Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks

Aug. 7, 2024, 4:41 p.m.

Description

TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybercriminals renting out compromised routers and nation-state threat actors like Pawn Storm and Sandworm using dedicated proxy botnets. The analysis focuses on a criminal botnet of Ubiquiti EdgeRouters, disrupted by the FBI in January 2024, which Pawn Storm accessed in April 2022 for persistent espionage campaigns.

External References

https://otx.alienvault.com/pulse/66b39de921cdfe8b6ebcc220
Tags
espionage
botnet
cybercrime
proxy
2024-08-07
routers
ngioweb
sshdoor

Date

  • Created: Aug. 7, 2024, 4:16 p.m.
  • Published: Aug. 7, 2024, 4:16 p.m.
  • Modified: Aug. 7, 2024, 4:41 p.m.

Indicators

  • fed8c98fc754aff95f8538b5bebce558eb274256b0265d4482a675b74e93cc93
  • f88d12332d2f58459f989c7c41b5381e8aed9c8c30c1d11373f0d1eb0b340b9a
  • f6541b569787aa050c54ad85976ac5b729697a022be188b0040d37aa91e49ae2
  • ef6fe4140001cb099968acd5772452859adbe7b57496389fbbf2342f9047b962
  • edefd297285090fe743f5c3b111bce54da40f43a32e15d8fa87b8a2c243f6d47
  • e3ba85e0bc978013b145ebb4c2d583b33422da93787ab8fb2185b55478652d91
  • dfc86b375e974b3092bbff41eb24db3281fb4fc104f1043a7afbf95f85a2c1d5
  • c290ab5d8ce9fcaa91da3b488c93dee1a4d0581c1335f19cb48027a5a03fe525
  • bd0ea597f24bb72f8db34b6b6d2c0bc70eb53df9eae40cdb216a13521145ab03
  • ad3fd3eb7a3a276ec0d384afb5b75fe7d9fc047bb0dab40f9d55870d4520c1f3
  • a4a95807f1c5b200d5d94e3e811a7c4af2d0d9ca88ca4d7f9d02015574f4716f
  • 95995686b9af8b56c3fed1dadccf8b2ed5f417bb4eb8947a406a6e943cca33c6
  • 944be9bb167a2f76fe2f539d3860bbf26301830c479bc68509af46e047993c8c
  • 88f2d42bf225c930bc644f82bbd229e170d53dd1072e846e2883265a7ac33301
  • 85a4151d790ab32d5321c6e71748b2446032e1775aedd0168be25f76bf4fe93f
  • 844cc1807cc5b628b7aa807ef3b682d051c8ad5427df3d3e36c7e7633bfc5768
  • 681a00df2e2cc680a4b68bdb6fe7d55c34d6d3fc35d462c78ebb659f9cb2cd60
  • 4d35ae9669db428b72b1aaadd21dbed44ad2fc678efc8110d89ff723e0497406
  • 53d687868fd7ab9e78aa09f696923bd3c057e4e50432d07210080474a8d879cb
  • 4a932ccc8a45db6897a11de118cdbf67062569112f1caa69793669c5c24be708
  • 2f182a6cb72712c340c2adb43843cfccb5916d236485de1c62fb40c883570824
  • 2ae805b68d7408cc40ad058bc0b8b2b5c29d77760084a5230448e47cec1c43f4
  • 28aee94e9a3f6c4296663bb853a5af5817ae109f066c88b7a245316a9a1e4712
  • 2847ae693533406defecb226bfe6d62dd36905ff07add4e773426bde83e85ddc
  • 17257ce42246b8c47f9ec639a6ffaca2bc14c21a22c4419bf468e3f1d491e330
  • 104e3ea9a190ba039488f5200824fe883b98f6fe01d05a1b55e15ed2199c807a
  • 0891588667da40da58ffaa8fedcddb0a9a172646ec12e6d0b9ce2acc2caa302b
  • 86.123.151.53
  • 32.143.50.222
  • 24.88.87.29
  • 193.34.166.176
  • 185.62.58.141
  • 185.227.137.200
  • 184.75.134.59
  • 185.62.58.20
  • 172.114.170.18
  • xfgjgjkuykykgihguifdt.mywire.org
  • vrrumover0.vrrum0.farted.net
  • trompadiom.tutotame.bigbox.info
  • terminal.ooguy.com
  • speddot.seburn.net
  • puffypuf.gleeze.com
  • mumucnc.kozow.com
  • moreover.lostgumball.com
  • kjskrvmwerffssd.kozow.com
  • li4858member.possessed.us
  • gopremium.mooo.com
  • founderside.joseulloa.cl
  • enforcer.mywire.org
  • dfgtjytdfs.work.gd
  • clientrun.compuinter.com
  • changepassword.giize.com
  • underuvukent.com
  • subonuker.name
  • ultradomafy.net
  • semiridinution-postepudency.com
  • minixetepate.biz
  • promexucate.com
  • macrofocafify.org
  • interocakate.com
  • emelenalike.com
  • decumify.net
  • antihicipate.com
  • packinstall.kozow.com
Download all indicators here!

Attack Patterns

  • Ngioweb
  • SSHDoor
  • Pawn Storm