Security Advisory Last Updated: 10:00PM ET, March 2nd, 2024

Who: This critical security advisory applies to any MSPs or Organizations currently utilizing Ubiquti EdgeRouters in production or test environments.

What: The Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners have released a joint Cybersecurity Advisory (CSA) warning MSPs and Organizations alike of state-sponsored cyber actor use of compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide. Please note, this is not a vulnerability alert, this is an advisory that malicious activity has been documented and confirmed to be actively taking place across a wide fleet of Ubiquiti EdgeRouters, and thus merits utmost expedited response.

Impact: According to threat research conducted by The FBI, NSA, US Cyber Command, and international partners – including authorities from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom, Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium), have used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools.

Recommended Actions towards Mitigation:

1) Performing a hardware factory reset on any Ubiquti EdgeRouters

2) Upgrading all Ubiquiti EdgeRouters to the latest firmware version

3) Changing any default usernames and passwords

4) Implementing strategic firewall rules on WAN-side interfaces belonging to EdgeRouters.

Why: BLOKWORX is urgently distributing this critical cybersecurity advisory, considering the significant adoption rate of Ubiquiti hardware for securing the network edge in numerous organizations.

Source: The Joint Cybersecurity Advisory published February 27th, 2024 can be found and reviewed in its entirety here.