Thousands of routers across the world developed by US-based Ubiquiti networks have been compromised by a targeted worm attack. An old bug in the firmware that runs the company’s networking devices, airOS is been exploited in these attacks.
“From the samples we have seen, there are 2 different payloads that use the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year,” Ubiquiti noted.
“This is an HTTP/HTTPS exploit that doesn’t require authentication. Simply having a radio on outdated firmware and having it’s http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.”
According to reports from Symantec researchers, once the bug is exploited, the worm duplicates itself and creates a backdoor account with user name: mother and password: fucker. It then adds iptables rules to block administrators from reaching the device over HTTP/HTTPS and then duplicates itself across routers within the same subnet and on other networks.
“So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers,” the researchers noted.
Ubiquiti has provided a list of devices/firmware versions that are safe from the exploit, and has advised users of others to update their firmware.
They have also provided a removal tool for the worm, which also has the option to upgrade firmware to the latest version (5.6.5).