Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks

This shows that securing internet facing routers remains highly important. The last section of this entry provides a guide for network defenders.

Ngioweb malware found on EdgeOS

While investigating the Linux botnet that was partially taken down by the FBI and international partners in January 2024, we found another Linux botnet with malware running on some of the same EdgeRouters that were abused by Pawn Storm. This botnet is more discreet, with better operational security, with the associated malware running in memory only as far as we could tell, with no malicious files left on-disk. By investigating memory dumps and the C&C connections the bots made, we found them to be a version of the Ngioweb malware that was described in three separate blog posts from 2018 to 2020 . We have evidence that the bots in this botnet are being utilized in a residential botnet that is commercially available to paying subscribers. We will share the indicators of this botnet for network defenders, and we plan on releasing a full analysis of the botnet in the future.

The fact that we found at least three significant threat actors on some of the EdgeRouters shows that they have a sizeable interest in compromising internet-facing routers.

Outlook and conclusion

Cyberiminals and APT groups use anonymization tools to blend their malicious activity in with benign normal traffic. Commercial VPN services and commercially available residential proxy networks are popular options for these types of activities.

Internet-facing devices like SOHO routers are also a popular asset for criminal purposes and espionage. While some of the networks of compromised SOHO routers may look like a zoo that anybody can abuse, especially when default credentials remain valid, malicious actors can capitalize on this noisy environment for their own benefit and make use of them discreetly.

In the specific case of the compromised Ubiquiti EdgeRouters, we observed that a botnet operator has been installing backdoored SSH servers and a suite of scripts on the compromised devices for years without much attention from the security industry, allowing persistent access. Another threat actor installed the Ngioweb malware that runs only in memory to add the bots to a commercially available residential proxy botnet. Pawn Storm most likely easily brute forced the credentials of the backdoored SSH servers and thus gained access to a pool of EdgeRouter devices they could abuse for various purposes.

Recommendations

SOHO owners and operators must be aware of the risks presented by a backdoored version of OpenSSH. These implants are difficult to detect — legitimate credentials remain valid, but the server accepts an additional root password that is only known by the attackers when remotely authenticating clients. Disabling root access via sshd_config doesn’t help since the backdoored code is ready to bypass it. To check for the presence of the backdoor, here are our recommendations for EdgeRouter device owners:

Use the verbose option of your SSH command-line client to see the banner your device (acting as a server) gives you. The following example shows a banner from a EdgeRouter model ER-X-SFP whose IP address is 192.168.50.85:

$ ssh -v
–snip–
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7
–snip–

You can then press Ctrl+C without needing to log in to the device.

Since EdgeOS is based on Debian GNU/Linux, you should see a banner that includes the “Debian” string. Also, the OpenSSH version must match with an existing release number. The previous example shows that the server is running OpenSSH version 7.4p1, which is an official one.

Users who are comfortable with the command line interface can also perform the following additional steps:

1. Log in to your device using the web administration page (to avoid credential theft in case your device has already been backdoored) and temporarily enable telnet.

2. Log in via telnet.

3. Search for sshd_config files and check if they have a GatewayPorts configuration option set to “yes”:

$ (find / -type f -name sshd_config -exec grep Gate {} +;) 2>/dev/null

If the output contains the string “GatewayPorts yes” and you don’t recognize this setting, it might be a sign the device is compromised.

4. Check the hashes of all sshd binaries in your device. If any of them is on the IOC list section, the device might be compromised:

$ (find / -type f -name sshd -exec shasum {} +;) 2>/dev/null

5. Log in using the web UI again and disable telnet.

If you suspect the device is backdoored, you may want to perform a factory reset and choose a strong password. Also, consider not allowing connections to the router’s administrative interface from the internet. For system administrators and SOHO owners, we have written a script that be found here <<insert link>>. This script can be run locally on routers and will assist in finding compromises related to Water Zmeu.

Indicators of Compromise

For the indicators of compromise for this entry, please refer to this document.

Read More HERE