Malware/Virus on Our Cambium system

I work at a small WISP. A mix of Cambium and Ubnt.
Our Cambium customers (Force 180s) have gotten hit with malware (5 billionth search).
After eliminating every other device, I found that a reset/reconfig of the radio would fix the problem. It seemed to work, for a couple of days. Now I’m starting to get calls about the problems coming back.
Any suggestions?


What are the exhibited symptoms of this malware infection on the radios? What firmware are you running on them?


We are using 4.6.2.

The firmware redirects websites to the "5 billionth search" scam. When I reset and reconfigure, it fixes the problem, but some have now been hit again.
It’s affecting a large percentage of our Cambiums.

I would make sure you have firewall rules in place to block input to the radio management from anything but your known good IP addresses.

Generally speaking I would never suggest having the radios be externally reachable but I understand this is a common practice.

Are your radios acting as NAT? Bridge? Do they serve DHCP?

I’ve posted cnMaestro template instructions and JSON script to disable all accounts BUT the admin account. You can find it here:


Why are there so many default accounts on some of the Cambium equipment? It just seems like bad security posture in general.

Luckily all our 180s have the installer, home and read-only accounts disabled.
We made specific templates to disable all these accounts when we rolled out the 180s for this exact scenario.


NOTICE
Cambium Networks acknowledges the persistence of the issue with unauthorized configuration changes. Primarily DNS settings are affected, but other settings can be affected too.

The issue can be observed with all firmware versions.

Presumably the attack is performed via default user passwords and SNMP communities.
Workaround: change all default passwords and SNMP communities.

We are grateful for all your feedback! Investigation is in progress.

I guess general network security isn't as well implemented as it's supposed to be.

Here is our basic network security in suggestion form (we actually do this):

Accounts that are not in use should be disabled after you change the password for it. This is important as physical attacks (customer or stolen devices) rely on these defaulted accounts for access.

Accounts that are used should have the password changed to something complicated and include caps, lowercase, numbers and special characters.

It is highly suggested that RADIUS is set up and used for employee access; this requires the radio to have network access to work. This allows login tracking and accountability, and your employees do not need to know the local password.

A management VLAN should be used; management data should not mix with customer data, and a VLAN will prevent this as long as you are not within the same IP space (don't reuse IP subnets in different VLANs). Use of RFC1918 or CGNAT addresses is encouraged. Your firewall should be configured to block all access from outside the management network, and VPNs should be used for remote access.

Network routers should have ACLs configured to keep management traffic separate from all other traffic, blocking traffic from and to IP space not on the management network.

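The NOTICE above describes unauthorized DNS changes reached through default passwords and SNMP communities, and the post above lists the hygiene that prevents it. The following is an added example, not Cambium's or any poster's code: a fleet audit over exported radio configs that flags enabled non-admin accounts, default SNMP communities and resolvers outside your own list. The record layout, field names, default community strings and resolver addresses are all constructed assumptions, not the real ePMP export schema.

```python
"""Audit exported radio configs for the weaknesses discussed in this thread:
non-admin accounts left enabled, default SNMP communities, tampered DNS.
Added example; records are constructed stand-ins, not the ePMP schema."""

# Accounts the thread recommends disabling (names as assumed in the export).
NON_ADMIN_ACCOUNTS = {"installer", "home", "readonly"}
# Placeholder default communities; substitute your firmware's real defaults.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
# Your own resolvers (constructed RFC1918 examples).
KNOWN_GOOD_DNS = {"10.0.0.53", "10.0.1.53"}


def audit_radio(cfg: dict) -> list[str]:
    """Return findings for one radio config; an empty list means clean."""
    findings = []
    for name, acct in cfg.get("accounts", {}).items():
        if name in NON_ADMIN_ACCOUNTS and acct.get("enabled"):
            findings.append(f"account '{name}' is enabled")
    snmp = cfg.get("snmp", {})
    for role in ("ro_community", "rw_community"):
        if snmp.get(role) in DEFAULT_SNMP_COMMUNITIES:
            findings.append(f"snmp {role} is a default community")
    bad_dns = [d for d in cfg.get("dns_servers", []) if d not in KNOWN_GOOD_DNS]
    if bad_dns:
        findings.append("unexpected DNS servers: " + ", ".join(bad_dns))
    return findings


def audit_fleet(records: list[dict]) -> dict[str, list[str]]:
    """Map radio name -> findings, listing only radios that have any."""
    return {r["name"]: f for r in records if (f := audit_radio(r))}


# Constructed sample: one hardened SM and one showing the reported symptoms.
SAMPLE_FLEET = [
    {"name": "sm-hardened",
     "accounts": {"admin": {"enabled": True}, "installer": {"enabled": False},
                  "home": {"enabled": False}, "readonly": {"enabled": False}},
     "snmp": {"ro_community": "ro-k2X9q", "rw_community": "rw-M81zP"},
     "dns_servers": ["10.0.0.53"]},
    {"name": "sm-tampered",
     "accounts": {"admin": {"enabled": True}, "installer": {"enabled": True}},
     "snmp": {"ro_community": "public", "rw_community": "rw-M81zP"},
     "dns_servers": ["10.0.0.53", "203.0.113.9"]},  # second resolver altered
]

if __name__ == "__main__":
    for radio, findings in audit_fleet(SAMPLE_FLEET).items():
        print(radio, "->", "; ".join(findings))
```

Feed it the same records on a schedule and diff the result against the previous run; a radio that moves from clean to flagged is the early signal the original poster was missing between reset and re-infection.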

Any news about how to fix this problem?
We are also experiencing the same issue.

Brubble1’s answer is the most complete!

Hello Jerry,

Please change the installer account password from the default to something else, or disable the installer account on both APs and SMs. Also disable other accounts that you are not using.

The only way this attack comes is when you are using default passwords on your ePMP radios.

Frederick
