[nsp-sec] UBNT airOS worm in the wild
Krista Hickey
Krista.Hickey at cogeco.com
Mon May 16 13:07:31 EDT 2016
Apologies if this is outlined somewhere, but I've been away and haven't had time to fully get up to speed, and I would like to quickly confirm/deny a theory.
Is there an easy way to somewhat fingerprint these devices? I ask because we've been battling (battled at this point, I believe) a spam run whereby compromised customer credentials are being used to relay through our SMTPS platform. During the investigation we noted an atypically high volume of South American hosts (specifically Brazil), and from what (little) I currently understand, South America is possibly noted as suffering this issue, so, if possible, I'd like to see if there's any commonality between the hosts I saw participating in the spam botnet and this vulnerability. Alternately, if I'm way off base, I'd like a hint that I'm wasting my time.
Thanks
Krista
-----Original Message-----
From: nsp-security [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Damian Menscher
Sent: Sunday, May 15, 2016 2:20 PM
To: nsp-security NSP <nsp-security at puck.nether.net>
Subject: [nsp-sec] UBNT airOS worm in the wild
----------- nsp-security Confidential --------
Starting Friday, a worm began spreading that affects UBNT airOS devices:
http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
This has likely already run its course (it spread fairly quickly in the first hours, and appears to have reached saturation by Saturday) but I wanted to spread the word in case ISPs are unaware. It appears this worm is also responsible for an increase in NXDOMAIN queries hitting recursive resolvers (which may be your best indicator of infection).
Damian
--
Damian Menscher :: Security Reliability Engineer :: Google :: AS15169
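Damian points at the rise in NXDOMAIN answers on recursive resolvers as the most practical infection indicator, and Krista asks how to pick out candidate hosts. The following script is an added example (not part of either message and not a Ubiquiti or Google tool) that turns that indicator into a per-client check: it parses resolver query-log lines, counts how many of each client's answers were NXDOMAIN, and flags clients whose share is atypically high. The log line format, the sample client addresses and names, and the thresholds are all constructed for this example; a real resolver logs differently, so parse_line() is the part to adapt. A flagged address is a host worth looking at, not a device fingerprint.

```python
import re
from collections import defaultdict

# Constructed resolver query-log format for this example; real resolvers
# (BIND, Unbound, dnsdist, ...) each log differently, so adapt parse_line().
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>\S+) query (?P<qname>\S+) rcode (?P<rcode>[A-Z]+)$"
)


def parse_line(line):
    """Return (client_ip, qname, rcode) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("qname"), m.group("rcode")


def summarize(lines):
    """Per-client counts of total answers and NXDOMAIN answers."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "nx_names": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or unrelated lines
        ip, qname, rcode = parsed
        s = stats[ip]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["nx_names"].add(qname)
    return dict(stats)


def flag_hosts(stats, min_queries=20, min_ratio=0.8):
    """Return [(ip, total, nxdomain, ratio)] for clients with an atypically high NXDOMAIN share.

    min_queries keeps a single typo from flagging a host; min_ratio is the share of a
    client's answers that were NXDOMAIN. Both are example values: tune them against
    your own resolver's baseline before acting on the output.
    """
    flagged = []
    for ip, s in stats.items():
        if s["total"] < min_queries:
            continue
        ratio = s["nxdomain"] / s["total"]
        if ratio >= min_ratio:
            flagged.append((ip, s["total"], s["nxdomain"], ratio))
    return sorted(flagged, key=lambda t: t[3], reverse=True)


def build_sample_log():
    """Constructed sample: one ordinary client and one client that mostly gets NXDOMAIN."""
    lines = []
    # Ordinary client (documentation address): nine real lookups and one typo.
    for i in range(9):
        lines.append(
            f"2016-05-14T10:00:{i:02d}Z client 192.0.2.10 query www{i}.example.com. rcode NOERROR"
        )
    lines.append("2016-05-14T10:00:09Z client 192.0.2.10 query wwww.example.com. rcode NXDOMAIN")
    # Suspect client (documentation address): two real lookups, then thirty names that do not exist.
    lines.append("2016-05-14T10:01:00Z client 198.51.100.7 query ntp.example.net. rcode NOERROR")
    lines.append("2016-05-14T10:01:01Z client 198.51.100.7 query update.example.net. rcode NOERROR")
    for i in range(30):
        lines.append(
            f"2016-05-14T10:01:{i + 2:02d}Z client 198.51.100.7 query host{i}.nonexistent.example. rcode NXDOMAIN"
        )
    lines.append("this line is not a query record and is skipped")
    return lines


if __name__ == "__main__":
    for ip, total, nx, ratio in flag_hosts(summarize(build_sample_log())):
        print(f"{ip}: {nx}/{total} answers were NXDOMAIN ({ratio:.0%})")
```

Run against a real query log, replace build_sample_log() with the file's lines and set the thresholds from a quiet period's baseline; the nx_names set kept per client is there so an analyst can eyeball what the flagged host was asking for before contacting the customer.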