Cybersecurity and law enforcement agencies are warning Ubiquiti EdgeRouter users to urgently upgrade security settings on the devices, a popular target for Russian nation-state hackers.
The router’s potential to be significantly abused by threat actors was highlighted earlier this month when the U.S. Justice Department and FBI revealed the takedown of a botnet comprising several hundred of the devices.
The botnet was used as a cyberespionage tool by a threat group run by Russian military intelligence, APT28 (also tracked a Fancy Bear, Sofacy and Forest Blizzard), to carry out “vast spearphishing and similar credential-harvesting campaigns.”
The FBI — together with the National Security Agency (NSA), U.S. Cyber Command, and more than a dozen international agencies — issued a Feb. 27 advisory (PDF) revealing more details of APT28’s activities targeting EdgeRouters, along with mitigations users could take to protect the devices from threat actors.
More than a reboot required for EdgeRouters
“Ubiquiti EdgeRouters have a user-friendly, Linux-based operating system that makes them popular for both consumers and malicious cyber actors,” the advisory said.
“EdgeRouters are often shipped with default credentials and limited to no firewall protections to accommodate wireless internet service providers (WISPs). Additionally, EdgeRouters do not automatically update firmware unless a consumer configures them to do so.”
By gaining root access to unhardened versions of the devices, APT28 got “unfettered access” to their Linux-based operating systems which it could use to install tooling and to obfuscate its identity while conducting malicious campaigns,” the agencies said.
Rebooting a compromised EdgeRouter would not remove malware that had been installed on the device, they warned. Users were urged to perform a hardware factory reset, upgrade to the latest firmware, change default usernames and passwords, and implement strategic firewall rules on WAN-side interfaces.
In the long term, network owners should only use routers and other equipment built with secure by design principles, which included not shipping devices with default passwords, the advisory said.
IoT devices need to address security problems
The widespread attacks and dangerous vulnerabilities outlined in the advisory highlighted the critical importance of securing EdgeRouters immediately using the steps the agencies had outlined, said Patrick Tiquet, Keeper Security’s vice president of security and architecture.
“These cybersecurity best practices should be applied to all routers and equipment,” he said.
John Gallagher, vice president of Viakoo Labs, said problems such as firmware being difficult to update, and security not being included as a fundamental of design, were common across a raft of internet of things (IoT) devices.
“Another issue is that the EdgeRouter itself provides a perfect position within the network for threat actors to either move laterally or to enable more advanced command and control functions for achieving their objectives,” he said.
John Bambenek, president at Bambenek Consulting, said manufacturers needed to treat the security vulnerabilities mentioned in the advisory as a serious problem.
“The single biggest advance in cybersecurity across the technical stack in 25 years was when Microsoft made auto-updating the default setting in Windows. Across the IoT, embedded devices, and network stack, this is not the norm,” he said. “We know devices aren’t patched by consumers or most organizations, so why wouldn’t nation-state actors get in on the target rich environment?”
