A dangerous worm is infecting outdated Ubiquiti devices worldwide

Pierluigi Paganini May 22, 2016

A worm is infecting routers and other wireless devices made by Ubiquiti Networks across the world.

An insidious worm is infecting routers and other wireless devices made by Ubiquiti Networks across the world. ISPs worldwide have reported the malware-based attacks; the threat can take complete control of the wireless networking equipment by exploiting a year-old remote unauthorized-access vulnerability.

The flaw exploited by the attackers was reported to Ubiquiti last year through a bug bounty program.

The large number of infected Ubiquiti devices is explained by the fact that most of them do not implement an auto-update mechanism, and unfortunately users are not aware of the importance of keeping them upgraded.

The worm allows attackers to establish a backdoor on infected devices and to abuse their resources to scan the network for other systems to compromise.

“There have been several reports of infected airOS M devices over the last week. From the samples we have seen, there are 2 different payloads that use the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year,” states an advisory issued by Ubiquiti.

“This is an HTTP/HTTPS exploit that doesn’t require authentication. Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.”

The reports of infected devices concern equipment belonging to the airMAX M series, but experts explain that unpatched airMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber devices are also vulnerable to the worm.

[Image: Ubiquiti Networks airMAX]

The company recommends updating to 5.6.5 unless legitimate rc.scripts are in use. Users that need the rc.scripts should run 5.6.4 for the time being.

In any case, a firewall that restricts remote access to the management interface is an effective measure to mitigate the risk.

Experts from Symantec noticed that after the worm sets up a backdoor, it adds a firewall rule in order to block administrators from accessing the management interface. The malware obtains persistence by copying itself to the rc.poststart script.
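The advisory's two mitigations (firmware at 5.6.5, or 5.6.4 where custom rc.scripts are still needed, and no HTTP/HTTPS management interface reachable from the Internet) and the two post-infection indicators described above (a persistence entry in rc.poststart and a firewall rule that locks administrators out of the management ports) can be turned into a simple inventory audit. The following Python script is an added example written for this article; it is not code from Ubiquiti or Symantec. The device records, the rc.poststart contents and the iptables-style rule format are constructed assumptions, and the "exposed to the Internet" flag is assumed to come from an external inventory rather than being probed here.

```python
"""Audit a constructed airOS device inventory against the advisory's
mitigations and the infection indicators described in the article.
Added example; device data and rule format are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ports of the HTTP/HTTPS management interface named in the advisory.
MGMT_PORTS = {80, 443}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted firmware version such as '5.6.4' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def firmware_is_current(version: str, needs_rc_scripts: bool) -> bool:
    """5.6.5 is the recommended release; devices that still need rc.scripts
    should run 5.6.4 for the time being, per the article."""
    required = (5, 6, 4) if needs_rc_scripts else (5, 6, 5)
    return parse_version(version) >= required


def rule_blocks_mgmt(rule: str) -> bool:
    """True if an iptables-style rule (constructed format) drops or rejects
    traffic to a management port, which the worm does to lock admins out."""
    tokens = rule.split()
    if not ({"DROP", "REJECT"} & set(tokens)):
        return False
    for i, token in enumerate(tokens):
        if token == "--dport" and i + 1 < len(tokens):
            port = tokens[i + 1]
            if port.isdigit() and int(port) in MGMT_PORTS:
                return True
    return False


@dataclass
class Device:
    name: str
    firmware: str
    needs_rc_scripts: bool
    mgmt_exposed_to_internet: bool  # assumed to come from an external inventory
    rc_poststart: str = ""          # contents of the device's rc.poststart script
    firewall_rules: List[str] = field(default_factory=list)


def audit(dev: Device) -> List[str]:
    """Return one finding per mitigation gap or infection indicator."""
    findings: List[str] = []
    if not firmware_is_current(dev.firmware, dev.needs_rc_scripts):
        target = "5.6.4" if dev.needs_rc_scripts else "5.6.5"
        findings.append(f"outdated firmware {dev.firmware}; update to {target}")
    if dev.mgmt_exposed_to_internet:
        findings.append("HTTP/HTTPS management interface reachable from the "
                        "Internet; restrict it with firewall filtering")
    if dev.rc_poststart.strip():
        findings.append("rc.poststart is not empty; review it for unexpected "
                        "persistence entries")
    for rule in dev.firewall_rules:
        if rule_blocks_mgmt(rule):
            findings.append(f"firewall rule blocks management access: {rule!r}")
    return findings


def audit_all(devices: List[Device]) -> Dict[str, List[str]]:
    return {dev.name: audit(dev) for dev in devices}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("ap-site-1", "5.5.10", False, True),
    Device("ap-site-2", "5.6.4", True, False),
    Device("ap-site-3", "5.6.2", False, True,
           rc_poststart="# constructed: unexpected entry\n/etc/persistent/unknown_binary &\n",
           firewall_rules=["-A INPUT -p tcp --dport 443 -j DROP"]),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

The non-empty rc.poststart check is deliberately coarse: on a fleet where that script is normally empty, any content is worth a look, while a fleet that legitimately uses rc.scripts would compare the contents against a known-good copy instead.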

“So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers,” reads a blog post published by Symantec. “It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation. Either way, this campaign potentially grants the attackers access to a large amount of routers, putting their targets’ infrastructure at risk.”

Users should use a Java application (running on Windows, Linux and Mac OS X) developed by the experts at Ubiquiti Networks to remove the worm from infected devices.

Although the attackers have not yet used the botnet to attack other network infrastructures, control of such a large number of devices represents a serious risk for any infrastructure exposed on the Internet that could be targeted by threat actors.

Last year, security experts spotted a malware-based campaign leveraging Linux.Wifatch that compromised a large number of SOHO and Internet of Things (IoT) devices running outdated firmware or protected by weak passwords.

A proper security posture is essential to prevent these attacks: keep your devices updated and protect any system exposed on the Internet with a multi-layer approach.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community is a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi


Pierluigi Paganini

(Security Affairs – Ubiquiti Networks, worm)

