Russian military botnet discovered on 1000+ compromised routers — FBI deactivated Moobot by taking control of impacted routers


GRU-funded hacking team Fancy Bear has been caught installing Moobot malware on "well over a thousand" unsecured home and business routers using the default admin password as the infection vector, says FBI Director Christopher Wray [h/t The Register]. 

Moobot was used to build a working botnet of compromised routers that the GRU and Fancy Bear were using for undisclosed purposes, and the scale of the breach is not encouraging. The FBI acted to isolate the malware and remove it from all infected units. The root cause is a failure of cybersecurity basics that the public is rarely taught (change the admin password, unless you want someone else to change it for you), so this is not a hardware vulnerability that can only be fixed with a board revision.

As simple as the root of the issue was (unchanged default admin passwords), the extent of the Moobot infection required some substantial technical steps from the FBI to neutralize it. First, agents used Moobot's own functionality to copy and then delete all malicious files, including the malware itself, from the impacted routers. Then, they firewalled the routers to block remote management access (and thus further hijacking) before scrubbing the routers' data and inspecting the equipment.

Following the removal of the Moobot malware, the Feds returned the hardware to its original owners, albeit with their settings changes still applied. Users can reset the devices, but the Justice Department warned that "a factory reset that is not also accompanied by a change of the default administrator password will return the router to its default administrator credentials, leaving the router open to reinfection or similar compromises." 

In today's era of international cyber attacks and data heists, it's prudent to change the default passwords on your network devices as soon as possible and to safely maintain and change your existing passwords as necessary. It's also a good idea to ensure that your router is running on current firmware that contains the latest security and performance updates. No one wants to unknowingly lose computational, network, or even financial resources to some foreign government, cybercriminal, or creepy neighbor if they can avoid it.
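As an added illustration of the Justice Department's warning above (this is not code from the original article or from any router vendor), here is a small Python audit over a constructed router configuration. It shows that a bare factory reset restores the default credentials, while a reset followed by a password change and closing WAN-side management clears the findings. The model names, the default-credential table and the firmware versions are made-up placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed vendor-default credential table (placeholder models, not real products).
DEFAULT_CREDENTIALS = {
    "ExampleCo RT-100": ("admin", "admin"),
    "ExampleCo RT-200": ("admin", "password"),
}

@dataclass(frozen=True)
class RouterConfig:
    model: str
    admin_user: str
    admin_password: str
    wan_admin_enabled: bool     # management interface reachable from the internet side
    firmware: str
    latest_firmware: str        # assumed to have been looked up from the vendor beforehand

def factory_reset(cfg: RouterConfig) -> RouterConfig:
    """Model of a factory reset: the vendor default credentials come back (the DOJ caveat)."""
    user, pw = DEFAULT_CREDENTIALS[cfg.model]
    return replace(cfg, admin_user=user, admin_password=pw)

def harden(cfg: RouterConfig, new_password: str) -> RouterConfig:
    """Reset, then set a fresh admin password and close WAN-side management."""
    return replace(factory_reset(cfg), admin_password=new_password, wan_admin_enabled=False)

def audit(cfg: RouterConfig) -> list[str]:
    """Return the findings a defender would act on; an empty list means no issues."""
    findings = []
    if (cfg.admin_user, cfg.admin_password) == DEFAULT_CREDENTIALS.get(cfg.model):
        findings.append("default admin credentials in use")
    if cfg.wan_admin_enabled:
        findings.append("remote management reachable from the WAN")
    # Plain string comparison for the placeholder; real version strings need a proper compare.
    if cfg.firmware != cfg.latest_firmware:
        findings.append(f"firmware {cfg.firmware} is not the current {cfg.latest_firmware}")
    return findings

# Constructed sample: a router that was cleaned but still carries its default credentials.
SAMPLE = RouterConfig("ExampleCo RT-100", "admin", "admin", True, "1.0.2", "1.0.5")

if __name__ == "__main__":
    for label, cfg in [("as found", SAMPLE),
                       ("after bare factory reset", factory_reset(SAMPLE)),
                       ("after reset + new password + WAN admin off", harden(SAMPLE, "new-secret"))]:
        print(label, audit(cfg))
```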

  • digitalgriffin
    I'm semi okay with our government disabling IPs with infected devices through the ISP, with cause and reason (i.e., national security). I would go even further to say ISPs must issue security scans (basic pen testing) of their customers and keep the records for national security interest in an anonymous report by using salted hashes of modem MACs (just the vulnerabilities).

    99% of people don't update firmware. But if their IP was disabled, because of being infected, I bet they would change soon enough.

    But this could also be an excuse by government to shut down public communications they disagree with. (For example criticizing the government). Other foreign entities already censor speech through electronic means.
  • TechLurker
    All the more reason why I appreciate that router/switch companies were forced to go with random passwords for each device sold, reducing issues like this.
  • BillyBuerger
    Was it also the default setting on these routers to allow admin/management of the router through the external connection? That stuff should always require an internal connection. These things sound like they were designed to be hacked.
  • JTWrenn
    BillyBuerger said:
    Was it also the default setting on these routers to allow admin/management of the router through the external connection? That stuff should always require an internal connection. These things sound like they were designed to be hacked.
    I think it was done through other means but am not sure, i.e., malware on a system that is used to infect a router. The malware gets detected and killed but it lives on in the router.
  • digitalgriffin
    BillyBuerger said:
    Was it also the default setting on these routers to allow admin/management of the router through the external connection? That stuff should always require an internal connection. These things sound like they were designed to be hacked.
    There are certain services which, even if off, can be accessed through the web. There was a hack about 8 years back that did this. Once they compromise the machine they can upload a custom firmware making it difficult to fix.
  • Vanderlindemedia
    You will be surprised how many units or devices are set to the standard web interface with a default admin/admin combo. I mean just google "Name router + model number default user pass" and you'll get a ton of devices. Would be quite easy to port scan a large subnet, extract the responding IPs and ports and start hacking your way in.
  • SirDave82
    A couple of months ago I spotted a Russian IP scanning my network after I built a pfSense firewall from an old PC. I blocked it of course, and remote management was already disabled. I reported it to Spectrum internet and they were baffled how I knew it was Russian. It's shameful that some geek in South Texas with a free firewall spotted this before the feds. I'm surrounded by morons!
  • USAFRet
    SirDave82 said:
    A couple of months ago I spotted a Russian IP scanning my network after I built a pfSense firewall from an old PC. I blocked it of course, and remote management was already disabled. I reported it to Spectrum internet and they were baffled how I knew it was Russian. It's shameful that some geek in South Texas with a free firewall spotted this before the feds. I'm surrounded by morons!
    Absolutely not unusual.

    Several years ago, when my QNAP NAS was new, it was sort of opened to the outside world.
    Defaults turned off, blah blah.

    But it was getting access hits from everywhere.
    Russia, Switzerland, Ohio, Portugal, China, etc etc.
    Every day, sometimes dozens per day.

    The IP may have been Russia, but the entity controlling the botnet could have been anywhere.
  • Vanderlindemedia
    Lol...

    I run 15 webservers. I can pretty much say that 40% of all combined traffic is foreign, infested botnets scanning for the obvious exploits. Especially when you have or run WordPress sites.

    The majority of "infected" IPs belong to a botnet, controlled by a larger master.