Hackers everywhere are fighting for control of home and office routers


Cybercriminals and spies working for nation-states coexist secretly in compromised routers of well-known brands while using the devices to disguise attacks aimed at both financial gain and strategic espionage, researchers say.

In some cases, coexistence is peaceful: financially motivated hackers give spies access to already compromised routers for a fee, researchers at security firm Trend Micro reported Wednesday. In other cases, hackers working in state-backed advanced persistent threat groups take control of devices previously hacked by cybercrime groups. Sometimes the devices are compromised multiple times, independently, by different groups. The result is a free-for-all inside routers and, to a lesser extent, inside VPN devices and virtual private servers provided by hosting companies.

“Cybercriminals and advanced persistent threat (APT) actors have a common interest in proxy anonymization layers and virtual private network (VPN) nodes to hide traces of their presence and make malicious activity more difficult to detect,” Trend Micro researchers Feike Hacquebord and Fernando Merces wrote. “This common interest leads to malicious internet traffic that combines financial and espionage motives.”

Pawn Storm, a spammer and proxy service

A good example is a network consisting primarily of EdgeRouter devices from Ubiquiti. The FBI found that it had been infected by a Kremlin-backed group and was being used as a botnet to camouflage ongoing attacks against governments, militaries and other organizations around the world; in January the bureau began an operation to temporarily disinfect the devices.

The Russian hackers gained control after the devices had already been infected with Moobot botnet malware used by financially motivated threat actors not affiliated with the Russian government. These threat actors installed Moobot after initially exploiting publicly known default administrator credentials that the device owners had not removed. The Russian hackers – known by various names including Pawn Storm, APT28, Forest Blizzard, Sofacy and Sednit – then exploited a vulnerability in the Moobot malware and used it to install custom scripts and malware that turned the botnet into a global cyber espionage platform.

Trend Micro researchers said Pawn Storm used the hijacked botnet as a proxy for (1) logins that used stolen account credentials and (2) attacks that exploited a critical zero-day vulnerability in Microsoft Exchange that was not fixed until March 2023. The zero-day exploits allowed Pawn Storm to obtain the cryptographic hash of users’ Outlook passwords simply by sending them a specially formatted email. Once Pawn Storm was in possession of the hash, it ran a so-called NTLMv2 hash relay attack that caused logins to the user accounts to be routed through one of the botnet devices. Microsoft provided a diagram of the attack shown below:


Trend Micro observed that the same botnet was being used to send pharmaceutical-themed spam bearing the trademarks of the so-called Canadian Pharmacy Gang. Another group installed malware called Ngioweb on botnet devices. Ngioweb, first found in 2019, runs on routers from DLink, Netgear and other manufacturers, as well as on other devices running Linux on x86, ARM and MIPS hardware. Ngioweb’s purpose is to provide proxies that allow individuals to route their online activity through a range of regularly changing IP addresses, particularly ones in the United States, which are known for their trustworthiness. It is not exactly clear who uses the service operated by Ngioweb.

Trend Micro researchers wrote:

In the specific case of the compromised Ubiquiti EdgeRouters, we observed that a botnet operator had been installing backdoored SSH servers and a series of scripts on the compromised devices for years without much attention from the security industry to enable persistent access. Another threat actor installed the memory-only Ngioweb malware to add the bots to a commercially available consumer proxy botnet. Pawn Storm most likely easily backdoored SSH server credentials, gaining access to a pool of EdgeRouter devices that they could abuse for various purposes.

The researchers provided the following table summarizing the botnet sharing agreement between Pawn Storm and the other two groups, Water Zmeu and Water Barghest:


It is unclear whether any of the groups were responsible for installing the aforementioned Moobot malware that the FBI reportedly found on the devices. If not, that would mean that routers were infected independently by three financially motivated groups in addition to Pawn Storm, further underscoring the ongoing push by multiple threat groups to set up secret listening posts in routers. Trend Micro researchers were not available for clarification.

The post further reported that while the FBI’s January operation affected the infrastructure on which Pawn Storm relied, legal restrictions kept the operation from taking steps to prevent reinfection. In addition, the botnet also included virtual public servers and Raspberry Pi devices that were not affected by the FBI action.

“This means that despite law enforcement efforts, Pawn Storm still has access to many other compromised assets, including EdgeServer,” Trend Micro’s report said. “For example, IP address 32[.]143[.]50[.]222 was used as an SMB reflector around February 8, 2024. The same IP address was used as a proxy in a credential phishing attack against various government officials around the world on February 6, 2024.”
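As an added, defender-side example that is neither the article's nor Trend Micro's code: a small Python triage check for the pattern the NTLMv2 relay described earlier (and the "SMB reflector" in the quote above) leaves on the victim's side. It selects Windows Security 4624 network logons authenticated with NTLM V2 whose source address lies outside the organisation's own ranges, then ranks external addresses that authenticate as several distinct accounts. The internal ranges and the sample events are assumptions constructed for the example.

```python
"""Triage check for relayed NTLMv2 logons (added example, not from the report).
A relayed NTLMv2 response reaches the server from the relay node (a hijacked
router on the public internet) rather than the user's workstation, so NTLM V2
network logons from outside the organisation's ranges deserve a look."""
import ipaddress
from collections import defaultdict

# Internal ranges are an assumption of this example; set them per environment.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events using Windows Security 4624 field names (made-up hosts/users).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "alice", "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "bob", "IpAddress": "203.0.113.44"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "carol", "IpAddress": "203.0.113.44"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "dave", "IpAddress": "198.51.100.7"},
]

def is_external(ip: str) -> bool:
    """True when ip parses and lies outside every INTERNAL_NETWORKS range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # 4624 records '-' when no address is known
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)

def external_ntlmv2_logons(events):
    """Map each external source IP to the accounts it logged on as via NTLMv2."""
    hits = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue                                    # network logons only
        if e.get("AuthenticationPackageName") != "NTLM" or e.get("LmPackageName") != "NTLM V2":
            continue
        if is_external(e.get("IpAddress", "-")):
            hits[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items()}

def likely_relay_nodes(events, min_accounts=2):
    """External IPs seen authenticating as at least min_accounts distinct users:
    one address fronting many accounts is the footprint a shared proxy leaves."""
    return sorted(ip for ip, users in external_ntlmv2_logons(events).items()
                  if len(users) >= min_accounts)
```

Legitimate external NTLM logons (remote users reaching a mail server directly) will also match, so treat the output as a triage list to cross-check against known proxy and VPN exit addresses rather than as an alert on its own.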
