Cyber Incident Victim: Ubiquiti Networks
Date: May 2016
Location: United States of America
Summary
A firmware worm exploited a known vulnerability in network devices, targeting outdated firmware versions to gain unauthorized administrative control without authentication. The malware spread by resetting infected devices to factory defaults, altering credentials to offensive variations, and attempting propagation to other machines, causing operational disruptions through forced reconfiguration. The company provided a removal tool and urged customers to update to patched firmware versions to mitigate further compromise, noting that while the worm's primary impact was service interruption rather than data theft, its spread posed risks to clients in sectors like military and education due to potential network destabilization.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 5 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In May 2016, Ubiquiti Networks disclosed an active campaign exploiting a known firmware vulnerability in its airOS M devices, following multiple infection reports from users. The attacks leveraged two distinct worms targeting a security flaw patched in 2015—an unauthenticated HTTP/HTTPS exploit that allowed complete device takeover when web interfaces remained exposed on outdated firmware. Attackers used this vulnerability to gain root and administrative control over affected hardware. Ubiquiti confirmed infected devices exhibited compromised settings, port blocking, and attempts to propagate malware to other systems. The company traced infections to devices running firmware versions predating secure releases such as airOS 5.6.5, airMAX M 5.5.11, and other specified builds. While the vulnerability had been addressed a year prior, unpatched systems remained susceptible due to delayed updates.

The incident impacted military, university, and hospitality sector clients, with potential consequences including network disruption, data theft, and espionage. One worm variant caused operational chaos by reverting devices to factory defaults—forcing administrators to manually reconfigure each unit—and altering credentials to offensive usernames and passwords. A second variant demonstrated more aggressive propagation but lacked overt financial or data exfiltration motives. Ubiquiti responded by releasing a Java-based removal tool for compromised devices and reiterating patching instructions for vulnerable firmware versions. The company temporarily advised users with legitimate rc.scripts to remain on airOS 5.6.4 until compatibility issues were resolved in subsequent updates. Security lead Matt Hardy characterized the worms as disruptive but noted their limited objectives compared to financially motivated malware.
