Posted on 02/16/2024 3:42:02 PM PST by nickcarraway
Beijing, now Moscow.… Who else is hiding in broadband gateways?
The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets.
This latest court-authorized takedown happened in January, and involved neutralizing "well over a thousand" home and small business routers that had been infected with the Moobot malware, which is a Mirai variant, according to FBI Director Christopher Wray, speaking at the Munich Cyber Security Conference on Thursday. Moobot can be used to remote-control compromised devices and launch attacks against networks.
Non-GRU cybercriminals installed Moobot on Ubiquiti Edge OS routers using publicly known default administrator passwords, we're told. Then the GRU spying team (tracked as APT 28, Forest Blizzard, and Fancy Bear among other names) used Moobot to install their own bespoke scripts and files that repurposed the botnet, thus "turning it into a global cyber espionage platform," according to the Feds.
Russian intelligence services turned to criminal groups to help them target home and office routers "Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme," opined Attorney General Merrick Garland. "We will continue to disrupt and dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies."
The botnet targeted organizations that are of interest to the Russian government, including US and foreign governments and military, security, and corporate organizations. In December Microsoft said the Fancy Bear crew had been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets such as government, defense, and aerospace agencies in the US and Europe, though didn't say if a botnet was used in the attacks.
And earlier this week it emerged Kremlin agents had been caught misusing OpenAI's models to generate phishing emails and malicious software scripts.
Takedown
According to American prosecutors, the Feds were able to instruct the Moobot botnet to copy and delete malicious files – including the malware itself – and any stolen data on the compromised routers, likely similar to what the DOJ did with the recent Volt Typhoon KV botnet takedown.
The FBI said [PDF] the dismantling of the Moobot network also involved modifying the routers' firewall rules to block remote management access to the devices, preventing them from being further hijacked, and "enabled temporary collection of non-content routing information that would expose GRU attempts to thwart" the operation.
That is to say, Uncle Sam was able to prevent Russia's use of the botnet by firewalling off remote management access, scrubbed the malware from the routers, and also inspected the Kremlin's handiwork on the infect equipment. All this was carried out with the consent of the owners of infected equipment, we're told.
Plus, the Feds said, users can rollback Uncle Sam's firewall rule changes via factory resets, or the routers' web-based user interface, though bear in mind a reset potentially leaves devices open to hijacking again if one doesn't change the admin password from the default.
"A factory reset that is not also accompanied by a change of the default administrator password will return the router to its default administrator credentials, leaving the router open to reinfection or similar compromises," the Justice Department warned.
FBI confirms it issued remote kill command to blow out Volt Typhoon's botnet Fancy Bear goes phishing in US, European high-value networks OpenAI shuts down China, Russia, Iran, N Korea accounts caught doing naughty things China's Volt Typhoon spies broke into emergency network of 'large' US city This is the second time in as many months that the Feds claim to have upended a state-sponsored botnet. The first, announced in January, belonged to China's Volt Typhoon, which had abused hundreds of outdated Cisco and Netgear boxes to break into energy facilities, emergency networks and other US critical infrastructure orgs.
However, as Google's Mandiant Intelligence chief analyst John Hultquist told The Register, it's likely the Kremlin-backed crew "will be back with a new scheme soon."
"As elections loom, it's never been a better time to add friction to GRU operations," he said.
Fancy Bear is believed to have been behind intrusions into the US Democratic Party's computers during the 2016 US presidential race, and they have continued to try to disrupt elections ever since.
"The hack and leak operations they have carried out may be the most effective cyberattack on elections we've witnessed, and we have no reason to believe they won't replay this tactic again," Hultquist said. ®
routers - > "using publicly known
default administrator passwords"
So how many sensitive data locations leave the default router password in place? What is it, admin admin?
Is our US hacker botnet still up and working?
SkyNet is here. And Arnold is still living. What else pray tell is in play ?
“FBI confirms it issued remote kill command to blow out Volt Typhoon’s botnet “
So what are the technical details? Did the FBI remotely shut down the 1,000 routers without permission or a warrant to do so? Did the FBI do a remote and unauthorized reset of the routers? Did the FBI download a firmware update to the routers? Did they contact owner? Did they contact Ubiquiti?
There’s a lot untold here.
No admin and password
exactly
You gave it away!! I’m vulnerable now that you’ve exposed me.
My router is no longer working. Weird.
100% false...this is letter agency gaslighting.
Just switch um to password admin. You’ll be fine
How many of these “Russia, Russia, Russia” claims are actually our own corrupt IC schemes, or Biden’s Chinese friends doing it.... Or just outright 0’Biden regime lies meant to push us closer into Armageddon?
(Fancy Bear is believed to have been behind intrusions into the US Democratic Party’s computers during the 2016 US presidential race,)
Well of course.
The Russians cheated Hillary out of her win!
Launch the ICBMs now!!
Why does this sound like a construct and why do I question the assertions of the government?
Hmmmmm....
What’s really weird is my router IS working!
I’m spit balling here, but I don’t think they “shut down” whatever operation it was. I think they just commandeered it for its own use against Americans.
Are these the people who claim to have hijacked my webcam and recorded me doing unspeakable and sordid things to myself?
Russia has its own brilliant engineers. It is China that has to steal everything.
One blatant bald-faced lie like that throws a lot of shade on the credibility of the rest of the press release.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.