ISP equipment maker Ubiquiti Networks is fending off a stubborn worm targeting its networking equipment running outdated AirOS firmware. According to security experts, the worm is already being blamed for crippling networking gear in the Argentina, Brazil, Spain and the United States.
Ubiquiti confirmed the infection via a user forum, notifying customers that there are two to three different variants of the worm. The company said the worm is exploiting a known vulnerabilities in the AirOS firmware (5.6.2 or older) that was patched early last year. It is urging customers that haven’t already, to update their firmware.
“The problem is, nobody patched their systems,” said Nico Waisman, vice president of security company Immunity. Waisman has been tracking this worm from its first reported attack on Sunday. He said the worm is quickly wending its way to infect companies that rely on Ubiquiti’s networking platform that include ISPs, hotels, universities, and military customers.
“It’s infecting a lot of machines,” Waisman said. “There are a considerable amount of desperate people having to reconfigure dozens and dozens of devices.”
The worm is peculiar for a number of different reasons. For starters, impacted Ubiquiti hardware is not left unusable. Rather, in most cases the worm simply strips hardware of any preexisting configuration settings and reverts it to its factory default condition.
Targeted hardware includes airMAX M, airMAX AC, ToughSwitch, airGateway and airFiber.
The worm also has a profane name and removes the username and password on infected systems and replaces it with its own profane username.
According to Matt Hardy, head of security for Ubiquiti, the worm only impacts poorly configured networks that are using hardware that has not been updated. He said, Ubiquiti released the patch “quietly” in 2015 for a vulnerability that was found through the company’s bug bounty program.
Hardy told Threatpost that on Sunday when Ubiquiti learned attackers released a worm that took advantage of the old vulnerability it created a removal tool. Since Sunday, Hardy said, he is aware of only a handful of companies impacted by the worm.
“This is a vulnerability we were aware of and we fixed. Now, a year later, we are learning that it is being exploited for the first time,” Hardy said. “After learning of the worm’s existence, Ubiquiti has rushed a worm extraction tool for infected hardware.” Hardy claims the worm has had a minimal impact on Ubiquiti’s customer base.
“It’s a harmful worm, but it could be worse,” Waisman said. “It infects the device. It overrides the password file and then blocks ports on the device and tries to infect other machines. Then the worm just changes the settings back to default – requiring IT administrators to reconfigure every infected machine.” Then the worm just vanishes, he said.
