Ubiquiti Based Wireless Broadband Networks Being Hit by Malware

Ubiquiti Networks has confirmed that some of their kit, which is used by wireless ISPs around the world (e.g. Vispa in the UK), is being attacked by a nasty piece of self-replicating malware that infects their Linux-based AirOS firmware (used on their routers, access points and other kit).

The malware exploits a vulnerability that allows hackers to gain access to the kit over the web and without authenticating. Funnily enough the hole was plugged almost a year ago (here), but apparently not everybody was made aware (example) and some network operators have since been caught napping.

Ubiquiti Networks Update

There have been several reports of infected airOS M devices over the last week. From the samples we have seen, there are 2 different payloads that use the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year.

This is an HTTP/HTTPS exploit that doesn’t require authentication. Simply having a radio on outdated firmware and having it’s http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.

Luckily the worm in question doesn’t seem to do much except for screwing with the devices configuration a little and then self-replicating across the network, but it could so easily have been much worse. So if you’re an ISP and using any of the Ubiquiti based kit then now might be a good time to check that you’re running the most secure firmware.