Ubiquiti Malware

There was a post on the UBNT forums where a user wanted Ubiquiti to pay for all their time to fix this issue on their endpoints because this wasn't in any of the release notes. Some other user went off on them and stated that this vulnerability is about a year old and it's not Ubiquiti's fault that you aren't keeping your endpoints patched with security updates. I got a kick out of that. That's like running Windows XP and blaming MS for getting infected. Also, the release notes did note that this issue was, in fact, a problem long before now. I'll see if I can find the thread.

https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
 
LOL!!! Thanks. If it's a year or more old I'd bet they've been hearing from some lawyers then. In the case of updates for devices like this I'm always on top of them. Unlike OS updates, where there are surprises everywhere, updating these things is very solid. Hope you find the thread, sounds like it will be a good read.
 
I don't really know the Ubiquiti product lines, but are any of these products designed to be exposed to the world (e.g. routers or other edge devices) or are they mostly supposed to be internal equipment?
 
If it's a year or more old I'd bet they've been hearing from some lawyers then.

It's not so much that the vulnerability is a year old as that it was patched in a security update released in July, 2015 after it was reported privately to them via their bug bounty program. They even backported the fix to an earlier version of the firmware (5.5.11 vs 5.6.2) because some people weren't ready to jump from 5.5 to 5.6.
 
Here's another good post from that thread:

TCC wrote:
After having spent a half $1 million over the last many years with Ubiquiti and what do I get when I need some assistance? Some joker on the chat line that says sorry we can't help you please refer to this link! WTF Ubiquiti you should be ashamed of yourselves for putting us in this position. I'll be sending you a bill. It will be for thousands of dollars spent resolving this ridiculous event.
  1. No one cares how much you spent with Ubiquiti. Someone else spent more.
  2. It's not like you weren't made aware of the potential problem plenty in advance.
  3. Clean up after your network management mistakes and learn for next time.
 

It's not so much that the vulnerability is a year old as that it was patched in a security update released in July, 2015 after it was reported privately to them via their bug bounty program. They even backported the fix to an earlier version of the firmware (5.5.11 vs 5.6.2) because some people weren't ready to jump from 5.5 to 5.6.
Yeah, I meant to say this was fixed about a year ago and just because you didn't apply the security updates does not make this Ubiquiti's fault. You know the "lack of planning on your part doesn't make an emergency on mine" type of deal.
 
Who is deploying these with their http/https interfaces exposed to the internet? You probably deserve to be infected. In my dealings with Ubiquiti "installers" over the years, I can guarantee not a one of them would know what NAT was if it slapped them in the face. Simply, while this is alarming from a technical standpoint, I find it hard to believe many of these devices are left exposed.
 
Yeah I saw that notification from Ubiquiti, read the details...and chuckled. As stated several times above.."Who puts their wireless APs on public IPs exposed to the internet? Or forwards 443 to them?"

It's sad that the lawyers forced them to release that notice, when it's standard network best practice to keep public facing devices updated to help mitigate exploits.
Just like with EVERY OTHER BRAND of network equipment.
 
I know they would not be the same people who would stick a fresh, hot paper/styrofoam cup of coffee between their legs while driving around in their car.....
 
That does remind me of cruel jokes done at LAN parties.....going back to the Win9X days...it was common for some peeps to do a full share of their entire C drive. And unfortunately that bad practice continued in the Win2K and XP days.

oh boy...bad stuff happened.... ;7
 