Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security United States

DOJ Quietly Removed Russian Malware From Routers in US Homes and Businesses (arstechnica.com) 71

An anonymous reader shares a report: More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department. That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to "conceal and otherwise enable a variety of crimes," the DOJ claims, including spearphishing and credential harvesting in the US and abroad.

Unlike previous attacks by Fancy Bear -- that the DOJ ties to GRU Military Unit 26165, which is also known as APT 28, Sofacy Group, and Sednit, among other monikers -- the Ubiquiti intrusion relied on a known malware, Moobot. Once infected by "Non-GRU cybercriminals," GRU agents installed "bespoke scripts and files" to connect and repurpose the devices, according to the DOJ. The DOJ also used the Moobot malware to copy and delete the botnet files and data, according to the DOJ, and then changed the routers' firewall rules to block remote management access. During the court-sanctioned intrusion, the DOJ "enabled temporary collection of non-content routing information" that would "expose GRU attempts to thwart the operation." This did not "impact the routers' normal functionality or collect legitimate user content information," the DOJ claims. "For the second time in two months, we've disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised US routers," said Deputy Attorney General Lisa Monaco in a press release.

This discussion has been archived. No new comments can be posted.

DOJ Quietly Removed Russian Malware From Routers in US Homes and Businesses

Comments Filter:
  • Really? (Score:5, Insightful)

    by derplord ( 7203610 ) on Friday February 16, 2024 @02:22PM (#64245478)

    > only those that had not changed their default administrative password
    So, ubnt/ubnt?

    2023/2024 and people still don't change default pw? Seriously?

    • Not on any important system where they reckon that passwords have to obvious so they could always get access. Sarcasm much
      • Not on any important system where they reckon that passwords have to obvious so they could always get access. Sarcasm much

        Sarcasm much? Maybe just a twitch ;)

    • > 2023/2024 and people still don't change default pw? Seriously?

      It's 2024 and people are still idiots, yes. Humans will be idiots in 2524 also (barring grand genetic re-engineering).

      I'm against direct banning of default passwords, but I'd like to see prominent warning labels/intros required by law.

      • by iAmWaySmarterThanYou ( 10095012 ) on Friday February 16, 2024 @03:28PM (#64245768)

        Forced password change on setup isn't that hard.

      • by MachineShedFred ( 621896 ) on Friday February 16, 2024 @03:49PM (#64245868) Journal

        Or how about a default where they don't make the admin interface or SSH available on the configured WAN port unless you explicitly enable it, and confirm a box that says exactly what you are doing, and what the risks are.

        There's no fucking reason to default the admin interface as available to 0.0.0.0/0 on a multi-port router that supports proper IPSec VPN tunnels and even installing VPN clients and configuring them as an additional interface for routing. That's a shitty default on Ubiquiti's part, and should have been changed years ago.

      • by HiThere ( 15173 )

        You're revealing extreme tunnel vision. Most people don't understand computers...but many of them understand things that YOU are totally ignorant of. Guaranteed, no matter who you are. There's too much stuff in the world today for anyone to know it all.

        • You're revealing extreme tunnel vision. Most people don't understand computers...but many of them understand things that YOU are totally ignorant of. Guaranteed, no matter who you are. There's too much stuff in the world today for anyone to know it all.

          Damn I wish I had mod points. +1 Insightful!

          This is also what is wrong with politics, BTW. People think they are experts at every issue when they don't have a clue about most of it.

  • by sinkskinkshrieks ( 6952954 ) on Friday February 16, 2024 @02:25PM (#64245492)
    I don't trust anything else they offer except their on-prem, self-hosted UniFi app that runs without cloud features to control APs. Anyone with any sense should use a real router fit for purpose. OPNsense is just one example.
    • by sinkskinkshrieks ( 6952954 ) on Friday February 16, 2024 @02:31PM (#64245510)
      2/ Ubiquiti uses embedded Linux in its Wi-Fi devices. These device are "adoptable" in factory reset conditions but are able to be reprogrammed with a different SSH password as part of their management. If they followed modern industry-standard security practices, their default passwords would've been factory printed as pseudo random strings printed as text and QR codes on each physical device. Hell, even the worst service-provider cable modems have done this with default Wi-Fi passwords for a decade.
    • by MachineShedFred ( 621896 ) on Friday February 16, 2024 @02:45PM (#64245562) Journal

      Ubiquiti routers are basically a fork of Vyatta (a.k.a. a different fork than VyOS that Ubiquiti maintains) running on standard MIPS64 hardware that requires absolutely no "cloud" anything to set up, maintain, and operate. How is that not a "real router fit for purpose" ?

      • by bill_mcgonigle ( 4333 ) * on Friday February 16, 2024 @03:10PM (#64245688) Homepage Journal

        > How is that not a "real router fit for purpose" ?

        Their track record on being diligent on security updates is lacking.

        At least with Unifi many users are on old vulnerable builds because newer builds broke DHCP on older hardware and the newer hardware on newer builds doesn't play well with older hardware on older builds.

        "Just buy new Unifi hardware!"

        Many people saw that as a clear signal to move on.

        • by MachineShedFred ( 621896 ) on Friday February 16, 2024 @03:41PM (#64245838) Journal

          It's running a Debian flavor at it's core.

          If you're so worried about security updates, add the appropriate apt repo and update it yourself. This isn't a consumer router unless you want it to be. You can SSH into it, update /etc/apt/sources.list.d and update / upgrade packages from the Debian repo.

          You aren't locked into just their updates.

  • Whether this is warranted or not, it will fuel gov't skeptics and conspiracists.

    It may also generate invasion-of-privacy lawsuits. Is there a better way to go about it?

    • Whether this is warranted or not, it will fuel gov't skeptics and conspiracists.

      It may also generate invasion-of-privacy lawsuits. Is there a better way to go about it?

      yeah but they also quietly replaced the Russian malware with their own, for national security.

      • by Tablizer ( 95088 )

        > but they also quietly replaced the Russian malware with their own [US gov't snoopware], for national security.

        I assume you are joking, otherwise we at Slashdot expect clear evidence of such claims.

        • by guruevi ( 827432 )

          The fact they did it secretly without telling anyone should tell you.

        • > but they also quietly replaced the Russian malware with their own [US gov't snoopware], for national security.

          I assume you are joking, otherwise we at Slashdot expect clear evidence of such claims.

          No problem.
          Cisco.
          Good enough?

        • > but they also quietly replaced the Russian malware with their own [US gov't snoopware], for national security.

          I assume you are joking, otherwise we at Slashdot expect clear evidence of such claims.

          1. Its the USA. Did you learn nothing from Snowden?
          2. They did it secretly.
          3. Because of course they would.

      • Then feel free to reset your router to factory, and reload your backed up config. It only takes a few minutes of time.

        You did back up the config on your enterprise-grade router after you got it configured, yeah?

        Oh, no backup of your running configs to a safe place? Sounds like you have a process problem.

    • > Is there a better way to go about it?

      Notify the ISP.

      They will notify the customer and later blackhole the CPE until the attacks stop. Admins who call will be told what's going on.

      But does that set a useful legal precedent?

    • If people are super concerned about that, then they can choose to do one, or all, or any subset of the following actions:

      1. change your fucking default password on your router so you don't get crapped up with Russian malware
      2. disable the admin interface from being available on the port with a route to 0.0.0.0/0
      3. disable SSH access unless you are actually using it (I believe this defaults "off" anyway)

    • by HiThere ( 15173 )

      In my mind, this is unconstitutional government action. It's also action that was needed. The US Constitution was designed for a much different world, and wouldn't work in the modern world, so the government often ignores it, and this usually causes no problem. This is an example.

      Perhaps there were better, legal, ways to solve the problem, but the govt. is in the habit of ignoring constitutional restrictions, so they just went ahead and acted. Note that this time they appear to have acted for the good o

      • by hey! ( 33014 )

        It's one of those things that *feels* like it ought to be unconstitutional, but in fact if you follow these things it turns out what how the Constitution applies to such modern problems is often full of weird twists and corner cases. Back in 1986 Congress passed a huge raft of new statutory law [wikipedia.org] specifically to patch privacy holes in computer related stuff that anyone could see *should* be unconstitutional, but wasn't.

        *Administrative inspections* are held to a much lower standard of scrutiny than *criminal

        • by HiThere ( 15173 )

          A law can't, officially, modify the constitution. That seems to be an example of what I mean about the govt. ignoring the constitution. Occasionally a challenge will wend it's way through the courts and the Supreme Court will look at it. And come to a decision on some basis. Frequently they brutally twist the meanings of the words. (Consider the interstate commerce clause being used to prevent someone growing something for their own use on their own land.)

          • Laws donâ(TM)t modify the Constitution. They exercise the power and discretion the Constitution gives Congress to solve problems the framers couldnâ(TM)t anticipate . In the case I cited that was a perfect example: data privacy. If you wrote a bill of rights today thereâ(TM)d surely be a lot in it about data privacy, but at the time of the framing they couldnâ(TM)t know the ways a government can intrude on your privacy that arenâ(TM)t a physical intrusion or confiscation of a physic

      • by jvkjvk ( 102057 )

        >In my mind, this is unconstitutional government action.

        What part of it? "Intrusion" onto their property or fixing their shit?

        Since they were pursuing criminals, intrusion is normally accepted for police. They generally won't fix your stuff though. Except that this stuff was doing illegal things. Can't have that. Since it is a National Security Issue lots of things also aren't unconstitutional, like telling people you fixed it.

        So what part is unconstitutional ?

  • I'm sure they just patched it up and left nothing of their own behind right?
  • Is it, morally or legally, "right" to hack a system to keep it from being abused in a hack?

    • by Slayer ( 6656 )

      Is it, morally or legally, "right" to hack a system to keep it from being abused in a hack?

      Think "state monopoly on the use of force" to draw the line. It is morally and legally right for a country (or it's gov't) to fend off a threat to herself, and that's what the spooks apparently did, while causing minimal to no collateral damage in the process. Even wiping all these poorly administrated and unmaintained routers off the face of the internet would have been fair game at this point.

      • Careful there, the "this is a threat to the state and we have to meet it" argument has been used in the last century way too often to justify installing an oppressive regime.

        I'd rather accept a few crappy routers than the Gestapo kicking in my door because I'm a threat to the state because I question it.

        • by Slayer ( 6656 )

          Careful there, the "this is a threat to the state and we have to meet it" argument has been used in the last century way too often to justify installing an oppressive regime.

          The difference between a working democracy an oppressive regime is not the existence or nonexistence of an active police force and military, but their public oversight, and consequences for abuse of power. So yes, we need to look very carefully, if the government pwns routers or bangs down doors, and as a matter of fact, we discuss this here, because we're part of an open debate about this. Public oversight is running its course here. Good.

          I'd rather accept a few crappy routers than the Gestapo kicking in my door because I'm a threat to the state because I question it.

          This was not about a few bozos holding on to their unpatched Netgear

    • by gweihir ( 88907 )

      This is illegal in most of the EU and a court cannot order or authorize it. What would be legal is to ask ISPs to notify customers and/or have the ISP block them. But you cannot legally change the configuration or software on a device without explicite consent of the device owner.

      What we need is some international laws to fix this situation. I am against "legal" hacking (far too much opportunities for the surveillance-fascists), but notify-then-block may be improved. For example, you could have a national a

  • by Gabest ( 852807 ) on Friday February 16, 2024 @05:59PM (#64246300)

    They just had to hack into every router to see which one was infected.

Measure with a micrometer. Mark with chalk. Cut with an axe.

Working...