installs OpenSSH trojans.
Initial Access:
📌 T1584 (Compromise Infrastructure): APT28 accessed EdgeRouters previously compromised by an OpenSSH trojan.
📌 T1566 (Phishing): APT28 conducted cross-site scripting and browser-in-the-browser spear-phishing campaigns.
Execution:
📌 T1203 (Exploitation for Client Execution): APT28 exploited CVE-2023-23397, the Microsoft Outlook vulnerability that leaks NTLM credentials.
Persistence:
📌 T1546 (Event Triggered Execution): The compromised routers housed Bash scripts and ELF binaries designed to backdoor OpenSSH daemons and related services.
Credential Access:
📌 T1557 (Adversary-in-the-Middle): APT28 installed tools such as Impacket's ntlmrelayx.py and Responder on compromised routers to execute NTLM relay attacks.
📌 T1556 (Modify Authentication Process): APT28 hosted rogue NTLMv2 authentication servers on the compromised routers and abused credentials captured through the NTLM relay attacks.
Collection:
📌 T1119 (Automated Collection): APT28 utilized CVE-2023-23397 to automate the collection of NTLMv2 hashes.
Exfiltration:
📌 T1020 (Automated Exfiltration): APT28 utilized CVE-2023-23397 to automate the exfiltration of data to actor-controlled infrastructure.