Of course they will
Of course they will. The only things all Russia's various orcs can do are enviously destroy nice things and pump petrochemicals for the greater glory of Pooty Poot, so they will keep doing those.
Authorities from eleven nations have delivered a sequel to the January takedown of a botnet run by Russia on compromised Ubiquiti Edge OS routers – in the form of a warning that Russia may try again, so owners of the devices should take precautions. Revealed in February, the takedown was led by US authorities and at the time …
... For smaller SMBs; they had very efficient and cost-effective hardware, and a development team who was always on the ball.
But no more - they've jumped aboard the "profit is king" train, lost their most devout and knowledgeable technical staff, and are providing at best 2-3 firmware iterations for each product, expecting customers to simply replace their hardware every couple of years.
When a product which just went EOL last year hasn't received a firmware update in almost seven years, you get a rather foul taste in your mouth that makes you look elsewhere for better-supported solutions - and unlike a decade ago, Ubiquiti is far from the only player in that segment these days.
A friend of mine replaced 15 Ubiquiti edge switches with Arubas over the half term holiday.
The Arubas are over 4 times the price, but are much easier to manage and are less likely to reboot themselves overnight after downloading and installing a firmware update on their own.
Firmware updates aren't an indication that a product is good -- they're an indication that the vendor recognised it was faulty. There are thus two alternative reasons for a lack of updates, the obvious one being negligence. The other might just be that it didn't need any though -- it's worth considering (though, admittedly, possibly rare). We ran a Netgear firewall router for the best part of a decade that only got three updates in its lifetime, only one of which was directly security related. It was rock solid until it was blown up by an indirect lightning strike.
Spending several hours (and eventually giving up) on trying to shoehorn the current version of OpenSSL into a router because VPNs (to anything but another Ubiquiti router of the same vintage) ceased functioning isn't my idea of a product which doesn't need a firmware update. Bugs and features aren't the only reasons to provide updates.
So they can be sold to telcos to remotely manage them.
When PlusNet decided to remote manage mine to the point where I was unable to get in to make changes to my DHCP allocations it was time to pull it and install my own. Do I want to join the manufacturer's remote management scheme? No I do not. Turn off remote management.
When my dad's TalkTalk connection was down, their operative logged into my router while I was on a call to them and they managed to change my password to a new random one, so they couldn't tell me what my new password was.
When I enquired about how I would log into my router in future they had no answer, so I asked if they could send me a new one with an intact password sticker they said it would cost me £50 for a new router as my current one wasn't faulty.
TalkTalk lost a customer that day.
You are discounting the real damage that the stupidity caused by FB is causing to society. I know people are free to be stupid and believe in crap they see on FB and G, but it's a cruel example of extorting those that are too stupid to think otherwise. There are also many examples of FB for example allowing stupid medical recommendations that have killed thousands. There are also examples where FB has allowed groups to organise and attack and kill hundreds and thousands of gays, or others of another race.
FB and G are not a common good for humanity, stop pretending it's OK, because idiots give it to them for free. It's shameful that idiots can be abused this way, that's why we have governments to protect children because they don't understand or grasp that there are evil people who can hurt them.
FB and G support the concept of worshipping corporations and corporate management along with the rest of the American media.
This has the effect that the masses are slowly but surely being paid less and having to work longer and longer hours. There are a lot of poor people in America working jobs earning less than $5 an hour, because Corporate America has destroyed the concept of human rights and a fair wage.
Perform a hardware factory reset;
Upgrade to the latest firmware version;
Change any default usernames and passwords;
Implement strategic firewall rules on WAN-side interfaces.
"... just saying they couldn't be bothered."
I think it's worse than that.
Most of them will have no idea whatever how to do all that, and nobody to help them.
You know that you can save and reload your router setup? At least, I can do this with mine and that setup is in plain text so it's easy to scan and check for weirdness.
There's no reason for a home router to require remote anything. In addition, the ISP should be monitoring their end to keep a lookout for attempts to compromise the network's equipment.
But I suppose it's easier, and more profitable, to go on about Russia, the Kremlin, Putin, China and so on. Even as law enforcement discovers a major botnet being run from Coventry.
Yeah, the "strategic rule" is very simple: drop all. Don't turn on the external web interface, don't allow anything through that provides a port to the outside.
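The two comments above (scanning a plain-text config backup for weirdness, and a WAN policy that simply drops everything unsolicited) can be combined into a small audit of a saved configuration against the advisory's steps. This is an added example, not code from the article, any commenter, or Ubiquiti. It assumes the backup is a Vyatta/EdgeOS-style brace-structured text file; the configuration below is a constructed sample, and the `listen-address` option under `service gui` / `service ssh` and the use of `description WAN` to mark the WAN port are assumptions.

```python
"""Scan a saved router configuration for the weaknesses the advisory targets.

Added example; not the article's or any commenter's code, and not a Ubiquiti
tool. It assumes the backup is a Vyatta/EdgeOS-style brace-structured text
file; SAMPLE_CONFIG is a constructed sample, and the 'listen-address' option
under service gui/ssh is an assumption about the config schema.
"""

SAMPLE_CONFIG = """\
firewall {
    name WAN_IN {
        default-action drop
    }
    name WAN_LOCAL {
        default-action accept
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
            level admin
        }
    }
}
"""


def parse_config(text):
    """Turn 'header {' ... '}' blocks into nested dicts; 'key value' leaves map key->value.
    Block headers keep their full text ('name WAN_IN', 'user ubnt') as the dict key.
    Repeated keys at one level are not handled (the last one wins)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value if value else True
    return root


def audit(cfg):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    # Advisory step 3: the factory default account must be gone.
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("default user 'ubnt' still defined")
    # Advisory step 4: every WAN interface (tagged by description here) needs a
    # drop-by-default ruleset for forwarded ('in') and router-destined ('local') traffic.
    rulesets = cfg.get("firewall", {})
    for ifkey, iface in cfg.get("interfaces", {}).items():
        if not isinstance(iface, dict) or iface.get("description") != "WAN":
            continue
        bound = iface.get("firewall", {})
        for direction in ("in", "local"):
            name = bound.get(direction, {}).get("name")
            if name is None:
                findings.append(f"{ifkey}: no '{direction}' ruleset bound on WAN")
            elif rulesets.get(f"name {name}", {}).get("default-action") != "drop":
                findings.append(f"{ifkey}: ruleset {name} ({direction}) does not default to drop")
    # Management services should be pinned to a LAN address rather than listening everywhere.
    services = cfg.get("service", {})
    for svc in ("gui", "ssh"):
        if svc in services and "listen-address" not in services[svc]:
            findings.append(f"service {svc}: no listen-address restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

On the constructed sample this reports four findings: the default user, the `WAN_LOCAL` ruleset that accepts by default (so the router itself is reachable from the WAN side), and the GUI and SSH services with no listen-address restriction. `WAN_IN` already drops by default and is not flagged. Run it against a backup taken before and after applying the advisory's steps to confirm the changes actually landed in the saved config.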
Seriously, when is the last time that Bob and Doug McKenzie (or Beavis and Butthead) wrote any firewall rules? Plug it in, and the lights blink. Go surf. That's it. I had a landlord who subscribed to a cable ISP, and I had to walk him through the process of plugging things in. Like not plugging the telephone into the RJ45 jack. Yeah, just because they are both square doesn't mean they do the same thing. I even had to change his browser home page so he would "be connected to the Internet." (My favorite cringe quote: "Does it have to be on to work?")
We shouldn't expect that people will update their firmware. Honestly, the vast majority don't know what "firmware" is. "Turn it off and back on" is all that we can hope for.
Ubiquiti *did* release an update to address this type of user incompetence (i.e. running with default credentials) but unfortunately, and entirely predictably (as it's Ubiquiti), it too showed a spectacular level of incompetence, this time on behalf of the development team, which made the protection entirely useless.
Not only could the first boot "change password" dialog be dismissed with a press of the Escape button, never to be seen again allowing the default password to remain, but users could actually enter the DEFAULT password as the new password without any complaint.
Needless to say, the change should not have accepted the original default password, nor should it have been possible to dismiss and carry on. It should also not just have been a "first boot" password change, but retrospective.
Either this was incompetence from the development team (although any developer with half a brain cell would have realised the change they implemented was total nonsense), or the changes were specified by a lawyer who was only interested in doing the absolute minimum to cover the company's arse.
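The three failings the commenter lists (the prompt can be dismissed, the factory default is accepted as the new password, and the check only runs on first boot rather than against existing accounts) map onto concrete logic in a password-change gate. The following is an added example contrasting the described behaviour with a corrected one; it is not Ubiquiti's code, and the `ubnt`/`ubnt` default credential and the PBKDF2 storage scheme are assumptions made for illustration.

```python
"""Password-change gate for a device management UI: the flawed behaviour the
comment describes next to a corrected version. Added example, not vendor code.
The factory credential DEFAULT_USER/DEFAULT_PASSWORD and the hashing scheme
are assumptions, not taken from any device."""
import hashlib
import hmac
import os

DEFAULT_USER = "ubnt"       # assumed factory account name
DEFAULT_PASSWORD = "ubnt"   # assumed factory password
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.must_change = False  # set when the stored password is unacceptable

    def check(self, password):
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)


def flawed_first_boot_change(account, new_password, dismissed=False):
    """The behaviour the comment describes: the dialog can be dismissed, and any
    new password, including the factory default itself, is accepted unchecked."""
    if dismissed:
        return "skipped"          # never shown again; default credential survives
    account.salt, account.digest = hash_password(new_password)
    return "changed"


class PasswordPolicyError(ValueError):
    pass


def change_password(account, current_password, new_password):
    """Corrected change: requires the current password, rejects the factory
    default and plain reuse, and clears the must_change flag only on success."""
    if not account.check(current_password):
        raise PasswordPolicyError("current password incorrect")
    if new_password in (DEFAULT_PASSWORD, current_password):
        raise PasswordPolicyError("new password must differ from the factory default and the current one")
    if len(new_password) < 12:
        raise PasswordPolicyError("new password must be at least 12 characters")
    account.salt, account.digest = hash_password(new_password)
    account.must_change = False


def login(account, password):
    """'denied', 'change_required' (credentials valid but no session is issued
    until change_password succeeds) or 'session'. Checked on every login, so
    the requirement cannot be dismissed."""
    if not account.check(password):
        return "denied"
    if account.must_change:
        return "change_required"
    return "session"


def enforce_retrospectively(accounts):
    """Run at firmware upgrade: flag every account whose stored hash still
    verifies against the factory default, whenever it was created."""
    flagged = []
    for acct in accounts:
        if acct.check(DEFAULT_PASSWORD):
            acct.must_change = True
            flagged.append(acct.username)
    return flagged
```

Because the stored hash is salted, `enforce_retrospectively` does not need to know whether an account ever saw the first-boot prompt; it simply tests the factory password against each account, which is exactly the "retrospective" behaviour the commenter asks for. A login that returns `change_required` should route the user straight to `change_password` without issuing a session token.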
While not a realistic option for the masses... I do recommend anyone here to consider running OpenWrt. I have used it for about 20 years on many different devices and I find it works well. It is, of course, open source if you feel like getting involved.
I just checked the site and many Ubiquiti devices seem to be supported.
I like how the advisory does not provide a list of devices…
So step 0 is determining whether this advisory does or does not apply to your router…
I also presume there are devices in the channel which are also impacted by this, don’t just assume a new shiny device is secure out-of-the-box…