Nation-state actors and cybercriminals share compromised routers


Cybercriminals and Spies Coexisting in Compromised Routers

According to Trend Micro researchers, cybercriminals and spies employed by nation-states are covertly operating within the same compromised routers from popular brands. Their motivations range from financial gain to strategic espionage, and their presence within these devices is sometimes harmonious and sometimes conflicting. Research from the security firm revealed the intricate relationship between these groups in a report released recently.

Peaceful Coexistence and Strategic Alliances

Trend Micro’s Feike Hacquebord and Fernando Merces highlighted instances where financially driven hackers offer spies access to compromised routers for a fee. Conversely, nation-state-backed advanced persistent threat groups may take control of devices previously targeted by cybercrime factions. In some cases, a single device may be compromised multiple times by various entities, creating a chaotic environment within routers, VPN devices, and virtual private servers provided by hosting companies.

The Ubiquiti EdgeRouter Network

For example, an extensive network primarily consisting of EdgeRouter devices from Ubiquiti became a focal point of the research. After discovering that a Kremlin-linked group had infected these devices, the FBI intervened to address the situation. The Russian hackers exploited existing infections caused by Moobot, a botnet malware utilized by financially motivated threat actors unaffiliated with the government. By leveraging vulnerabilities in the existing malware, the hackers transformed the botnet into a global cyber espionage platform.

The botnet was used by Pawn Storm to facilitate various activities such as proxying logins using stolen account information and exploiting a critical zero-day vulnerability in Microsoft Exchange. This vulnerability allowed hackers to obtain user password hashes by sending specially crafted emails. Subsequently, an NTLMv2 hash relay attack was carried out through the botnet devices to compromise user accounts.


Trend Micro researchers observed spam operations and the presence of the “Canadian Pharmacy” gang within the botnet network. Additionally, the malware Ngioweb, known for running on various routers and IoT devices, was also detected in the compromised devices.

Botnet Sharing Among Threat Groups

A table provided by researchers outlined the shared botnet among Pawn Storm and two other groups known as Water Zmeu and Water Barghest. It was revealed that Pawn Storm easily gained access to the compromised devices by brute-forcing credentials on backdoored SSH servers, establishing a pool of devices for their purposes.

Despite the FBI’s efforts to mitigate the infrastructure used by Pawn Storm, legal limitations hindered complete eradication of the threat. The botnet, which included virtual private servers and Raspberry Pi devices, remained active following the operation. The report suggested that multiple compromised assets, including EdgeRouters, were still accessible to Pawn Storm.

The ongoing battle to maintain control over compromised assets demonstrates the complexity of cyber espionage and cybercrime in modern network environments. As threat actors continue to exploit vulnerabilities and share resources, the cybersecurity landscape remains a challenging domain for security professionals.


About Post Author

Chris Jones
