DOJ Quietly Removed Russian Malware From Routers in US Homes and Businesses (arstechnica.com)
An anonymous reader shares a report: More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department. That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to "conceal and otherwise enable a variety of crimes," the DOJ claims, including spearphishing and credential harvesting in the US and abroad.
Unlike previous attacks by Fancy Bear -- which the DOJ ties to GRU Military Unit 26165, also known as APT 28, Sofacy Group, and Sednit, among other monikers -- the Ubiquiti intrusion relied on a known malware, Moobot. After the routers were infected by "Non-GRU cybercriminals," GRU agents installed "bespoke scripts and files" to connect to and repurpose the devices, according to the DOJ. The DOJ says it then used the Moobot malware itself to copy and delete the botnet files and data, and changed the routers' firewall rules to block remote management access. During the court-sanctioned intrusion, the DOJ "enabled temporary collection of non-content routing information" that would "expose GRU attempts to thwart the operation." This did not "impact the routers' normal functionality or collect legitimate user content information," the DOJ claims. "For the second time in two months, we've disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised US routers," said Deputy Attorney General Lisa Monaco in a press release.
Really? (Score:5, Insightful)
> only those that had not changed their default administrative password
So, ubnt/ubnt?
2023/2024 and people still don't change default pw? Seriously?
Re: Really? (Score:2)
Re: (Score:2)
Not on any important system where they reckon that passwords have to be obvious so they could always get access. Sarcasm much
Sarcasm much? Maybe just a twitch ;)
Re: (Score:2)
Obviously, he got married to a western society woman.
Re: (Score:2, Troll)
Only someone with a severe brain worm infestation would attempt to conflate securing bad default router credentials with some unhinged piss-and-moan about women being able to live their lives the way they fucking want to without being judged by some random dipshit on the Internet (you).
Re: (Score:2)
No one gets to live without being judged by other humans. It's what we do. It's a human thing. We judge others. Always have and always will.
Require warning labels (Score:1)
> 2023/2024 and people still don't change default pw? Seriously?
It's 2024 and people are still idiots, yes. Humans will be idiots in 2524 also (barring grand genetic re-engineering).
I'm against direct banning of default passwords, but I'd like to see prominent warning labels/intros required by law.
Re:Require warning labels (Score:5, Insightful)
Forced password change on setup isn't that hard.
Re:Require warning labels (Score:5, Insightful)
Or how about a default where they don't make the admin interface or SSH available on the configured WAN port unless you explicitly enable it, and confirm a box that says exactly what you are doing, and what the risks are.
There's no fucking reason to default the admin interface as available to 0.0.0.0/0 on a multi-port router that supports proper IPSec VPN tunnels and even installing VPN clients and configuring them as an additional interface for routing. That's a shitty default on Ubiquiti's part, and should have been changed years ago.
Re: (Score:2)
You're revealing extreme tunnel vision. Most people don't understand computers...but many of them understand things that YOU are totally ignorant of. Guaranteed, no matter who you are. There's too much stuff in the world today for anyone to know it all.
Re: (Score:2)
> You're revealing extreme tunnel vision. Most people don't understand computers...but many of them understand things that YOU are totally ignorant of. Guaranteed, no matter who you are. There's too much stuff in the world today for anyone to know it all.
Damn I wish I had mod points. +1 Insightful!
This is also what is wrong with politics, BTW. People think they are experts at every issue when they don't have a clue about most of it.
While Ubiquiti makes good Wi-Fi gear.. (Score:5, Insightful)
Re:While Ubiquiti makes good Wi-Fi gear.. (Score:4, Insightful)
Re:While Ubiquiti makes good Wi-Fi gear.. (Score:5, Interesting)
Ubiquiti routers are basically a fork of Vyatta (a.k.a. a different fork than VyOS that Ubiquiti maintains) running on standard MIPS64 hardware that requires absolutely no "cloud" anything to set up, maintain, and operate. How is that not a "real router fit for purpose" ?
Re:While Ubiquiti makes good Wi-Fi gear.. (Score:4, Interesting)
> How is that not a "real router fit for purpose" ?
Their track record on being diligent on security updates is lacking.
At least with Unifi many users are on old vulnerable builds because newer builds broke DHCP on older hardware and the newer hardware on newer builds doesn't play well with older hardware on older builds.
"Just buy new Unifi hardware!"
Many people saw that as a clear signal to move on.
Re:While Ubiquiti makes good Wi-Fi gear.. (Score:4, Insightful)
It's running a Debian flavor at its core.
If you're so worried about security updates, add the appropriate apt repo and update it yourself. This isn't a consumer router unless you want it to be. You can SSH into it, update /etc/apt/sources.list.d and update / upgrade packages from the Debian repo.
You aren't locked into just their updates.
Re: (Score:2)
IT ISN'T A CONSUMER-GRADE ROUTER.
If you want consumer, then buy consumer. This is a piece of equipment meant for more complex routing needs, such as edge routing for business remote offices or routers that can be configured and maintained centrally at an ISP level.
If the company deploying these things doesn't know to change an admin password on a piece of critical networking gear, they also need to hire someone that knows what the fuck they are doing.
Will set foil hats to 11 (Score:2)
Whether this is warranted or not, it will fuel gov't skeptics and conspiracists.
It may also generate invasion-of-privacy lawsuits. Is there a better way to go about it?
Re: (Score:1)
No, if the gov't sneaks on my property to "fix" something without asking or telling, that's usually considered "invasion of privacy" by the gov't even if no direct harm proven. I see no reason why an electronic box should have different rules than physical property. Similarly, "trespassing" doesn't require actual harm proven to be considered a crime. (There are a few exceptions for high-stakes national security.)
Re: (Score:2)
Re: (Score:1)
Fire department is usually not the government and the fire department isn't sneaking onto my property, they tend to be rather loud. This would be akin to me starting a camp fire in the summer and the mayor sneaking onto my property with a bucket of water to put it out because he doesn't like the smoke.
Re: (Score:2)
Re: (Score:1)
My door is regularly open where I live, plenty of people leave their garage doors open during the summer. Maybe if you didn't live in such a shithole city, you would find that normal too. But yes, it would be a problem if officers snuck onto my property to close and lock my doors, it is called trespassing and is liable to get someone shot.
As far as the computer realm, if the ISP thinks I should close a security hole, they have a number of recourses they can take, including notification and shutting me down.
Re: (Score:2)
I'm very pro-libertarian/fuck-off-government-asshole but in this case, I see it sort of like if there was a cannon on your property randomly firing live rounds in all directions at your neighbors' homes.
They shouldn't have to wait for a round to hit a house to come on to your property and disable your cannon.
Likewise, there are other situations where you've socially contracted to agree that if other bad things happen on your property they can enter without a warrant. For example, a fire, probable cause of
Re:Will set foil hats to 11 (Score:4, Insightful)
Your rights are not 100% absolute in all cases.
If this sets a precedent you'll be lucky to get 1% soon.
Re: (Score:2)
There are already many exceptions to our rights.
For example, try to buy a fully automatic rifle. Why doesn't the 2a allow that? Or a cannon? Or a cruise missile with launcher?
When I was on business travel in UK a few years ago, this UK guy from my company was telling his UK table mates that "America is crazy! You can mount a 50 caliber machine gun to your car and drive down the street and no one says anything!" Sigh... I didn't bother to say anything but obviously no you can't do such a thing. Yet y
Re: (Score:1)
The problem is that you weren't shooting any cannons. You were going from private property to private property, the ISP could've cut you off at any point if they deemed it an issue.
Now they "patched" the issue potentially with their own backdoors, who knows.
Re: (Score:2)
1) they could have put their own back doors in anyway with or without this program. Probably did. If not to these particular devices then others.
2) it's like a digital cannon waiting to go off. Once fired it is too late to contact the ISP. The end goal and result is the same in both cases except if you block everyone's router you're more likely to get some congresscritter passing a "hands off our routers!" law that ties their hands on other perfectly legitimate work as well as all the non technical peop
Re: (Score:2)
I think to be consistent, if the government should intervene in a situation like this because the router is on your property, to be consistent then you should be legally and financially responsible for the damage that router does to other peoples' property, at least if it's because you haven't kept it patched and secured.
Re: (Score:1)
Re: (Score:2)
I fully get your point - I am a bit of a privacy nerd - but let's see..
Joe D.(igitally Illiterate) Random's router is infected. So an employee of a three letter government agency shows up and explains that his router has been used by teh Rusians to attack the DoD and DoJ, and that a software update needs to be installed in order to stop this. What are the chances of our dear Joe allowing this to happen? What are the chances that he'll accuse the government of trying to illegally invade his privacy, or even
Re: (Score:2)
> Whether this is warranted or not, it will fuel gov't skeptics and conspiracists.
> It may also generate invasion-of-privacy lawsuits. Is there a better way to go about it?
yeah but they also quietly replaced the Russian malware with their own, for national security.
Re: (Score:1)
> but they also quietly replaced the Russian malware with their own [US gov't snoopware], for national security.
I assume you are joking, otherwise we at Slashdot expect clear evidence of such claims.
Re: (Score:2)
The fact they did it secretly without telling anyone should tell you.
Re: (Score:2)
> but they also quietly replaced the Russian malware with their own [US gov't snoopware], for national security.
I assume you are joking, otherwise we at Slashdot expect clear evidence of such claims.
No problem.
Cisco.
Good enough?
Re: (Score:3)
> but they also quietly replaced the Russian malware with their own [US gov't snoopware], for national security.
I assume you are joking, otherwise we at Slashdot expect clear evidence of such claims.
1. Its the USA. Did you learn nothing from Snowden?
2. They did it secretly.
3. Because of course they would.
Re: (Score:2)
Then feel free to reset your router to factory, and reload your backed up config. It only takes a few minutes of time.
You did back up the config on your enterprise-grade router after you got it configured, yeah?
Oh, no backup of your running configs to a safe place? Sounds like you have a process problem.
Re: (Score:1)
I never knowingly leave gizmos with default passwords, but as different family members muck with and switch out gizmos over time, bleep happens. They won't let me be King of All Household Gizmos. (Some argue default passwords should be banned.)
Re: (Score:2)
If the same family members bitching about banning default passwords also won't allow you to be King, then I have no further comment regarding that level of ignorance, other than to say welcome to the neighborhood.
Re: (Score:1)
Humans are idiots, not news. Dilbert is a documentary.
Re: (Score:2)
> Humans are idiots, not news. Dilbert is a documentary.
If that were true, we would have raised the voting age to 30 globally by now.
And Dilbert has the luxury of living in a fucking cartoon world.
Re: (Score:1)
> If that were true, we would have raised the voting age to 30 globally by now.
Then you'd get outdated thinking, such as those paranoid of LGBTQ+ because it's "different and icky". But in the US older people tend to vote in higher proportion anyhow, so the end result voting profile is close to that anyhow.
> Dilbert has the luxury of living in a fucking cartoon world.
Many of the strips are motivated by actual events that readers sent to the author.
Re: (Score:2)
> If that were true, we would have raised the voting age to 30 globally by now.
Then you'd get outdated thinking, such as those paranoid of LGBTQ+ because it's "different and icky".
Forget any and every current factor such as LGBTQ+. Tell me something; is creating and warping public policy, discourse, and even law to accommodate every feeling and desire that 10% of a society has, worth it at the expense of the other 90%, or should we simply take that math on face value and call it nonsensical and hurtful to society at large? Or better yet, look at the end result. Trust itself, has been destroyed by everyone selling information for profit. We will pay dearly for that.
There is a reas
Re: (Score:2)
After fixing my mother's computer at her request, my dad came along later and fucked it all up because it didn't suit his preferences even though he used it once a year and she did every day.
After I was done ranting, I fixed it again and changed the admin password. Case closed.
Re: (Score:2)
> Is there a better way to go about it?
Notify the ISP.
They will notify the customer and later blackhole the CPE until the attacks stop. Admins who call will be told what's going on.
But does that set a useful legal precedent?
Re: (Score:2)
If people are super concerned about that, then they can choose to do one, or all, or any subset of the following actions:
1. change your fucking default password on your router so you don't get crapped up with Russian malware
2. disable the admin interface from being available on the port with a route to 0.0.0.0/0
3. disable SSH access unless you are actually using it (I believe this defaults "off" anyway)
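The hardening steps in this list (and the earlier complaint about the admin interface defaulting to 0.0.0.0/0) can be checked mechanically against a router's saved configuration. The following is an added example, not Ubiquiti's or any poster's code: a small audit of an EdgeOS-style, Vyatta-derived `config.boot` text that flags the default `ubnt` account and any `gui` or `ssh` service without a restricted `listen-address`. Both config snippets are constructed for illustration, the password hashes are placeholders, and the parser only handles the simple brace-delimited layout shown.

```python
"""Audit an EdgeOS-style (Vyatta-derived) config.boot for the exposures
discussed in this thread: a still-present default admin account, and the
web GUI or SSH service bound to every interface, including the WAN.

Added example, not Ubiquiti's code. The config text below is constructed;
PLACEHOLDER_HASH stands in for a real encrypted-password value.
"""

# Constructed sample resembling an out-of-the-box configuration:
# default 'ubnt' user, GUI and SSH enabled with no listen-address.
WEAK_CONFIG = """
service {
    gui {
        http-port 80
        https-port 443
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password PLACEHOLDER_HASH
            }
            level admin
        }
    }
}
"""

# Constructed sample after hardening: renamed admin user, SSH removed,
# GUI bound to the LAN address only.
HARDENED_CONFIG = """
service {
    gui {
        https-port 443
        listen-address 192.168.1.1
    }
}
system {
    login {
        user netadmin {
            authentication {
                encrypted-password PLACEHOLDER_HASH
            }
            level admin
        }
    }
}
"""


def parse_config(text):
    """Parse the brace-delimited config into nested dicts.

    A 'key value' line becomes {key: value}; a 'key {' or 'key name {'
    line opens a nested dict stored under the full header text
    (e.g. 'user ubnt'). Repeated leaf keys overwrite earlier ones.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    cfg = parse_config(text)
    findings = []

    # Management services with no (or a wildcard) listen-address answer on
    # every interface, which is the 0.0.0.0/0 exposure complained about above.
    service = cfg.get("service", {})
    for name in ("gui", "ssh"):
        if name not in service:
            continue
        addr = service[name].get("listen-address")
        if addr is None or addr == "0.0.0.0":
            findings.append(
                f"{name}: no listen-address, service reachable on all interfaces"
            )

    # The well-known default account is still configured. Its password cannot
    # be checked from the hash here; the account name alone is the signal.
    login = cfg.get("system", {}).get("login", {})
    if "user ubnt" in login:
        findings.append("login: default 'ubnt' account still present")

    return findings


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg_text) or ["no findings"])
```

The audit intentionally reports the default account rather than trying to recognize the default password from its hash, since the hash is salted and the account name is the reliable indicator. Extending the GUI check to the per-interface firewall rules the DOJ said it changed would follow the same pattern: walk `cfg["firewall"]` and confirm the WAN-facing rule set drops inbound traffic to the management ports.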
Re: (Score:2)
In my mind, this is unconstitutional government action. It's also action that was needed. The US Constitution was designed for a much different world, and wouldn't work in the modern world, so the government often ignores it, and this usually causes no problem. This is an example.
Perhaps there were better, legal, ways to solve the problem, but the govt. is in the habit of ignoring constitutional restrictions, so they just went ahead and acted. Note that this time they appear to have acted for the good o
Re: (Score:2)
It's one of those things that *feels* like it ought to be unconstitutional, but in fact if you follow these things it turns out that how the Constitution applies to such modern problems is often full of weird twists and corner cases. Back in 1986 Congress passed a huge raft of new statutory law [wikipedia.org] specifically to patch privacy holes in computer related stuff that anyone could see *should* be unconstitutional, but wasn't.
*Administrative inspections* are held to a much lower standard of scrutiny than *criminal
Re: (Score:2)
A law can't, officially, modify the constitution. That seems to be an example of what I mean about the govt. ignoring the constitution. Occasionally a challenge will wend its way through the courts and the Supreme Court will look at it. And come to a decision on some basis. Frequently they brutally twist the meanings of the words. (Consider the interstate commerce clause being used to prevent someone growing something for their own use on their own land.)
Re: Will set foil hats to 11 (Score:2)
Laws don't modify the Constitution. They exercise the power and discretion the Constitution gives Congress to solve problems the framers couldn't anticipate. In the case I cited that was a perfect example: data privacy. If you wrote a bill of rights today there'd surely be a lot in it about data privacy, but at the time of the framing they couldn't know the ways a government can intrude on your privacy that aren't a physical intrusion or confiscation of a physic
Re: (Score:2)
>In my mind, this is unconstitutional government action.
What part of it? "Intrusion" onto their property or fixing their shit?
Since they were pursuing criminals, intrusion is normally accepted for police. They generally won't fix your stuff though. Except that this stuff was doing illegal things. Can't have that. Since it is a National Security Issue lots of things also aren't unconstitutional, like telling people you fixed it.
So what part is unconstitutional ?
Re: (Score:1)
I'm glad I don't have mod points right now because I couldn't decide between "Funny" and "Insightful."
Please accept this virtual +2 from me.
Re: (Score:1, Troll)
But I mean, Joe Biden's a whole 4 years older than Trump, so BSAB.
Removed or replaced? (Score:2, Troll)
Interesting question (Score:2)
Is it, morally or legally, "right" to hack a system to keep it from being abused in a hack?
Re: (Score:3)
> Is it, morally or legally, "right" to hack a system to keep it from being abused in a hack?
Think "state monopoly on the use of force" to draw the line. It is morally and legally right for a country (or its gov't) to fend off a threat to herself, and that's what the spooks apparently did, while causing minimal to no collateral damage in the process. Even wiping all these poorly administrated and unmaintained routers off the face of the internet would have been fair game at this point.
Re: (Score:2)
Careful there, the "this is a threat to the state and we have to meet it" argument has been used in the last century way too often to justify installing an oppressive regime.
I'd rather accept a few crappy routers than the Gestapo kicking in my door because I'm a threat to the state because I question it.
Re: (Score:2)
> Careful there, the "this is a threat to the state and we have to meet it" argument has been used in the last century way too often to justify installing an oppressive regime.
The difference between a working democracy and an oppressive regime is not the existence or nonexistence of an active police force and military, but their public oversight, and consequences for abuse of power. So yes, we need to look very carefully, if the government pwns routers or bangs down doors, and as a matter of fact, we discuss this here, because we're part of an open debate about this. Public oversight is running its course here. Good.
> I'd rather accept a few crappy routers than the Gestapo kicking in my door because I'm a threat to the state because I question it.
This was not about a few bozos holding on to their unpatched Netgear
Re: (Score:2)
This is illegal in most of the EU and a court cannot order or authorize it. What would be legal is to ask ISPs to notify customers and/or have the ISP block them. But you cannot legally change the configuration or software on a device without explicit consent of the device owner.
What we need is some international laws to fix this situation. I am against "legal" hacking (far too many opportunities for the surveillance-fascists), but notify-then-block may be improved. For example, you could have a national a
Nice (Score:3)
They just had to hack into every router to see which one was infected.