That home router botnet the Feds took down? Moscow's probably going to try again

Authorities from eleven nations have delivered a sequel to the January takedown of a botnet run by Russia on compromised Ubiquiti Edge OS routers – in the form of a warning that Russia may try again, so owners of the devices should take precautions. Revealed in February, the takedown was led by US authorities and at the time …

  1. sarusa Silver badge

    Of course they will

    Of course they will. The only things all Russia's various orcs can do are enviously destroy nice things and pump petrochemicals for the greater glory of Pooty Poot, so they will keep doing those.

    1. sarusa Silver badge

      Re: Of course they will

      Wow, five 50 ruble army. You should be honored, TheReg!

      1. sarusa Silver badge

        Re: Of course they will

        In case you're wondering what the hell my '50 ruble army' post out of nowhere is all about, the Pooty Poot arselicking post that was replying to is gone after too many downvotes.

  2. Yorick Hunt Silver badge

    Ubiquiti used to be my go-to source...

    ... For smaller SMBs; they had very efficient and cost-effective hardware, and a development team who was always on the ball.

    But no more - they've jumped aboard the "profit is king" train, lost their most devout and knowledgeable technical staff, and are providing at best 2-3 firmware iterations for each product, expecting customers to simply replace their hardware every couple of years.

    When a product which just went EOL last year hasn't received a firmware update in almost seven years, you get a rather foul taste in your mouth that makes you look elsewhere for better-supported solutions - and unlike a decade ago, Ubiquiti is far from the only player in that segment these days.

    1. Lazlo Woodbine

      Re: Ubiquiti used to be my go-to source...

      A friend of mine replaced 15 Ubiquiti edge switches with Arubas over the half term holiday.

      The Arubas are over 4 times the price, but are much easier to manage and are less likely to reboot themselves overnight after downloading and installing a firmware update on their own.

    2. Apprentice Human

      Re: Ubiquiti used to be my go-to source...

      For people who are new, or are now just looking at updating their hardware, what else is in the price range of Ubiquiti?

      1. K

        Re: Ubiquiti used to be my go-to source...

        TP Link have an eco-system similar to UBNT, often cheaper.. whether it's better, I can't say.. if you're paranoid of anything with the "Made In China" tag, then probably not.

  3. Mike 137 Silver badge

    " hasn't received a firmware update in almost seven years"

    Firmware updates aren't an indication that a product is good -- they're an indication that the vendor recognised it was faulty. There are thus two alternative reasons for a lack of updates, the obvious one being negligence. The other might just be that it didn't need any though -- it's worth considering (though, admittedly, possibly rare). We ran a Netgear firewall router for the best part of a decade that only got three updates in its lifetime, only one of which was directly security related. It was rock solid until it was blown up by an indirect lightning strike.

    1. ChoHag Silver badge

      Re: " hasn't received a firmware update in almost seven years"

      "So simple it obviously has no errors, or so complex it has no obvious errors".

      I know where my money's going.

    2. Yorick Hunt Silver badge

      Re: " hasn't received a firmware update in almost seven years"

      Spending several hours (and eventually giving up) on trying to shoehorn the current version of OpenSSL into a router because VPNs (to anything but another Ubiquiti router of the same vintage) ceased functioning isn't my idea of a product which doesn't need a firmware update. Bugs and features aren't the only reasons to provide updates.

  4. Joe W Silver badge

    Wtf?

    OK, home devices. Let's talk about these.

    Why on earth do they have ports exposed to the outside? Why should they? And even my pos telco-supplied router has a random-ish default password.

    1. Doctor Syntax Silver badge

      Re: Wtf?

      So they can be sold to telcos to remotely manage them.

      When PlusNet decided to remote manage mine to the point where I was unable to get in to make changes to my DHCP allocations it was time to pull it and install my own. Do I want to join the manufacturer's remote management scheme? No I do not. Turn off remote management.

      1. Lazlo Woodbine

        Re: Wtf?

        When my dad's TalkTalk connection was down, their operative logged into my router while I was on a call to them and they managed to change my password to a new random one, so they couldn't tell me what my new password was.

        When I enquired about how I would log into my router in future they had no answer, so I asked if they could send me a new one with an intact password sticker; they said it would cost me £50 for a new router as my current one wasn't faulty.

        TalkTalk lost a customer that day.

        1. GBE

          Ernestine would be proud

          TalkTalk lost a customer that day.

          Ernestine would be truly proud of such customer service.

          "We don't care. We don't have to. We're the phone company."

    2. SotarrTheWizard

      Re: Wtf?

      Because they can, and because a small minority of users demand it.

    3. K

      Re: Wtf?

      Cause some people like role-playing as SysAdmin.. There's several rather large subs on Reddit dedicated to it.

  5. CowHorseFrog Silver badge

    So what's the difference between the Chinese or Russians snooping and Facebook or Google?

    1. sabroni Silver badge

      So what's the difference between the Chinese or Russians snooping and Facebook or Google

      People choose to give their data to facebook and Google.

    2. Spazturtle Silver badge

      Facebook and Google won't send embassy staff to beat you up on the street or send agents to kill you.

      1. Tim99 Silver badge

        A word from Wednesday Addams: "Wait"...

      2. SotarrTheWizard

        Yet...

        (All rise for our Corporate Anthem . . . )

        https://www.youtube.com/watch?v=gej6SKHF7gw

      3. CowHorseFrog Silver badge

        You are discounting the real damage that the stupidity caused by FB is causing to society. I know people are free to be stupid and believe in crap they see on FB and G, but it's a cruel example of extorting those that are too stupid to think otherwise. There are also many examples of FB for example allowing stupid medical recommendations that have killed thousands. There are also examples where FB has allowed groups to organise and attack and kill hundreds and thousands of gays, or others of another race.

        FB and G are not a common good for humanity, stop pretending it's ok, because idiots give it to them for free. It's shameful that idiots can be abused this way, that's why we have governments to protect children because they don't understand or grasp that there are evil people who can hurt them.

      4. CowHorseFrog Silver badge

        FB and G support the concept of worshipping corporations and corporate management along with the rest of the American media.

        This has the effect that the masses are slowly but surely being paid less and having to work longer and longer hours. There are a lot of poor people in America working jobs earning less than $5 an hour, because Corporate America has destroyed the concept of human rights and a fair wage.

    3. Casca Silver badge

      If you don't know the difference then I feel a bit sorry for you...

  6. Doctor Syntax Silver badge

    It's a pity that when they ejected the malware en masse they didn't administer a few security patches as well.

  7. Pascal Monett Silver badge

    "Perform a hardware factory reset"

    And poof! say goodbye to your entire, lovingly-crafted network setup.

    I've got a hunch that there will be a fair number of people who won't want the hassle and will prefer to roll the dice.

    Not saying they're right, just saying they couldn't be bothered.

    1. sitta_europea Silver badge

      Re: "Perform a hardware factory reset"

      Perform a hardware factory reset;

      Upgrade to the latest firmware version;

      Change any default usernames and passwords;

      Implement strategic firewall rules on WAN-side interfaces.

      "... just saying they couldn't be bothered."

      I think it's worse than that.

      Most of them will have no idea whatever how to do all that, and nobody to help them.

    2. Dan 55 Silver badge

      Re: "Perform a hardware factory reset"

      Some routers supplied by telcos don't even let you export/import settings. It's a royal pain in the arse to manually set up everything yet again.

    3. Grogan Silver badge

      Re: "Perform a hardware factory reset"

      "And poof! say goodbye to your entire, lovingly-crafted network setup."

      That their grandson, who has recently emigrated to Timbuktu, set up for them :-)

    4. martinusher Silver badge

      Re: "Perform a hardware factory reset"

      You know that you can save and reload your router setup? At least, I can do this with mine and that setup is in plain text so it's easy to scan and check for weirdness.

      There's no reason for a home router to require remote anything. In addition, the ISP should be monitoring their end to keep a lookout for attempts to compromise the network's equipment.

      But I suppose it's easier, and more profitable, to go on about Russia, the Kremlin, Putin, China and so on. Even as law enforcement discovers a major botnet being run from Coventry.

  8. Anonymous Coward

    strategic firewall rules on WAN-side interfaces

    "...the FBI offers no help."

    So maybe the Reg could offer some suggestions?

    1. Brian Miller

      Re: strategic firewall rules on WAN-side interfaces

      Yeah, the "strategic rule" is very simple: drop all. Don't turn on the external web interface, don't allow anything through that provides a port to the outside.

      Seriously, when is the last time that Bob and Doug McKenzie (or Beavis and Butthead) wrote any firewall rules? Plug it in, and the lights blink. Go surf. That's it. I had a landlord who subscribed to a cable ISP, and I had to walk him through the process of plugging things in. Like not plugging the telephone into the RJ45 jack. Yeah, just because they are both square doesn't mean they do the same thing. I even had to change his browser home page so he would "be connected to the Internet." (My favorite cringe quote: "Does it have to be on to work?")

      We shouldn't expect that people will update their firmware. Honestly, the vast majority don't know what "firmware" is. "Turn it off and back on" is all that we can hope for.
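The checklist quoted in sitta_europea's post above (factory reset, firmware, default credentials, WAN-side firewall rules) and Brian Miller's "drop all" rule can be checked mechanically against a saved configuration export, as martinusher notes further down. The following is an added example, not code from The Register, Ubiquiti or any commenter: it audits a plain-text `set ...` command export for three of the four items. The two configs are constructed samples, the key names are modelled loosely on a Vyatta-style export and are assumptions rather than verified EdgeOS syntax, and the default credential pair is a placeholder.

```python
"""Audit a constructed 'set ...' style router config export for WAN exposure.

Added example. The config format, key names and the default credential pair
are assumptions made for illustration; adapt the matching to your device's
real export before relying on it.
"""

# Placeholder factory credential pair (constructed, not a real device default).
DEFAULT_CREDENTIALS = {("ubnt", "ubnt")}

# Constructed sample: the "before" state the advisory is worried about.
EXPOSED_CONFIG = """\
set firewall name WAN_IN default-action accept
set firewall name WAN_LOCAL default-action accept
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 destination port 443
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 description LAN
set service gui listen-address 0.0.0.0
set system login user ubnt authentication plaintext-password ubnt
"""

# Constructed sample: same device after applying "drop all" on the WAN side,
# binding the web GUI to the LAN address and replacing the default login.
HARDENED_CONFIG = """\
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 description LAN
set service gui listen-address 192.168.1.1
set system login user admin authentication plaintext-password correct-horse-battery-staple
"""


def parse_set_lines(text):
    """Return each 'set ...' line as a list of tokens, without the 'set'."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    default_action = {}   # ruleset name -> default-action
    iface_rulesets = {}   # interface -> {"in": name, "local": name}
    wan_ifaces = set()    # heuristic: interfaces whose description is WAN
    gui_listen = []
    for c in parse_set_lines(text):
        if c[:2] == ["firewall", "name"] and c[3:4] == ["default-action"]:
            default_action[c[2]] = c[4]
        elif c[0] == "interfaces" and c[3:4] == ["description"] and c[4].upper() == "WAN":
            wan_ifaces.add(c[2])
        elif c[0] == "interfaces" and c[3:4] == ["firewall"]:
            iface_rulesets.setdefault(c[2], {})[c[4]] = c[6]
        elif c[:3] == ["service", "gui", "listen-address"]:
            gui_listen.append(c[3])
        elif c[:3] == ["system", "login", "user"] and "plaintext-password" in c:
            if (c[3], c[-1]) in DEFAULT_CREDENTIALS:
                findings.append(f"default credentials still set for user '{c[3]}'")
    # Both the forwarded ("in") and router-destined ("local") WAN rulesets
    # must exist and must fall through to drop.
    for iface in sorted(wan_ifaces):
        for direction in ("in", "local"):
            name = iface_rulesets.get(iface, {}).get(direction)
            if name is None:
                findings.append(f"{iface}: no '{direction}' ruleset on WAN interface")
            elif default_action.get(name) != "drop":
                findings.append(f"{iface}: ruleset {name} default-action is "
                                f"'{default_action.get(name)}', expected 'drop'")
    # A GUI bound to every address is reachable from the WAN unless WAN_LOCAL
    # happens to block it; flag it regardless so remote management is explicit.
    if not gui_listen or any(a in ("0.0.0.0", "::") for a in gui_listen):
        findings.append("web GUI listens on all addresses (reachable from WAN)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["clean"])
```

The firmware-version item is deliberately left out: whether a given build is current is a question for the vendor's release notes, not something an offline config scan can answer.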

  9. Zola

    Affected internet-facing devices were running with default credentials

    Ubiquiti *did* release an update to address this type of user incompetence (i.e. running with default credentials) but unfortunately, and entirely predictably (as it's Ubiquiti), it too showed a spectacular level of incompetence this time on behalf of the development team, which made the protection entirely useless.

    Not only could the first boot "change password" dialog be dismissed with a press of the Escape button, never to be seen again allowing the default password to remain, but users could actually enter the DEFAULT password as the new password without any complaint.

    Needless to say, the change should not have accepted the original default password, nor should it have been possible to dismiss and carry on. It should also not just have been a "first boot" password change, but retrospective.

    Either this was incompetence from the development team (although any developer with half a brain cell would have realised the change they implemented was total nonsense), or the changes were specified by a lawyer who was only interested in doing the absolute minimum to cover the company's arse.

    1. Dan 55 Silver badge

      Re: Affected internet-facing devices were running with default credentials

      They figured that people who used the default password up until now would probably end up forgetting any new password and calling them for support which is something they don't want.
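Zola's post above lists three things a forced password change should do: refuse the factory default as the new value, refuse to be dismissed, and apply to accounts that are still on the default rather than only at first boot. The following is an added example of a credential gate that does all three; it is not Ubiquiti's code or anything from the firmware in question. The user store, the `ubnt` account name and the default password string are constructed placeholders.

```python
"""Added example: a login gate that enforces a real password change.

Assumptions: an in-memory user store; FACTORY_DEFAULTS is a constructed
placeholder and not a real device default; PBKDF2 is used only so the
example stores no plaintext.
"""
import hashlib
import hmac
import os

FACTORY_DEFAULTS = {"ubnt": "CHANGE-ME-default"}  # constructed placeholder
MIN_LENGTH = 12


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserStore:
    """Minimal store. New devices start with the factory account flagged
    must_change; an older store may hold the same default without the flag."""

    def __init__(self):
        self.users = {}
        for name, pw in FACTORY_DEFAULTS.items():
            self.set_password(name, pw, must_change=True)

    def set_password(self, name, pw, must_change=False):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash(pw, salt),
                            "must_change": must_change}

    def verify(self, name, pw):
        u = self.users.get(name)
        if u is None:
            return False
        return hmac.compare_digest(u["hash"], _hash(pw, u["salt"]))


def is_factory_default(name, pw):
    return FACTORY_DEFAULTS.get(name) == pw


def validate_new_password(name, current, new):
    """Return (ok, reason). Rejects the factory default and a no-op change."""
    if is_factory_default(name, new):
        return False, "new password equals the factory default"
    if new == current:
        return False, "new password equals the current password"
    if len(new) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


def login(store, name, pw, new_pw=None):
    """Return 'denied', 'change_required', 'rejected: <reason>' or 'session'.

    There is no way to obtain a session while a change is required: omitting
    new_pw just returns 'change_required' again, so the dialog cannot be
    dismissed with Escape and forgotten.
    """
    if not store.verify(name, pw):
        return "denied"
    u = store.users[name]
    # Retrospective check: an account still on the factory default is forced
    # to change even if it was created by a build that never set the flag.
    if u["must_change"] or is_factory_default(name, pw):
        if new_pw is None:
            return "change_required"
        ok, reason = validate_new_password(name, pw, new_pw)
        if not ok:
            return "rejected: " + reason
        store.set_password(name, new_pw, must_change=False)
    return "session"


if __name__ == "__main__":
    s = UserStore()
    print(login(s, "ubnt", "CHANGE-ME-default"))                      # change_required
    print(login(s, "ubnt", "CHANGE-ME-default", "CHANGE-ME-default"))  # rejected
    print(login(s, "ubnt", "CHANGE-ME-default", "a much better passphrase"))
```

The design point is that the "must change" state lives in the authentication path, not in a one-time UI dialog: whatever the front end does, no session exists until `validate_new_password` has accepted a replacement.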

  10. Graham Cobb Silver badge

    OpenWrt

    While not a realistic option for the masses... I do recommend anyone here to consider running OpenWrt. I have used it for about 20 years on many different devices and I find it works well. It is, of course, open source if you feel like getting involved.

    I just checked the site and many Ubiquiti devices seem to be supported.

  11. ecofeco Silver badge

    Non techies?

    Why the hell are non techies responsible? They didn't make the product. And the Mad Hatter complexity of everything these days means they will NEVER understand how to fix their own digital kits.

  12. Roland6 Silver badge

    “ Owners of relevant devices”

    I like how the advisory does not provide a list of devices…

    So step 0 is determining whether this advisory does or does not apply to your router…

    I also presume there are devices in the channel which are also impacted by this, don’t just assume a new shiny device is secure out-of-the-box…
