Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can this happen here? Ubiquiti routers fixed by DOJ?

    General pfSense Questions
    8
    10
    664
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      DominikHoffmann
      last edited by

      Ars Technica article from today (02/16/2024) DOJ quietly removed Russian malware from routers in US homes and businesses.

      How likely is it that there is a botnet army out there running on pfSense hardware?

      ahking19A S 2 Replies Last reply Reply Quote 0
      • ahking19A
        ahking19 @DominikHoffmann
        last edited by

        @DominikHoffmann according to the article the devices were using the default admin password. With that open door anything is possible.

        "it affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password"

        T 1 Reply Last reply Reply Quote 1
        • T
          tedquade @ahking19
          last edited by

          @ahking19 In that vein, I just noted that Netgate /pfSense will force admin password change from default on 34.03 when it is released. In my view, this is in keeping with a larger international effort called "Secure by Design".

          Ted

          T 1 Reply Last reply Reply Quote 1
          • T
            tgl @tedquade
            last edited by

            The two things that were required to make this a problem were

            • users failing to change the default password (and software that failed to make them do so);
            • management functionality accessible from the WAN by default

            Ubiquiti has some excuse for the latter, in that remote management is something they push pretty hard; but I sure hope pfSense doesn't do that.

            KOMK 1 Reply Last reply Reply Quote 0
            • KOMK
              KOM @tgl
              last edited by

              @tgl I would argue that having remote WAN access enabled by default combined with a generic default password is completely incompetent and literally begging to be exploited.

              NollipfSenseN 1 Reply Last reply Reply Quote 3
              • NollipfSenseN
                NollipfSense @KOM
                last edited by

                @KOM The other troubling part is how DOJ supposedly, "quietly fixed it for U.S homes and businesses."

                pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                1 Reply Last reply Reply Quote 0
                • S
                  SteveITS Rebel Alliance @DominikHoffmann
                  last edited by

                  @DominikHoffmann second time this month I think unless it’s a story about the last one. Generally the router has to be accessible as mentioned either from WAN unless they get control of a PC on LAN.

                  On the one I’m thinking of it sounded like they essentially used a hosts file entry to disable it, blocked the exploit, and will have ISPs notify users.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    Usually they take down the C&C infrastructure so that exploited devices no longer receive any instructions.

                    S 1 Reply Last reply Reply Quote 1
                    • S
                      SteveITS Rebel Alliance @stephenw10
                      last edited by

                      @stephenw10 this is the timing but I couldn’t find the article I read, which had more detail.
                      https://www.malwarebytes.com/blog/news/2024/02/fbi-removes-malware-from-hundreds-of-routers-across-the-us

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                      T 1 Reply Last reply Reply Quote 1
                      • T
                        tedquade @SteveITS
                        last edited by

                        @SteveITS Thanks for the link. I saw similar references in the ICS CERT RSS feed. Interesting world we have.

                        Ted

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.