Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks

Trend Micro researchers analyze how cybercriminals and nation-state actors exploit internet-facing routers to create anonymization networks, focusing on Pawn Storm’s use of EdgeRouters and related botnets. The analysis covers post-FBI disruption activity, cross-actor usage of proxy networks, and defender guidance for SOHO networks. Hashtags: #PawnStorm #EdgeRouter #Sandworm #Ngioweb #Ubiquiti #FBI

Keypoints

  • Cybercriminals and nation-state actors share a common interest in compromised routers that are used as an anonymization layer.
  • Cybercriminals rent out compromised routers to other criminals, and most likely also make them available to commercial residential proxy providers.
  • Nation-state threat actors like Sandworm used their own dedicated proxy botnets, while APT group Pawn Storm had access to a criminal proxy botnet of Ubiquiti EdgeRouters.
  • The EdgeRouter botnet used by Pawn Storm (disrupted by the US FBI in January 2024) goes back to 2016.
  • The botnet also includes other routers and virtual private servers (VPS). After the disruption, the botnet’s operator managed to move over bots to command-and-control (C&C) infrastructure that had been newly set up.
  • On some compromised EdgeRouters, we found activity from two significant cybercriminal groups and one nation-state threat actor (Pawn Storm).
  • It is of paramount importance to secure routers and to expose them to incoming internet connections only when it is critical for the business. We provide advice for network defenders and Small Office/Home Office (SOHO) network administrators to scan their routers for indications of them being used by nation-state threat actors and cybercriminals.

MITRE Techniques

  • [T1059.004] Unix Shell – Bash scripts used to execute commands and gather host data on compromised devices. “…collection of bash scripts, Python scripts, and a few malicious Linux binaries like SSHDoor.”
  • [T1059.006] Python – Python scripts used as part of the botnet toolkit. “…collection of bash scripts, Python scripts, and a few malicious Linux binaries like SSHDoor.”
  • [T1021.004] SSH – SSH tunneling and use of SSH as a remote service to manage compromised devices. “…Shell scripts, SSH tunneling”
  • [T1566.001] Phishing – Credential phishing and spear phishing via emails/sites used to harvest credentials. “…sending spear phishing e-mails”
  • [T1550.003] NTLM Relay – NTLMv2 hash relay attack to move across compromised hosts. “…NTLMv2 hash relay attack”
  • [T1090] Proxy – Use of proxy networks to mask traffic and hide C2 activity. “proxy service”
  • [T1136] Create Account – Adding backdoor access by placing a public key in authorized_keys. “…added a public key to /root/.ssh/authorized_keys”

Indicators of Compromise

  • [IPv4] Command and control/proxy infrastructure – 32.143.50.222, 185.227.137.200
  • [Domain] Phishing infrastructure – webhook.site, ukr.net
  • [File] Backdoor credential stores – /root/.ssh/authorized_keys, /tmp/.zZtemp
  • [URL] Patch/backdoor source – https://github.com/jivoi/openssh-backdoor-kit
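The keypoints above recommend that SOHO administrators scan their routers for signs of this kind of use, and the file indicators list a planted SSH public key and a temp file. The following is an added triage helper, not code from the Trend Micro report or the botnet toolkit: it parses an authorized_keys file into entries, computes OpenSSH-style SHA256 fingerprints, flags any key that is not on an administrator-maintained allowlist (together with any forced-command options on it), and reports whether the listed indicator file exists. The sample keys and the allowlist are constructed for the example.

```python
#!/usr/bin/env python3
"""Added triage helper for the authorized_keys and /tmp/.zZtemp indicators."""
import base64
import hashlib
import os
import re

# authorized_keys line: [options] key-type base64-blob [comment]
KEY_LINE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Split each key line into options, key type, fingerprint and comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.search(line)
        if m is None:
            continue  # not a key line; ignored here
        entries.append({"options": line[:m.start()].strip(), "type": m.group(1),
                        "fingerprint": fingerprint(m.group(2)), "comment": m.group(3) or ""})
    return entries

def unexpected_keys(text: str, allowlist: set) -> list:
    """Entries whose fingerprint the administrator has not approved."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in allowlist]

def ioc_files_present(paths=("/tmp/.zZtemp",)) -> list:
    """Which of the report's file indicators exist on this host."""
    return [p for p in paths if os.path.exists(p)]

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed sample: one key the admin knows, one planted with a forced command.
SAMPLE_KEYS = (f"ssh-ed25519 {_b64(b'constructed-admin-key')} admin@office\n"
               f'no-pty,command="/bin/sh" ssh-rsa {_b64(b"constructed-planted-key")} root\n')
KNOWN = {fingerprint(_b64(b"constructed-admin-key"))}  # constructed allowlist

if __name__ == "__main__":
    for e in unexpected_keys(SAMPLE_KEYS, KNOWN):
        print(f"unexpected key: {e['type']} {e['fingerprint']} options={e['options']!r}")
    for p in ioc_files_present():
        print(f"indicator file present: {p}")
```

On a real device, read /root/.ssh/authorized_keys instead of SAMPLE_KEYS and populate the allowlist from `ssh-keygen -lf` output for the keys the administrator actually issued.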

Read more: https://www.trendmicro.com/en_us/research/24/e/router-roulette.html