• mox
      link
      fedilink
      English
      4
      edit-2
      11 months ago

      I answered this in my top-level comment. (And agreed: the article originally posted is useless. OP has since changed the link to the one I found.)

    • @ghostdoggtv
      link
      English
      311 months ago

      Check for a DOJ press release it’ll probably have more details.

  • mox
    link
    fedilink
    English
    10
    edit-2
    11 months ago

    This article gives no details, but here’s a relevant bit from another article:

    Cybercriminals not linked with the GRU (Russian Military Intelligence) first infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords.

    Subsequently, the GRU hackers leveraged the Moobot malware to deploy their own custom malicious tools, effectively repurposing the botnet into a cyber espionage tool with global reach.

    […]

    “Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation,” the Justice Department said.

    And here is the press release:

    https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian

    • rustydomino
      link
      English
      611 months ago

      Based on this article it sounds like as long as you don’t have open ports for remote administration open and/or if you’ve changed the default admin password you SHOULD be ok? I’m curious to see what recommendations Ubiquiti has regarding this.

      • mox
        link
        fedilink
        English
        5
        edit-2
        11 months ago

        That’s what the released information information suggests, yes. (Edit: Assuming you took those precautions before the original attack, of course.)

    • @WilshireOP
      link
      English
      211 months ago

      Thank you. I’ve updated the post to your link.

    • @AlpacaChariot
      link
      English
      111 months ago

      Makes me glad I replaced the firmware on my Unifi devices with OpenWrt

      • mox
        link
        fedilink
        English
        1
        edit-2
        11 months ago

        OpenWrt has an admin password and UI as well. I hope you changed the former and blocked the latter on external ports, before connecting it to the internet.

        • @agent_flounder
          link
          English
          211 months ago

          Indeed. Pretty sure the latter is blocked by default.

        • @AlpacaChariot
          link
          English
          211 months ago

          Yes of course I changed the root password, I think it would actually be quite difficult not to do that on OpenWrt as it warns you if the password isn’t set.

          Was the exploit not related to unifi’s remote / cloud administration features? That’s how I read it, unless they mean remote admin that was installed by the malware.

          • mox
            link
            fedilink
            English
            211 months ago

            The articles refer to EdgeOS, not UniFi, which is a separate thing.

          • @[email protected]
            link
            fedilink
            English
            211 months ago

            UniFi and Edge are different product lines. UniFi uses a controller (local or cloud-based) and edge products are the more traditional interface on the device itself.

            The article clearly states that edgerouter is the affected product, which means the default password and remote admin interface were the attack vectors.

            • @AlpacaChariot
              link
              English
              211 months ago

              Thanks, I find the names of Ubiquiti’s product lines pretty confusing particularly as they are often used together.

              I have an Edgerouter X, an Edgerouter PoE-5, two UAP-AC-LR (“Ubiquiti UniFi-AC-LR”) access points, and one UAP-AC-MESH (“Ubiquiti UniFi-AC-MESH”) access point.

              The access points came with UniFi firmware, whereas the routers were running EdgeOS. I’m no longer using the PoE-5 and I’ve replaced the firmware on all of the other devices with OpenWrt.