Ubiquiti AirOS wi-fi devices under worm attack

Self-propagating malware infects thousands of devices.

Devices from wireless equipment vendor Ubiquiti Networks running old firmware are being actively attacked by a self-propagating malware, with multiple infections reported from the United States, Brazil and Spain over the weekend.

A Ubiquiti support staffer confirmed the company's devices were currently under attack.

"There have been several reports of infected AirOS M devices over the last week. From the samples we have seen, there are 2-3 different variations," they said.

"We have confirmed at least two of these variations are using a known exploit that was reported and fixed last year."

The fix stopped unauthorised users from gaining access to devices via both the clear-text hyper text transfer protocol (HTTP) and the secured HTTPS variant. 

A Ubiquiti dealer who didn't wish to be named told iTnews the current worm was dangerous for those who got hit by it.

"Unlike past malware that tried to install network proxies and set up domain name system redirection, the current worm tries to install itself across as many radios as it can, and shut them down," the dealer said.

In the Ubiquiti user forums, wireless internet service providers reported that vulnerable systems got infected easily.

"Simply having a radio on out of date firmware and having its http/https interface exposed to the internet is enough to get infected," a user wrote.

Worm attacks can be mitigated by firewalling off traffic and ensuring access points have no direct communication with each other, the dealer told iTnews.

The following Ubiquiti devices running old firmware should be upgraded as soon as feasible and HTTP and HTTPS management traffic cordoned off:

  • airMAX M
  • airMAX AC
  • ToughSwitch
  • airGateway
  • airFiber

AirOS firmware version 5.6.2 or older is vulnerable to the worm attack.
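
As an added illustration (not code from iTnews or Ubiquiti), the following script triages a device inventory against the 5.6.2 threshold and the HTTP/HTTPS exposure condition described above. The inventory columns, hosts and firmware strings are constructed sample data, and the triage labels are assumptions made for the example.

```python
import csv
import io
import re

# Threshold taken from the article: AirOS 5.6.2 or older is vulnerable.
LAST_VULNERABLE = (5, 6, 2)

# Constructed sample inventory (hypothetical hosts on documentation addresses).
SAMPLE_INVENTORY = """\
host,model,firmware,mgmt_http_exposed
192.0.2.10,airMAX M,5.5.10,yes
192.0.2.11,airMAX M,v5.6.2,no
192.0.2.12,airGateway,5.6.15,yes
192.0.2.13,ToughSwitch,5.6,yes
192.0.2.14,airFiber,unknown,yes
"""

def parse_version(text):
    """Return the first dotted version in text as a 3-tuple of ints, or None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    # A missing third component ("5.6") is treated as 0.
    return tuple(int(p) if p else 0 for p in m.groups())

def triage(row):
    """Classify one inventory row by firmware age and management exposure."""
    version = parse_version(row["firmware"])
    exposed = row["mgmt_http_exposed"].strip().lower() == "yes"
    if version is None:
        return "verify-manually"  # never assume an unparsed device is safe
    # Tuple comparison is numeric, so 5.6.15 sorts after 5.6.2;
    # a plain string comparison would get this wrong.
    if version > LAST_VULNERABLE:
        return "ok"
    return "isolate-and-upgrade" if exposed else "upgrade"

def audit(csv_text):
    """Map host -> triage result for every row in the inventory."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, action in audit(SAMPLE_INVENTORY).items():
        print(f"{host:15} {action}")
```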

The malware scans subnets and distributes itself to other Ubiquiti systems it can identify. Ubiquiti administrators are reporting mass infections from the worm.

It is possible to remove the worm manually with a script or by installing Red Hat's Ansible automation tool.

Copyright © iTnews.com.au. All rights reserved.