Many Ubiquiti AirOS Routers Are On Under Worm Attack

Many Ubiquiti AirOS Routers Are On Under Worm Attack.

According to an “urgent” warning posted by the company on a user forum  that a worm which made its way into Ubiquiti Networks equipment via the outdated AirOS firmware that has caused havoc on ISPs as well as any others in the U.S. Brazil, Argentina and Spain which use the networking platform of Ubiquiti.

The company wrote that “From the samples we have seen there are 2 different payloads that use [sic] the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year.”

According to Symantac,

How the worm attack works
For this campaign, the worm first infects one router and uses that to compromise other routers both within and outside of its network.

1. The worm attempts to connect to a router though either the HTTP or HTTPS protocol. It uses an exploit for a known firmware vulnerability affecting login.cgi to upload files to arbitrary locations on the router.
2. By exploiting this vulnerability, the worm can remotely copy itself to the router and create a back door account with the user name “mother” and the password “f u c k e r”.
3. The threat adds iptables rules to block administrators from accessing the device through a web interface over HTTP/HTTPS.
4. The worm copies itself to rc.poststart so that it remains on the router every time it restarts.
5. The threat downloads a precompiled version of cURL to carry out its attack. cURL is a legitimate, open-source command line tool and library that allows users to transfer data using various network protocols, such as HTTP and HTTPS.

After this activity, the worm begins to spread to other routers. It takes the IP address of the router it has already infected and uses this as the basis to generate new IP addresses. If the worm finds devices on these IP addresses, it uses the same arbitrary file-writing exploit to compromise them too.
Once it arrives on other routers, the worm repeats the previous steps on the newly infected devices.

The Http/https develops does not need any type of authentication that’s why the devices can be affected easily if a radio is on outdated firmware, as well as its Http/https interface, is uncovered to the internet. Whereas the company urged “restricting all access to management interfaces via firewall filtering.The warning also recommended “updating to 5.6.5 unless using legitimate. Scripts in which case 5.6.4 should be run “for the time being.”

And on the launching of 5.6.5 disables that custom on script usage as well as it allows the Syslog by default and then it offers the security updates for malware scripts check as well as removal.

Travis Smith who is the senior security research engineer at Tripwire said in emailed comments that “Enterprises have a well-established relationship with their vendors and are generally alerted quickly of updates to the products used in their environment. On the consumer side, that relationship is generally non-existent.  Few consumer products are built to install updates automatically Unless the end-user registered their product when it was purchased, the vendor doesn't have a clear path to alert the user of known vulnerabilities. Out of sight, out of mind.”

And also Smith added that the consumers do not critically “bother going back to check for updates. Even when vendors are responsible and provide updates quickly, the consumer also has the responsibility to make sure we install the updates when available.”