keypoints
August 20, 2024

Threat Actors Love Ubiquiti. A Match Made in Cyber Heaven

The threat actor's operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. The targeted countries include the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US, with a strategic focus on individuals in Ukraine.

Potential consequences and impacts on these affected industries include:

📌 Data breaches and theft of sensitive information, intellectual property, or trade secrets.

📌 Disruption of critical infrastructure operations, such as power grids, transportation systems, or manufacturing processes.

📌 Compromise of government networks and systems, potentially leading to espionage or national security threats.

📌 Financial losses due to operational disruptions, theft of customer data, or reputational damage.

📌 Potential safety risks if control systems or operational technology (OT) networks are compromised.

📌 Loss of customer trust and confidence in the affected organizations.

MITRE ATT&CK TTPs

Resource Development:

📌 T1587 (Develop Capabilities): APT28 authored custom Python scripts to collect webmail account credentials.

📌 T1588 (Obtain Capabilities): APT28 accessed EdgeRouters compromised by the Moobot botnet, which installs OpenSSH trojans.

Initial Access:

📌 T1584 (Compromise Infrastructure): APT28 accessed EdgeRouters previously compromised by an OpenSSH trojan.

📌 T1566 (Phishing): APT28 conducted cross-site scripting and browser-in-the-browser spear-phishing campaigns.

Execution:

📌 T1203 (Exploitation for Client Execution): APT28 exploited the CVE-2023-23397 vulnerability.

Persistence:

📌 T1546 (Event Triggered Execution): The compromised routers housed Bash scripts and ELF binaries designed to backdoor OpenSSH daemons and related services.

Credential Access:

📌 T1557 (Adversary-in-the-Middle): APT28 installed tools like Impacket ntlmrelayx.py and Responder on compromised routers to execute NTLM relay attacks.

📌 T1556 (Modify Authentication Process): APT28 hosted rogue NTLMv2 authentication servers, modifying the authentication process with credentials stolen through the NTLM relay attacks.

Collection:

📌 T1119 (Automated Collection): APT28 utilized CVE-2023-23397 to automate the collection of NTLMv2 hashes.

Exfiltration:

📌 T1020 (Automated Exfiltration): APT28 utilized CVE-2023-23397 to automate the exfiltration of data to actor-controlled infrastructure.
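The NTLM relay activity listed under Credential Access leaves a recognizable trace on the receiving Windows host: the relayed logon arrives from the relay box (here, a router) while the event still names the victim workstation. The script below is an added example, not code from the page or the report; the asset inventory, router subnet and 4624-style event lines are all constructed.

```python
"""Flag NTLM network logons whose source address does not fit the named workstation."""
import ipaddress
import re

# Constructed asset inventory (assumed CMDB/DHCP export): hostname -> IP
INVENTORY = {"WS-FIN-01": "10.10.5.21", "WS-HR-07": "10.10.5.44", "SRV-FILE-02": "10.10.2.10"}
# Constructed management subnet where the edge routers live: a Windows logon
# sourced from here means a router is speaking NTLM on someone's behalf.
NETWORK_DEVICE_SUBNETS = [ipaddress.ip_network("10.10.0.0/28")]
# Constructed key=value renderings of Security event 4624 (not real logs)
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM LmPackageName=NTLM V2 TargetUserName=jdoe WorkstationName=WS-FIN-01 IpAddress=10.10.5.21",
    "EventID=4624 LogonType=3 AuthPackage=NTLM LmPackageName=NTLM V2 TargetUserName=jdoe WorkstationName=WS-FIN-01 IpAddress=10.10.0.2",
    "EventID=4624 LogonType=3 AuthPackage=NTLM LmPackageName=NTLM V2 TargetUserName=asmith WorkstationName=WS-HR-07 IpAddress=10.10.7.99",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos LmPackageName=- TargetUserName=asmith WorkstationName=WS-HR-07 IpAddress=10.10.5.44",
    "EventID=4624 LogonType=2 AuthPackage=NTLM LmPackageName=NTLM V2 TargetUserName=asmith WorkstationName=WS-HR-07 IpAddress=127.0.0.1",
]
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # values may contain spaces ("NTLM V2")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def relay_reason(ev, inventory=INVENTORY, device_subnets=NETWORK_DEVICE_SUBNETS):
    """Return why this 4624 looks relayed, or None. A relayed handshake is forwarded by the
    attacker's host, so IpAddress is the relay while WorkstationName still names the victim."""
    # Only NTLM network logons (type 3) qualify; Kerberos and interactive logons are skipped
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "3" or ev.get("AuthPackage") != "NTLM":
        return None
    src, ws = ev.get("IpAddress", "-"), ev.get("WorkstationName", "-")
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:  # "-" or malformed source: nothing to compare against
        return None
    if src_ip.is_loopback:
        return None
    if any(src_ip in net for net in device_subnets):
        return f"NTLM logon for {ws} sourced from network-device address {src}"
    if (expected := inventory.get(ws)) not in (None, src):
        return f"{ws} is {expected} in inventory but the logon came from {src}"
    return None

def scan(lines):
    """Return (user, reason) for every suspicious event among the given lines."""
    findings = []
    for ev in map(parse_event, lines):
        reason = relay_reason(ev)
        if reason:
            findings.append((ev.get("TargetUserName", "?"), reason))
    return findings
```

Hosts missing from the inventory only trigger on the router-subnet rule, so the inventory's coverage bounds what the second rule can catch.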