You may have seen some headlines over the past three weeks regarding Ubiquiti routers. Talk of “botnets” and the Department of Justice dismantling Russian malware is pretty splashy. Reading only the headlines, however, won’t give you a sense of the scale of the threat, the risks you might face if you have a Ubiquiti router, or how to prevent this particular threat in the first place. Today, we’ll dig deeper than the headlines to see how you might be affected, how the infiltration took place, and some steps to guard against this threat.
From top to bottom—the (geo)politicization of hacking
When the headlines tout a Ubiquiti botnet, it isn’t made clear that only one kind of Ubiquiti router is involved: EdgeRouters. These devices are less common than other types of routers and are typically used to segment a network and restrict traffic. Because they are more specialized devices that run a different operating system than most Ubiquiti routers, and because they are limited in number, the impact of this exploit is smaller than if it were a flaw in all Ubiquiti routers. The impact from a geopolitical and law enforcement standpoint, however, was deemed large enough for government intervention.
Over the past fifteen years, hacking has become increasingly tied up with state actors and geopolitics. From Stuxnet—a worm designed to disable Iranian nuclear facilities in 2010—to the 2016 hack of the DNC, nation-states have used plenty of tactics to gain information, disrupt and discourage behaviors, and conduct something like cyberwarfare between adversaries.
It’s for this reason that Microsoft has started assigning code names to state-sponsored attack groups. Any group with a name that ends in “Blizzard,” for instance, is identified as a Russian, state-sponsored attack group. The recent announcement of an attack that compromised around 1000 Ubiquiti routers and turned them into a “botnet” has been tied to Forest Blizzard, which you might know better as Fancy Bear.
Modern hacking and the separation of duties
An interesting note here is that Forest Blizzard didn’t actually create this botnet (a botnet being many computers and devices that are infected and remotely controlled by the bad guys). Instead, they simply utilized a publicly known flaw that had already been exploited by a malware called “Moobot.” Once Moobot had infected the routers, Forest Blizzard was able to send its own payloads to the affected routers, which the DOJ says it used to cover its tracks while breaking many laws.
This kind of piggybacking is another symptom of the professionalization of hacking in recent years. In other recent attacks, dark-web watchers have seen new markets pop up for specific, service-based hacking. What this means is that there are specialists for each part of the attack chain: the exploitation, the implementation, the infrastructure for the attack, etc. All of these things can be bought as services—so the experts say—on the black market. By creating a structure where experts contract out their nefarious skills, they strive to achieve the same kind of market efficiencies that corporations do.
From this point of view, Moobot was kind of like a loss leader in the exploit market. It paved the way for another group to take over the infrastructure it had compromised, just with more refinement and direction.
Patched by Uncle Sam
In this case, the DOJ decided to disable the botnet themselves after collecting the payloads that were on these routers via telemetry. By analyzing the payloads, they were able to collect and study the current methods for attacks and data theft being used by the group. The DOJ seems to have created and deployed firewall rules to the affected devices, making it impossible for them to communicate with Forest Blizzard’s attack servers and infrastructure. They’ve also published a few steps to take when resetting these devices, which include installing the newest firmware from the manufacturer (a more typical source for security patches than the executive branch).
What can be done to stop this?
The Moobot exploit was, ultimately, one of the oldest ones in the book: default passwords for the administrator account. The devices ship with a default administrator account; if its password isn’t changed, it’s the same as on every other device. All of the intrigue and conflict of a spy thriller comes down to a very simple oversight made by administrators. It wasn’t some ingenious hack.
Anyone who had set up their device with their own username and password would simply not have been at risk. Out of the box, a network device’s administrator username and password are the same on every single unit, and most network infrastructure isn’t capable of using MFA. Installing network and computer hardware on your home network means coming up with fresh usernames and passwords so you never keep the default, which is usually printed in the user manual and only one Google search away for everyone.
Taking this step is a simple way to ensure that your device can only be modified by you, but it’s only as good as your password management skills. Any device that has a printed administrator login should have its username and password changed—whether it’s printed on the device or in a manual. Even if the administrator password is only printed on the router itself, you probably don’t want your kids to be able to change the router’s settings (especially if you use parental settings to enforce when their devices can be online).
Network devices do need to be factory reset from time to time (for instance, if a settings change goes wrong), so it’s a good habit to store the credentials in a password vault. Since most routers use webpages to change admin settings, you can use a password manager like Bitwarden or 1Password to store a complex, hard-to-guess password to make sure you really are the administrator.
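As an added example (not from the original post or from Ubiquiti), here is what the default-credential fix above looks like on an EdgeRouter’s EdgeOS command line: create your own administrator account, log back in with it, and only then remove the factory account. It assumes the factory account is named ubnt, which is Ubiquiti’s documented default for EdgeOS; the account name netadmin and the password placeholder are made-up values.

```text
# Step 1: while logged in as the factory account, add your own administrator.
# Paste the password from your vault; after 'commit' EdgeOS stores it hashed
# in the configuration, but the plaintext-password line still lands in the
# CLI history, so clear that history afterwards.
configure
set system login user netadmin level admin
set system login user netadmin authentication plaintext-password 'PASTE-FROM-PASSWORD-VAULT'
commit
save
exit

# Step 2: log out, log back in as netadmin, and only then delete the factory
# account (EdgeOS refuses to remove the account you are currently using).
configure
delete system login user ubnt
commit
save
exit

# Step 3: verify that no account other than your own remains.
show configuration commands | match 'system login user'
```

The Step 3 output should list only netadmin; if ubnt still appears, the delete was not committed and the device is still reachable with the factory credentials.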
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team