Joint Cybersecurity Advisory - Russian Threat Actors Using Compromised Routers For Cyber Operations
The Joint Cybersecurity Advisory issued on February 27 2024 highlights the use of compromised Ubiquiti EdgeRouters by Russian state-sponsored cyber actors specifically the GRU unit APT28 (aka Fancy Bear Forest Blizzard) to conduct malicious cyber operations globally. These operations include harvesting credentials collecting NTLMv2 digests proxying network traffic and hosting spear-phishing landing pages as well as custom tools. While efforts have been made to disrupt these activities owners of impacted devices are being advised to take actions to remediate the threat including performing a hardware factory reset upgrading firmware changing default credentials and implementing strategic firewall rules.