Back

Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks

Aug. 7, 2024, 4:41 p.m.

Tags

espionage
botnet
cybercrime
proxy
2024-08-07
routers
ngioweb
sshdoor

External References

https://otx.alienvault.com/

Description

TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybercriminals renting out compromised routers and nation-state threat actors like Pawn Storm and Sandworm using dedicated proxy botnets. The analysis focuses on a criminal botnet of Ubiquiti EdgeRouters, disrupted by the FBI in January 2024, which Pawn Storm accessed in April 2022 for persistent espionage campaigns.

Date

Published Created Modified
Aug. 7, 2024, 4:16 p.m. Aug. 7, 2024, 4:16 p.m. Aug. 7, 2024, 4:41 p.m.

Indicators

fed8c98fc754aff95f8538b5bebce558eb274256b0265d4482a675b74e93cc93

f88d12332d2f58459f989c7c41b5381e8aed9c8c30c1d11373f0d1eb0b340b9a

f6541b569787aa050c54ad85976ac5b729697a022be188b0040d37aa91e49ae2

ef6fe4140001cb099968acd5772452859adbe7b57496389fbbf2342f9047b962

edefd297285090fe743f5c3b111bce54da40f43a32e15d8fa87b8a2c243f6d47

e3ba85e0bc978013b145ebb4c2d583b33422da93787ab8fb2185b55478652d91

dfc86b375e974b3092bbff41eb24db3281fb4fc104f1043a7afbf95f85a2c1d5

c290ab5d8ce9fcaa91da3b488c93dee1a4d0581c1335f19cb48027a5a03fe525

bd0ea597f24bb72f8db34b6b6d2c0bc70eb53df9eae40cdb216a13521145ab03

ad3fd3eb7a3a276ec0d384afb5b75fe7d9fc047bb0dab40f9d55870d4520c1f3

a4a95807f1c5b200d5d94e3e811a7c4af2d0d9ca88ca4d7f9d02015574f4716f

95995686b9af8b56c3fed1dadccf8b2ed5f417bb4eb8947a406a6e943cca33c6

944be9bb167a2f76fe2f539d3860bbf26301830c479bc68509af46e047993c8c

88f2d42bf225c930bc644f82bbd229e170d53dd1072e846e2883265a7ac33301

85a4151d790ab32d5321c6e71748b2446032e1775aedd0168be25f76bf4fe93f

844cc1807cc5b628b7aa807ef3b682d051c8ad5427df3d3e36c7e7633bfc5768

681a00df2e2cc680a4b68bdb6fe7d55c34d6d3fc35d462c78ebb659f9cb2cd60

4d35ae9669db428b72b1aaadd21dbed44ad2fc678efc8110d89ff723e0497406

53d687868fd7ab9e78aa09f696923bd3c057e4e50432d07210080474a8d879cb

4a932ccc8a45db6897a11de118cdbf67062569112f1caa69793669c5c24be708

2f182a6cb72712c340c2adb43843cfccb5916d236485de1c62fb40c883570824

2ae805b68d7408cc40ad058bc0b8b2b5c29d77760084a5230448e47cec1c43f4

28aee94e9a3f6c4296663bb853a5af5817ae109f066c88b7a245316a9a1e4712

2847ae693533406defecb226bfe6d62dd36905ff07add4e773426bde83e85ddc

17257ce42246b8c47f9ec639a6ffaca2bc14c21a22c4419bf468e3f1d491e330

104e3ea9a190ba039488f5200824fe883b98f6fe01d05a1b55e15ed2199c807a

0891588667da40da58ffaa8fedcddb0a9a172646ec12e6d0b9ce2acc2caa302b

86.123.151.53

32.143.50.222

24.88.87.29

193.34.166.176

185.62.58.141

185.227.137.200

184.75.134.59

185.62.58.20

172.114.170.18

Attack Patterns

Ngioweb

SSHDoor

Pawn Storm

T1609

T1568

T1211

T1588

T1556

T1091

T1583

T1567

T1189

T1598

T1071

T1219

T1592

T1190

T1090