Hacking

A dangerous Worm is infected outdated Ubiquiti Devices worldwide

A worm is infecting routers and other wireless devices across the world made by the Ubiquiti Networks company.

An insidious worm is infecting routers and other wireless devices made by Ubiquiti Networks across the world. ISPs worldwide reported the malware-based attacks, the threat can take complete control of the wireless networking equipment by exploiting a year-old remote unauthorized access vulnerability.

The flaw exploited by attackers was reported to Ubiquiti last year through a bug bounty program

The presence of a large number of infected Ubiquiti devices is caused by the fact that the majority of them do not implements an auto update mechanism and unfortunately users are not aware of the importance of keeping them upgraded.

The worm allows attackers to establish a backdoor in the infected devices and to abuse their resources to scan the network searching for other systems to compromise.

“There have been several reports of infected airOS M devices over the last week.  From the samples we have seen, there are 2 different payloads that uses the same exploit.  We have confirmed these variations are using a known exploit that was reported and fixed last year.” states an advisory issued by Ubiquiti.

“This is an HTTP/HTTPS exploit that doesn’t require authentication.  Simply having a radio on outdated firmware and having it’s http/https interface exposed to the Internet is enough to get infected.  We are also recommending restricting all access to management interfaces via firewall filtering.”

The reports of infected devices are related to equipment belonging to the airMAX M Series, but experts explain that also AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber devices not patched are vulnerable to the worm.

The company recommends updating to 5.6.5 unless using legitimate rc. scripts.  Users that need the rc.scripts should run 5.6.4 for the time being.

In any case, the presence of firewall to regulate the remote access to the management interface represents an efficient measure to mitigate the risks.

Experts from Symantec noticed that after the worm set up a backdoor, it adds a firewall rule in order to block administrators from accessing the management interface. The malware obtain the persistence by copying itself to the rc.poststart script.

“So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers.” Reads a blog post published by Symantec. “It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation. Either way, this campaign potentially grants the attackers access to a large amount of routers, putting their targets’ infrastructure at risk.”

Users should use a Java application (running on Windows, Linux and MAC OS X) developed by the experts at Ubiquiti Networks to remove the worm from infected devices.

Despite the attackers haven’t exploited the botnet to attack other network infrastructures, the control of a so large number of devices represents a serious risk for any infrastructure exposed on the internet that could be targeted by threat actors.

Last yeat, security experts spotted a malware based campaign leveraging on the Linux.Wifatch that compromised a large number of SOHO and Internet of Things (IoT) devices running outdated firmware or protected with weak passwords.

A proper security posture is essential to prevent these attacks, keeo your device update and protect any system exposed on the Internet with a multi-player approach.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Ubiquiti Networks, worm)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

1 hour ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

5 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

19 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.