An insidious worm is infecting routers and other wireless devices made by Ubiquiti Networks across the world. ISPs worldwide reported the malware-based attacks, the threat can take complete control of the wireless networking equipment by exploiting a year-old remote unauthorized access vulnerability.
The flaw exploited by attackers was reported to Ubiquiti last year through a bug bounty program
The presence of a large number of infected Ubiquiti devices is caused by the fact that the majority of them do not implements an auto update mechanism and unfortunately users are not aware of the importance of keeping them upgraded.
The worm allows attackers to establish a backdoor in the infected devices and to abuse their resources to scan the network searching for other systems to compromise.
“There have been several reports of infected airOS M devices over the last week. From the samples we have seen, there are 2 different payloads that uses the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year.” states an advisory issued by Ubiquiti.
“This is an HTTP/HTTPS exploit that doesn’t require authentication. Simply having a radio on outdated firmware and having it’s http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.”
The reports of infected devices are related to equipment belonging to the airMAX M Series, but experts explain that also AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber devices not patched are vulnerable to the worm.
The company recommends updating to 5.6.5 unless using legitimate rc. scripts. Users that need the rc.scripts should run 5.6.4 for the time being.
In any case, the presence of firewall to regulate the remote access to the management interface represents an efficient measure to mitigate the risks.
Experts from Symantec noticed that after the worm set up a backdoor, it adds a firewall rule in order to block administrators from accessing the management interface. The malware obtain the persistence by copying itself to the rc.poststart script.
“So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers.” Reads a blog post published by Symantec. “It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation. Either way, this campaign potentially grants the attackers access to a large amount of routers, putting their targets’ infrastructure at risk.”
Users should use a Java application (running on Windows, Linux and MAC OS X) developed by the experts at Ubiquiti Networks to remove the worm from infected devices.
Despite the attackers haven’t exploited the botnet to attack other network infrastructures, the control of a so large number of devices represents a serious risk for any infrastructure exposed on the internet that could be targeted by threat actors.
Last yeat, security experts spotted a malware based campaign leveraging on the Linux.Wifatch that compromised a large number of SOHO and Internet of Things (IoT) devices running outdated firmware or protected with weak passwords.
A proper security posture is essential to prevent these attacks, keeo your device update and protect any system exposed on the Internet with a multi-player approach.
If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.
(Security Affairs – Ubiquiti Networks, worm)