Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
Aug. 7, 2024, 4:41 p.m.
Tags
External References
Description
TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybercriminals renting out compromised routers and nation-state threat actors like Pawn Storm and Sandworm using dedicated proxy botnets. The analysis focuses on a criminal botnet of Ubiquiti EdgeRouters, disrupted by the FBI in January 2024, which Pawn Storm accessed in April 2022 for persistent espionage campaigns.
Date
Published: Aug. 7, 2024, 4:16 p.m.
Created: Aug. 7, 2024, 4:16 p.m.
Modified: Aug. 7, 2024, 4:41 p.m.
Indicators
fed8c98fc754aff95f8538b5bebce558eb274256b0265d4482a675b74e93cc93
f88d12332d2f58459f989c7c41b5381e8aed9c8c30c1d11373f0d1eb0b340b9a
f6541b569787aa050c54ad85976ac5b729697a022be188b0040d37aa91e49ae2
ef6fe4140001cb099968acd5772452859adbe7b57496389fbbf2342f9047b962
edefd297285090fe743f5c3b111bce54da40f43a32e15d8fa87b8a2c243f6d47
e3ba85e0bc978013b145ebb4c2d583b33422da93787ab8fb2185b55478652d91
dfc86b375e974b3092bbff41eb24db3281fb4fc104f1043a7afbf95f85a2c1d5
c290ab5d8ce9fcaa91da3b488c93dee1a4d0581c1335f19cb48027a5a03fe525
bd0ea597f24bb72f8db34b6b6d2c0bc70eb53df9eae40cdb216a13521145ab03
ad3fd3eb7a3a276ec0d384afb5b75fe7d9fc047bb0dab40f9d55870d4520c1f3
a4a95807f1c5b200d5d94e3e811a7c4af2d0d9ca88ca4d7f9d02015574f4716f
95995686b9af8b56c3fed1dadccf8b2ed5f417bb4eb8947a406a6e943cca33c6
944be9bb167a2f76fe2f539d3860bbf26301830c479bc68509af46e047993c8c
88f2d42bf225c930bc644f82bbd229e170d53dd1072e846e2883265a7ac33301
85a4151d790ab32d5321c6e71748b2446032e1775aedd0168be25f76bf4fe93f
844cc1807cc5b628b7aa807ef3b682d051c8ad5427df3d3e36c7e7633bfc5768
681a00df2e2cc680a4b68bdb6fe7d55c34d6d3fc35d462c78ebb659f9cb2cd60
4d35ae9669db428b72b1aaadd21dbed44ad2fc678efc8110d89ff723e0497406
53d687868fd7ab9e78aa09f696923bd3c057e4e50432d07210080474a8d879cb
4a932ccc8a45db6897a11de118cdbf67062569112f1caa69793669c5c24be708
2f182a6cb72712c340c2adb43843cfccb5916d236485de1c62fb40c883570824
2ae805b68d7408cc40ad058bc0b8b2b5c29d77760084a5230448e47cec1c43f4
28aee94e9a3f6c4296663bb853a5af5817ae109f066c88b7a245316a9a1e4712
2847ae693533406defecb226bfe6d62dd36905ff07add4e773426bde83e85ddc
17257ce42246b8c47f9ec639a6ffaca2bc14c21a22c4419bf468e3f1d491e330
104e3ea9a190ba039488f5200824fe883b98f6fe01d05a1b55e15ed2199c807a
0891588667da40da58ffaa8fedcddb0a9a172646ec12e6d0b9ce2acc2caa302b
86.123.151.53
32.143.50.222
24.88.87.29
193.34.166.176
185.62.58.141
185.227.137.200
184.75.134.59
185.62.58.20
172.114.170.18
xfgjgjkuykykgihguifdt.mywire.org
vrrumover0.vrrum0.farted.net
trompadiom.tutotame.bigbox.info
terminal.ooguy.com
speddot.seburn.net
puffypuf.gleeze.com
mumucnc.kozow.com
moreover.lostgumball.com
kjskrvmwerffssd.kozow.com
li4858member.possessed.us
gopremium.mooo.com
founderside.joseulloa.cl
enforcer.mywire.org
dfgtjytdfs.work.gd
clientrun.compuinter.com
changepassword.giize.com
underuvukent.com
subonuker.name
ultradomafy.net
semiridinution-postepudency.com
minixetepate.biz
promexucate.com
macrofocafify.org
interocakate.com
emelenalike.com
decumify.net
antihicipate.com
packinstall.kozow.com
Attack Patterns
Ngioweb
SSHDoor
Pawn Storm
T1609
T1568
T1211
T1588
T1556
T1091
T1583
T1567
T1189
T1598
T1071
T1219
T1592
T1190
T1090