Ubiquiti Networks devices targeted by firmware worm
An exploit which can lead to completely hijacked network devices is being used in fresh campaigns against Ubiquiti Networks.
In a post on the Ubiquiti community forum, the company said it had received several reports of infected airOS M devices over the past week.
There are two exploits being launched against the firmware, however, the problems have arisen as some firmware on network devices is outdated.
The vulnerability is known and was patched in 2015.
The security flaw is a HTTP/HTTPS exploit which does not require authentication.
Ubiquiti says that vulnerable software has the web interface exposed, and so simply having a radio on outdated firmware is enough to become infected, leading to root and administrative control of the device.
Ubiquiti has provided a removal tool (.jar), to eradicate the infection from compromised devices which have already been infected with the malware.
The company's clients include the military, universities and players in hospitality. Should the worms continue to spread, this could cause chaos for businesses that may have to cope with network destruction, data theft and spying.
However, as noted by ThreatPost, one of the worms is a very peculiar infection. Rather than being used for malicious attacks centered on financial or data gains for the cyberattacker responsible, the worm does nothing more than stripping the hardware of pre-existing settings and reverts devices back to factory settings.
In addition, the worm makes its presence known by changing usernames and passwords on infected devices to profane variations.
Users of Ubiquiti devices should update their firmware to the latest version of airOS software, 5.6.5, which not only patches the problem but comes with additional security fixes and updates.
However, devices running airMAX M (Including airRouter) 5.5.11 XM/TI, 5.5.10u2 XM or 5.6.2+ XM/XW/TI, AirMAX AC 7.13 and above, ToughSwitch 1.3.2, airGateway 1.1.5+ and airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, AF5 2.2.1 and above are okay -- at least, for now.
Any versions of the firmware prior to these versions should be considered insecure.
If you are running legitimate rc.scripts on your hardware, Ubiquiti asks that you hold on and continue running 5.6.4 for the time being until the next firmware update which can support this feature without conflict is released.
Matt Hardy, head of security for Ubiquiti told the publication:
"It's a harmful worm, but it could be worse. It infects the device. It overrides the password file and then blocks ports on the device and tries to infect other machines.
Then the worm just changes the settings back to default -- requiring IT administrators to reconfigure every infected machine."