The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets.
Moobot can be used to remote-control compromised devices and launch attacks against networks.
Non-GRU cybercriminals installed Moobot on Ubiquiti Edge OS routers using publicly known default administrator passwords, we're told.
The botnet targeted organizations that are of interest to the Russian government, including US and foreign governments and military, security, and corporate organizations.
In December Microsoft said the Fancy Bear crew had been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets such as government, defense, and aerospace agencies in the US and Europe, though it didn't say whether a botnet was used in the attacks.
Earlier this week it emerged Kremlin agents had been caught misusing OpenAI's models to generate phishing emails and malicious software scripts.
According to American prosecutors, the Feds were able to instruct the Moobot botnet to copy and delete malicious files - including the malware itself - and any stolen data on the compromised routers, likely similar to what the DOJ did with the recent Volt Typhoon KV botnet takedown.
That is to say, Uncle Sam was able to prevent Russia's use of the botnet by firewalling off remote management access, scrubbing the malware from the routers, and inspecting the Kremlin's handiwork on the infected equipment.
All this was carried out with the consent of the owners of infected equipment, we're told.
Plus, the Feds said, users can roll back Uncle Sam's firewall rule changes via factory resets, or the routers' web-based user interface, though bear in mind a reset potentially leaves devices open to hijacking again if one doesn't change the admin password from the default.
This is the second time in as many months that the Feds claim to have upended a state-sponsored botnet.
The first, announced in January, belonged to China's Volt Typhoon, which had abused hundreds of outdated Cisco and Netgear boxes to break into energy facilities, emergency networks and other US critical infrastructure orgs.
Fancy Bear is believed to have been behind intrusions into the US Democratic Party's computers during the 2016 US presidential race, and they have continued to try to disrupt elections ever since.
This Cyber News was published on go.theregister.com. Publication date: Thu, 15 Feb 2024 21:43:04 +0000