Ubiquiti routers hit by backdoor-generating worm

A worm targeting wireless network equipment developed by US-based Ubiquiti Networks has already managed to compromise thousands of routers across the world.

To spread it, whoever is behind these attacks is exploiting an old bug in airOS, the firmware that runs on the company’s networking devices.

“From the samples we have seen, there are 2 different payloads that use the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year,” Ubiquiti noted.

“This is an HTTP/HTTPS exploit that doesn’t require authentication. Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.”

According to Symantec researchers, once it leverages the exploit, the worm copies itself onto the device and creates a backdoor account with the following username/password combination: mother/fucker.

It then adds iptables rules to block administrators from accessing the device through the web interface over HTTP/HTTPS, copies itself once again so that it survives router restarts, and downloads a precompiled version of cURL, which it uses to spread to other routers within the same subnet and on other networks.

Once a new device is compromised, the entire sequence is repeated.
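The two defender-side actions the article implies, checking a device for the indicators Symantec describes (an unexpected account and iptables rules that lock administrators out of the HTTP/HTTPS interface) and applying the firewall filtering Ubiquiti recommends, can be scripted against the device's own artifacts. The following is an added example written for this page, not code from Symantec, Ubiquiti or the worm's analysis: the `/etc/passwd` and `iptables-save` excerpts are constructed samples (only the account name `mother` comes from the article; its UID and the exact rule text are assumptions), the set of known-good accounts is a per-site baseline you would supply, and the management subnet used for the allow-list rules is a documentation address.

```python
"""Audit airOS-style device dumps for the worm's indicators and emit
allow-list firewall rules for the management interface.

Added example; not the article's, Symantec's or Ubiquiti's code.
"""
import re

# Constructed sample of /etc/passwd from an infected device (assumption:
# the backdoor account is a UID 0 entry; the article only gives its name).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:admin:/home/admin:/bin/sh
mother:x:0:0::/:/bin/sh
"""

# Constructed sample of `iptables-save` output: the worm's lockout rules
# drop inbound HTTP/HTTPS so administrators cannot reach the web UI.
SAMPLE_IPTABLES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

KNOWN_ACCOUNTS = {"root", "admin"}  # assumed per-site baseline of legitimate users
MGMT_PORTS = {80, 443}              # the HTTP/HTTPS management ports

# An INPUT rule that drops or rejects a single destination port.
DROP_RULE = re.compile(r"^-A INPUT\b.*--dport\s+(\d+)\b.*-j\s+(DROP|REJECT)\b")


def unexpected_accounts(passwd_text, baseline=KNOWN_ACCOUNTS):
    """Return (user, uid) for every passwd entry not in the baseline."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; ignore rather than crash the audit
        user, uid = fields[0], fields[2]
        if user not in baseline:
            found.append((user, uid))
    return found


def management_lockout_rules(iptables_text, ports=MGMT_PORTS):
    """Return INPUT rules that drop/reject traffic to a management port."""
    hits = []
    for line in iptables_text.splitlines():
        rule = line.strip()
        m = DROP_RULE.match(rule)
        if m and int(m.group(1)) in ports:
            hits.append(rule)
    return hits


def assess(passwd_text, iptables_text):
    """Combine both checks into one verdict for the device."""
    accounts = unexpected_accounts(passwd_text)
    lockouts = management_lockout_rules(iptables_text)
    return {
        "unexpected_accounts": accounts,
        "lockout_rules": lockouts,
        "suspicious": bool(accounts or lockouts),
    }


def management_allowlist_rules(mgmt_cidr):
    """Standard iptables rules that permit HTTP/HTTPS only from a management
    subnet and drop it from everywhere else (Ubiquiti's firewall advice)."""
    ports = ",".join(str(p) for p in sorted(MGMT_PORTS))
    return [
        f"-A INPUT -s {mgmt_cidr} -p tcp -m multiport --dports {ports} -j ACCEPT",
        f"-A INPUT -p tcp -m multiport --dports {ports} -j DROP",
    ]


if __name__ == "__main__":
    verdict = assess(SAMPLE_PASSWD, SAMPLE_IPTABLES)
    print("suspicious:", verdict["suspicious"])
    for user, uid in verdict["unexpected_accounts"]:
        print(f"  unexpected account {user} (uid {uid})")
    for rule in verdict["lockout_rules"]:
        print(f"  lockout rule: {rule}")
    print("recommended management allow-list (192.0.2.0/24 is a placeholder):")
    for rule in management_allowlist_rules("192.0.2.0/24"):
        print(" ", rule)
```

Run it against `cat /etc/passwd` and `iptables-save` output pulled from a device over an out-of-band path; a hit on either check is enough to justify Ubiquiti's removal tool and a firmware upgrade, and the allow-list rules go into the device firewall regardless of whether it was ever infected.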

“So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers,” the researchers noted.

“It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation. Either way, this campaign potentially grants the attackers access to a large amount of routers, putting their targets’ infrastructure at risk.”

During the same period, Symantec’s honeypot routers have repeatedly been hit with access attempts using default Ubiquiti credentials, but it’s unknown if these attacks are connected.

Ubiquiti has provided a list of devices/firmware versions that are safe from the exploit, and has advised users of others to update their firmware.

They have also provided a removal tool for the worm, which also has the option to upgrade firmware to the latest version (5.6.5).