Threat Actors Love Ubiquiti. A Match Made in Cyber Heaven

Threat ‎Actor's‏ ‎operations ‎have ‎targeted ‎various ‎industries,‏ ‎including ‎Aerospace‏ ‎&‏ ‎Defense, ‎Education, ‎Energy‏ ‎& ‎Utilities,‏ ‎Governments, ‎Hospitality, ‎Manufacturing, ‎Oil‏ ‎&‏ ‎Gas, ‎Retail,‏ ‎Technology, ‎and‏ ‎Transportation. ‎The ‎targeted ‎countries ‎include‏ ‎the‏ ‎Czech ‎Republic,‏ ‎Italy, ‎Lithuania,‏ ‎Jordan, ‎Montenegro, ‎Poland, ‎Slovakia, ‎Turkey,‏ ‎Ukraine,‏ ‎United‏ ‎Arab ‎Emirates,‏ ‎and ‎the‏ ‎US, ‎with‏ ‎a‏ ‎strategic ‎focus‏ ‎on ‎individuals ‎in ‎Ukraine.

Potential ‎consequences‏ ‎and ‎impacts‏ ‎on‏ ‎these ‎affected ‎industries‏ ‎include:

📌 Data ‎breaches‏ ‎and ‎theft ‎of ‎sensitive‏ ‎information,‏ ‎intellectual ‎property,‏ ‎or ‎trade‏ ‎secrets.

📌 Disruption ‎of ‎critical ‎infrastructure ‎operations,‏ ‎such‏ ‎as ‎power‏ ‎grids, ‎transportation‏ ‎systems, ‎or ‎manufacturing ‎processes.

📌 Compromise ‎of‏ ‎government‏ ‎networks‏ ‎and ‎systems,‏ ‎potentially ‎leading‏ ‎to ‎espionage‏ ‎or‏ ‎national ‎security‏ ‎threats.

📌 Financial ‎losses ‎due ‎to ‎operational‏ ‎disruptions, ‎theft‏ ‎of‏ ‎customer ‎data, ‎or‏ ‎reputational ‎damage.

📌 Potential‏ ‎safety ‎risks ‎if ‎control‏ ‎systems‏ ‎or ‎operational‏ ‎technology ‎(OT)‏ ‎networks ‎are ‎compromised.

📌 Loss ‎of ‎customer‏ ‎trust‏ ‎and ‎confidence‏ ‎in ‎the‏ ‎affected ‎organizations.

MITRE ‎ATT&CK ‎TTPs

Resource ‎Development:

T1587‏ ‎(Develop‏ ‎Capabilities): APT28‏ ‎authored ‎custom‏ ‎Python ‎scripts‏ ‎to ‎collect‏ ‎webmail‏ ‎account ‎credentials.

T1588‏ ‎(Obtain ‎Capabilities): ‎APT28 ‎accessed ‎EdgeRouters‏ ‎compromised ‎by‏ ‎the‏ ‎Moobot ‎botnet, ‎which‏ ‎installs ‎OpenSSH‏ ‎trojans.

Initial ‎Access:

T1584 ‎(Compromise ‎Infrastructure): APT28‏ ‎accessed‏ ‎EdgeRouters ‎previously‏ ‎compromised ‎by‏ ‎an ‎OpenSSH ‎trojan.

📌 T1566 ‎(Phishing): ‎APT28‏ ‎conducted‏ ‎cross-site ‎scripting‏ ‎and ‎browser-in-the-browser‏ ‎spear-phishing ‎campaigns.

Execution:

T1203 ‎(Exploitation ‎for ‎Client‏ ‎Execution):‏ ‎APT28‏ ‎exploited ‎the‏ ‎CVE-2023-23397 ‎vulnerability.

Persistence:

📌 T1546‏ ‎(Event ‎Triggered‏ ‎Execution):‏ ‎The ‎compromised‏ ‎routers ‎housed ‎Bash ‎scripts ‎and‏ ‎ELF ‎binaries‏ ‎designed‏ ‎to ‎backdoor ‎OpenSSH‏ ‎daemons ‎and‏ ‎related ‎services.

Credential ‎Access:

📌 T1557 ‎(Adversary-in-the-Middle):‏ ‎APT28‏ ‎installed ‎tools‏ ‎like ‎Impacket‏ ‎http://ntlmrelayx.py and ‎Responder ‎on ‎compromised ‎routers‏ ‎to‏ ‎execute ‎NTLM‏ ‎relay ‎attacks.

📌 T1556‏ ‎(Modify ‎Authentication ‎Process): ‎APT28 ‎hosted‏ ‎NTLMv2‏ ‎rogue‏ ‎authentication ‎servers‏ ‎to ‎modify‏ ‎the ‎authentication‏ ‎process‏ ‎using ‎stolen‏ ‎credentials ‎from ‎NTLM ‎relay ‎attacks.

Collection:

📌 T1119‏ ‎(Automated ‎Collection): APT28‏ ‎utilized‏ ‎CVE-2023-23397 ‎to ‎automate‏ ‎the ‎collection‏ ‎of ‎NTLMv2 ‎hashes.

Exfiltration:

📌 T1020 ‎(Automated‏ ‎Exfiltration): APT28‏ ‎utilized ‎CVE-2023-23397‏ ‎to ‎automate‏ ‎the ‎exfiltration ‎of ‎data ‎to‏ ‎actor-controlled‏ ‎infrastructure.