
That home router botnet the Feds took down? Moscow's probably going to try again

Non-techies told to master firmware upgrades and firewall rules. For the infosec hardheads: have some IOCs


Authorities from eleven nations have delivered a sequel to the January takedown of a botnet run by Russia on compromised Ubiquiti Edge OS routers – in the form of a warning that Russia may try again, so owners of the devices should take precautions.

Revealed in February, the takedown was led by US authorities and at the time was said to have "disabled" a campaign staged by Russia's GRU military intelligence unit. The crew cracked the SOHO routers and infected them with malware named Moobot – a variant of the infamous Mirai malware.

Moobot allowed GRU and its minions to install and run scripts to build a 1,000-strong botnet, which it used for power phishing, spying, credential harvesting, and data theft.

Given the triumphant tone of the takedown announcement, Ubiquiti users may have felt they were no longer at risk.

But on Tuesday the FBI issued a joint advisory [PDF] on behalf of the US, Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom. The document urges Ubiquiti owners to get patching.

"Owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises," the document cautions.

Those actions are:

The advisory also offers more detail on how GRU – specifically the 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium) – went about its dirty deeds.

At the time of the takedown, US authorities remarked that this botnet differed from past GRU efforts in that it used off-the-shelf malware. The advisory reveals that APT28 also wrote its own package for this heist.

Called MASEPIE, the malware was directed by the Ubiquiti-based botnet and is described as "a small Python backdoor capable of executing arbitrary commands on victim machines."

"Data sent to and from the EdgeRouters was encrypted using a randomly generated 16-character AES key," the advisory explains.

Moscow's minions also used adversary-controlled SSH RSA keys to establish reverse SSH tunnels and access compromised devices.

The document details indicators of compromise – offering bash histories to help netadmins understand the attack and spot evil downloads used by the botnet's masters.

All of which is lovely – assuming owners of Ubiquiti devices know how to access bash histories. Most won't. Nor will they be comfortable performing firmware upgrades.

And those recommended strategic firewall rules on WAN-side interfaces? The document doesn't explain them at all. If you don't already know how to do that, the FBI offers no help.

This is why we can't have nice things. ®
