A worm is reportedly spreading across thousands of Ubiquiti Networks routers running outdated firmware. In a security advisory, a Ubiquiti spokesperson said that over the past week, the worm has been using a known exploit to infect airOS M devices. The worm creates its own account on the compromised device and, from there, conducts mass infections of other routers both within the same subnet and on other networks.
The attacks affect the following Ubiquiti devices running outdated firmware:
- airMAX M
- airMAX AC
- airOS 802.11G
Any router that runs older versions of the firmware and has its HTTP/HTTPS interface exposed to the Internet could be infected. Ubiquiti released a patch for this vulnerability almost a year ago. However, as is often the case on these devices, many routers may still have old firmware installed.
During our analysis, we also found that Ubiquiti routers are being targeted with login attempts in separate attacks. In these cases, the attackers use default Ubiquiti credentials to try to gain access to the device.
How the worm attack works
For this campaign, the worm first infects one router and uses that to compromise other routers both within and outside of its network.
- The worm attempts to connect to a router through either the HTTP or HTTPS protocol. It uses an exploit for a known firmware vulnerability affecting login.cgi to upload files to arbitrary locations on the router.
- By exploiting this vulnerability, the worm can remotely copy itself to the router and create a back door account with the user name “mother” and the password “f u c k e r”.
- The threat adds iptables rules to block administrators from accessing the device through a web interface over HTTP/HTTPS.
- The worm copies itself to rc.poststart so that it remains on the router every time it restarts.
- The threat downloads a precompiled version of cURL to carry out its attack. cURL is a legitimate, open-source command line tool and library that allows users to transfer data using various network protocols, such as HTTP and HTTPS.
- After this activity, the worm begins to spread to other routers. It takes the IP address of the router it has already infected and uses this as the basis to generate new IP addresses. If the worm finds devices on these IP addresses, it uses the same arbitrary file-writing exploit to compromise them too.
- Once it arrives on other routers, the worm repeats the previous steps on the newly infected devices.
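The steps above leave a compromised device with three observable traces: the extra account, the iptables rules that drop web management traffic, and the boot-time entry in rc.poststart. The following is an added example, not code from Symantec or Ubiquiti, that checks artifacts copied off a device (the contents of /etc/passwd, the output of `iptables -S`, and rc.poststart, which on airOS we assume lives under /etc/persistent) for those indicators. The sample artifacts are constructed; the payload path in the sample rc.poststart is a placeholder, and the expected-account baseline is an assumption you should adjust to your own devices.

```python
"""Added example (not Symantec's or Ubiquiti's code): audit airOS artifacts
for the indicators of the router worm described in the text."""
import re

BACKDOOR_USER = "mother"   # account name the worm creates, per the report
WEB_PORTS = {"80", "443"}  # management interface ports the worm blocks

# Constructed sample artifacts, as they might be copied off an infected device.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "ubnt:x:0:0:Administrator:/etc/persistent:/bin/sh\n"
    "mother:x:0:0::/etc/persistent:/bin/sh\n"
)
SAMPLE_IPTABLES = (
    "-P INPUT ACCEPT\n"
    "-A INPUT -p tcp -m tcp --dport 80 -j DROP\n"
    "-A INPUT -p tcp -m tcp --dport 443 -j DROP\n"
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"
)
# Placeholder payload path: the real file name is not given in the report.
SAMPLE_POSTSTART = "#!/bin/sh\n/etc/persistent/example_payload &\n"

# Constructed clean artifacts for comparison.
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "ubnt:x:0:0:Administrator:/etc/persistent:/bin/sh\n"
)
CLEAN_IPTABLES = "-P INPUT ACCEPT\n-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"


def find_accounts(passwd_text, expected):
    """Account names present in /etc/passwd that are not in the expected baseline."""
    names = [line.split(":")[0] for line in passwd_text.splitlines() if ":" in line]
    return [n for n in names if n not in expected]


# An INPUT rule of the form "-A INPUT ... --dport N ... -j DROP|REJECT".
RULE_RE = re.compile(r"^-A INPUT\b.*--dport (\d+)\b.*-j (DROP|REJECT)\b")


def web_ports_blocked(iptables_text):
    """Web management ports that an INPUT rule drops or rejects, numerically sorted."""
    blocked = set()
    for line in iptables_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) in WEB_PORTS:
            blocked.add(m.group(1))
    return sorted(blocked, key=int)


def poststart_commands(poststart_text):
    """Lines of rc.poststart that actually execute at boot (comments and blanks dropped)."""
    return [s for s in (l.strip() for l in poststart_text.splitlines())
            if s and not s.startswith("#")]


def audit(passwd_text, iptables_text, poststart_text,
          expected_accounts=("root", "ubnt")):
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []
    extra = find_accounts(passwd_text, expected_accounts)
    if BACKDOOR_USER in extra:
        findings.append(f"backdoor account present: {BACKDOOR_USER}")
    for name in extra:
        if name != BACKDOOR_USER:
            findings.append(f"unexpected account: {name}")
    blocked = web_ports_blocked(iptables_text)
    if blocked:
        findings.append("web management blocked by iptables on ports " + ",".join(blocked))
    cmds = poststart_commands(poststart_text)
    if cmds:
        findings.append(f"rc.poststart runs {len(cmds)} command(s) at boot, e.g. {cmds[0]}")
    return findings


if __name__ == "__main__":
    for label, args in (("infected", (SAMPLE_PASSWD, SAMPLE_IPTABLES, SAMPLE_POSTSTART)),
                        ("clean", (CLEAN_PASSWD, CLEAN_IPTABLES, "#!/bin/sh\n"))):
        print(label, audit(*args) or "no indicators")
```

Any command in rc.poststart is reported, not just the worm's, because on a device that should have no custom persistent scripts every boot-time entry deserves a look; firmware 5.6.5 disables that mechanism entirely, so the check mainly matters on older firmware.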
While investigating this threat, we identified attempts to log into our honeypot routers over Secure Shell (SSH) using the default Ubiquiti credentials (user name: ubnt and password: ubnt). Data from our honeypots shows that these credentials are among the top five that attackers use to try to break into routers.
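The "top five credentials" figure above comes from tallying what a honeypot records. As an added example, not Symantec's honeypot code, the following script ranks the credential pairs tried against an SSH honeypot and reports which source addresses used the ubnt/ubnt default. The records are constructed, in a simple one-JSON-object-per-line shape that we assume here; real honeypots use their own formats, and the source addresses are from documentation ranges.

```python
"""Added example (not Symantec's honeypot code): tally credential pairs
tried against an SSH honeypot and single out known vendor defaults."""
import json
from collections import Counter

# Ubiquiti default from the report; extend with other vendors' defaults as needed.
KNOWN_DEFAULTS = {("ubnt", "ubnt")}

# Constructed honeypot records (assumed shape); the last line is deliberately malformed.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "user": "ubnt", "password": "ubnt"}
{"src": "203.0.113.7", "user": "root", "password": "admin"}
{"src": "198.51.100.23", "user": "ubnt", "password": "ubnt"}
{"src": "198.51.100.23", "user": "admin", "password": "admin"}
{"src": "203.0.113.7", "user": "ubnt", "password": "ubnt"}
{"src": "192.0.2.44", "user": "pi", "password": "raspberry"}
{"src": "192.0.2.44", "user": "root", "password": "root"}
this line is not JSON and must be skipped
"""


def parse_attempts(text):
    """Yield (src, user, password) per record; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            yield rec["src"], rec["user"], rec["password"]
        except (ValueError, KeyError):
            continue  # one bad record should not abort the whole tally


def top_credentials(text, n=5):
    """Most-tried (user, password) pairs as [((user, password), count), ...]."""
    return Counter((u, p) for _, u, p in parse_attempts(text)).most_common(n)


def default_credential_sources(text, defaults=KNOWN_DEFAULTS):
    """For each known default pair, the sorted source addresses that tried it."""
    hits = {pair: set() for pair in defaults}
    for src, u, p in parse_attempts(text):
        if (u, p) in hits:
            hits[(u, p)].add(src)
    return {pair: sorted(srcs) for pair, srcs in hits.items()}


def share_of_attempts(text, defaults=KNOWN_DEFAULTS):
    """Fraction of all parsed attempts that used a known default pair."""
    attempts = list(parse_attempts(text))
    if not attempts:
        return 0.0
    return sum(1 for _, u, p in attempts if (u, p) in defaults) / len(attempts)


if __name__ == "__main__":
    for (user, pw), count in top_credentials(SAMPLE_LOG):
        print(f"{count:4d}  {user}/{pw}")
    print("default-credential sources:", default_credential_sources(SAMPLE_LOG))
    print(f"share of attempts using defaults: {share_of_attempts(SAMPLE_LOG):.0%}")
```

Ranking by pair rather than by user name alone is what makes the default-credential problem visible: a user name that appears often with many passwords is a dictionary attack, while a single pair that recurs across unrelated sources is a default everyone knows.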
What the attackers want
So far this malware doesn’t seem to perform any activities beyond creating a back door account, blocking access to the device, and spreading to other routers. The attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation. Either way, this campaign potentially grants the attackers access to a large number of routers, putting their targets’ infrastructure at risk.
This isn’t the first time we’ve seen worms spreading across routers. Last year we observed Linux.Wifatch infecting routers and Internet of Things (IoT) devices that had outdated firmware or weak passwords. Ubiquiti routers were among the devices targeted in the Wifatch campaign.
The success of this attack demonstrates one of the challenges in IoT security: ensuring that devices are running the latest firmware and updates. Even though the vulnerability had been patched in the past year, the worm was still able to exploit it to infect thousands of routers.
Ubiquiti released a security update and highlighted that the affected vulnerability had been patched in version 5.6.2 of its firmware. The company also released version 5.6.5, which removes the known payloads and disables airOS devices' ability to use custom persistent scripts. Ubiquiti advises users to update their firmware and restrict access to management interfaces through firewall filtering.
Symantec recommends the following steps to stop these kinds of attacks from working:
- Keep your routers’ software and firmware up to date to prevent attackers from exploiting known vulnerabilities
- Change any default passwords that may be in use
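Keeping firmware current across a fleet starts with knowing which devices are still below the fixed version. The following is an added example, not Ubiquiti's tooling, that classifies inventory entries against the two versions the advisory names (5.6.2, where the vulnerability was patched, and 5.6.5, which also disables custom persistent scripts) and orders devices by urgency, putting vulnerable devices with an Internet-exposed management interface first. The inventory is constructed, and the "XM.v5.5.10"-style version strings are an assumption about how the firmware reports itself; the parser only relies on finding a major.minor.patch triple somewhere in the string.

```python
"""Added example (not Ubiquiti's tooling): flag inventory entries whose airOS
firmware predates the fix and rank them for remediation."""
import re

PATCHED_VERSION = (5, 6, 2)      # vulnerability fixed here, per the advisory
RECOMMENDED_VERSION = (5, 6, 5)  # also disables custom persistent scripts

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(s):
    """First major.minor.patch triple in a version string, as ints; None if absent.
    Integer tuples are essential: comparing the strings would put 5.10.0 before 5.6.2."""
    m = VERSION_RE.search(s or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version_str):
    """'vulnerable' below 5.6.2, 'patched' below 5.6.5, 'current' otherwise, 'unknown' if unparsable."""
    v = parse_version(version_str)
    if v is None:
        return "unknown"
    if v < PATCHED_VERSION:
        return "vulnerable"
    if v < RECOMMENDED_VERSION:
        return "patched"
    return "current"


# Constructed inventory: host name, reported firmware (assumed format), and whether the
# HTTP/HTTPS management interface is reachable from the Internet.
SAMPLE_INVENTORY = [
    {"host": "ap-01", "fw": "XM.v5.5.10", "web_public": True},
    {"host": "ap-02", "fw": "XM.v5.6.2", "web_public": False},
    {"host": "ap-03", "fw": "XW.v5.6.5", "web_public": True},
    {"host": "ap-04", "fw": "", "web_public": True},
]


def prioritize(inventory):
    """Devices as (host, state), most urgent first: vulnerable before unknown before
    patched before current, and within a state Internet-exposed devices first."""
    rank = {"vulnerable": 0, "unknown": 1, "patched": 2, "current": 3}
    rows = []
    for d in inventory:
        state = classify(d["fw"])
        rows.append((rank[state], 0 if d["web_public"] else 1, d["host"], state))
    rows.sort()
    return [(host, state) for _, _, host, state in rows]


if __name__ == "__main__":
    for host, state in prioritize(SAMPLE_INVENTORY):
        print(f"{host:8s} {state}")
```

A device whose firmware cannot be parsed is ranked just behind the known-vulnerable ones rather than ignored, since an unreadable version usually means the device has not been looked at either.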