[nsp-sec] UBNT airOS worm in the wild
Krista Hickey
Krista.Hickey at cogeco.com
Mon May 16 15:23:03 EDT 2016
Started roughly April 27th; at the very least that's when it became painful for us connection-wise. Note we filtered the spam, so none of it really succeeded in making it to the internet. I can get more specific timelines if worth it. And note we're well used to seeing spam botnets, and while we're still finalizing our post-mortem I can definitely say this was atypical volume for what we normally see (and I've been looking at this traffic of ours for over a decade).
I still have a lot of logs of the (likely compromised) hosts that were participating, so I can run those IPs through some type of fingerprint/footprint validation for this device type if there is one. I'm also open to sharing these IPs and the timestamps seen if anyone is interested.
Krista
From: Damian Menscher [mailto:damian at google.com]
Sent: Monday, May 16, 2016 3:15 PM
To: Krista Hickey <Krista.Hickey at cogeco.com>
Cc: nsp-security NSP <nsp-security at puck.nether.net>
Subject: Re: [nsp-sec] UBNT airOS worm in the wild
On Mon, May 16, 2016 at 10:07 AM, Krista Hickey <Krista.Hickey at cogeco.com> wrote:
Is there an easy way to somewhat fingerprint these devices? I ask as we've been battling (battled at this point, I believe) a spam run whereby compromised customer credentials are being used to relay through our smtps platform. During the investigation we noted an atypically high volume of South American hosts (specifically Brazil), and from what (little) I currently understand, South America is possibly noted as suffering this issue, so, if possible, I'd like to see if there's any commonality between the hosts I saw participating in the spam botnet and this vulnerability. Alternately, if I'm way off base, I'd like a hint that I'm wasting my time.
When did your spam run start? The worm started spreading Friday 2am Pacific, so if you saw spam before then it's unlikely to be related (though I suppose they might have been infected by something else before).
Obviously now that there's published source for this worm it could easily be taken over by other actors....
Damian
--
This email is from Krista.Hickey at cogeco.com . To ensure the delivery of future emails, please add the current email address to your address book or safe senders list.
If you no longer wish to receive promotional emails from Cogeco, please forward this message to unsubscribe at cogeco.com. Thank you!
Privacy Policy and Anti-spam Commitment <http://www.cogeco.ca/cable/corporate/cgo/privacy.html> - Contact us <http://www.cogeco.ca/web/on/en/residential/support/contact_phone.php>
Cogeco Cable Canada, 5 Place Ville-Marie, Suite 1700, Montreal, Quebec, H3B 0B3