Ubiquiti Networks

2024: Hackers have installed malware on routers around the world and created a global cyber espionage platform

On February 15, 2024, it became known that German law enforcement agencies, together with American special services, liquidated a cyber espionage network operating on a global scale. The botnet combined private and corporate routers around the world.

According to Der Spiegel magazine, the cyber group Fancy Bear, also known as APT28, Sofacy, Pawn storm, Sednit and Strontium, is behind the organization of the spy network. It has been in effect since at least 2004. US intelligence agencies claim Fancy Bear is allegedly linked to Russian hackers. The group carries out attacks on state, information, military and other structures. In Germany, Fancy Bear became known to the general public in 2015 thanks to the organization of the attack on the Bundestag.

Unsplash

According to the FBI, during the spy campaign, Fancy Bear members attacked routers that used the default administrator passwords. Then malicious software was downloaded to such devices. It is alleged that the targets of espionage activities were governments, military, law enforcement agencies and corporations of the United States and other countries.

The Ministry of Justice of the SCA states that the Moobot malware was used to infect routers. The target was Ubiquiti network devices running Edge OS. During the operation, German and American law enforcement agencies blocked the possibility of remote interaction with infected routers. As a result, the Fancy Bear group lost control of the spy botnet.

The FBI's close partnership with the private sector was critical to identifying and addressing this threat, which affected our national security interests in the FBI States and abroad, the agency said.[1]

2017: Ubiquiti punished for neglecting to protect devices

SEC Consult has published information about serious vulnerabilities in more than forty developments of network equipment manufacturer Ubiquiti Networks. The vulnerability was discovered back in November last year as part of the HackerOne program.

The manufacturer was immediately informed of the identified error, but a lot of time passed before the release of patches began. To date, the errors have not been fixed in all Ubiquiti developments, however, SEC Consult considered it possible to disclose their information, since the vendor reacted too long and sluggishly to the requests of the researchers.^[2]

Ubiquiti Networks Office

SEC Consult experts have identified in the administrative interface of several Ubiquiti devices the possibility of injecting commands in the administrative interface. According to the description, it is enough for an attacker to lure a user to a specially prepared website or force him to somehow click on a malicious link; the entire attack can be carried out using a single GET request, and since no protection against cross-site spoofing of the request is implemented, it is extremely easy to carry out such an attack.

An attacker can also use port binding or reverse shell to connect to the device, and since the web service of the software shell works with root privileges, it is possible to change the password for accessing the device. Users with low privileges created in the web interface of the software shell can also perform an attack.

If the Ubiquiti device functions as a router or firewall, an attacker with one such attack can gain control over the entire local network. The source of the problem is an ancient script still used in the firmware of Ubiquiti devices - a pingtest_action.cgi written in PHP/FI 2.0.1 from 1997.

This video demonstrates the practical possibility of conducting an attack:^[3]

The vulnerability is present in the firmware of the following devices:

• TS-8-PRO - v1.3.3 (SW)
• (Rocket) M5 - v5.6.9/v6.0 (XM)
• (PicoStationM2HP) PICOM2HP - v5.6.9/v6.0 (XM)
• (NanoStationM5) NSM5 - v5.6.9/v6.0 (XM)

Based on the data available to SEC Consult, experts indicate that four dozen more devices from the same manufacturer are most likely susceptible to the identified vulnerability. The flaw was identified as part of the HackerOne vulnerability search program last November.

On November 22, Ubiquiti was notified of the discovered vulnerability. In response, the vendor said that this is a duplicate of an already known vulnerability, although later it turned out that this was not true. The vendor promised to fix the vulnerability "in the next stable release" of device firmware.

In January, SEC Consult researchers tried to find out the status of the fixes. Ubiquiti said that they already have a similar message about an existing error, and that the experimental exploit provided by SEC Consult "does not work."

They were explained how this exploit can and should work, in response, Ubiquiti again stated that, they say, they had previously received a message about a similar error and that the experimental exploit does not work and does not make any sense. " Only after Ubiquiti sent a video that showed in full detail how an attack could be carried out, did the vendor admit that the exploit was indeed working, and that the problem identified by SEC Consult was not a duplicate. Fixes were promised in the near future, but after that Ubiquiti stopped responding to requests from SEC Consult representatives, and there was no reaction to even a message about the planned publication of information about the vulnerability.

On March 16, publication took place. On March 21, Ubiquiti hastily released some of the fixes. Ubiquiti representatives on Reddit acknowledged there were problems with internal communications and processing information from HackerOne and promised to fix the situation as soon as possible.^[4]

Notes