I work at a small WISP. A mix of Cambium and Ubnt.
Our Cambium customers (Force 180s) have gotten hit with malware (5 billionth search).
After eliminating everything on the device side, I found that a reset/reconfig of the radio would fix the problem. It seemed to work for a couple of days. Now I’m starting to get calls about the problems coming back.
What are the exhibited symptoms of this malware infection on the radios? What firmware are you running on them?
We are using 4.6.2.
The firmware redirects websites to the "5 billionth search" scam. When I reset and reconfigure, it fixes the problem, but some have now been hit again.
It’s affecting a large percentage of our Cambiums.
I would make sure you have firewall rules in place to block input to the radio management from anything but your known good IP addresses.
Generally speaking I would never suggest having the radios be externally reachable but I understand this is a common practice.
Are your radios acting as NAT? Bridge? Do they serve DHCP?
So someone in the ePMP forum posted with the same problem
It looks like the hack changes the DNS server address on the Configuration > Network > Ethernet Interface, so if the radio is doing DHCP to the customer it hands the customer hardware the malicious DNS addresses.
Edit: Found one on our network… God, I hope it’s just because it’s old and it escaped a config change, or one of the settings got defaulted over the years, or it’s a vulnerability in the older board or something.
F180 installed in 2015
The DNS address it’s known to use so far:
Check to see if you can log into a compromised radio with
This is the only way I could think of that the malware could access the radio but not be able to change the passwords (and why wouldn’t it do that if it could?)
Checked my one compromised radio and sure enough, the installer account was enabled and using the default password.
Also probably check to make sure your setup does not use the default SNMP strings, especially the Read/Write string (Configuration > System > SNMP).
I’ve posted cnMaestro template instructions and JSON script to disable all accounts BUT the admin account. You can find it here:
Why are there so many default accounts on some of the Cambium equipment ? It just seems like bad security posture in general.
Luckily all our 180’s have installer,home and read-only account as disabled.
We made specific templates to disable all these accounts when we rolled out 180’s for this exact scenario.
Cambium Networks acknowledges the persistence of the issue with unauthorized configuration changes. Primarily DNS settings are affected, but other settings can be affected too.
The issue can be observed with all firmware versions.
Presumably the attack is performed via default user passwords and SNMP communities.
Workaround: change all default passwords and SNMP communities.
We are grateful for all your feedback! Investigation is in progress.
I guess general network security isn’t as well implemented as it’s supposed to be.
Here is our basic network security in suggestion form: (we actually do this)
Accounts that are not in use should be disabled after you change the password for it. This is important as physical attacks (customer or stolen devices) rely on these defaulted accounts for access.
Accounts that are used should have the password changed to something complicated and include caps, lowercase, numbers and special characters.
It is highly suggested that RADIUS is set up and used for employee access; this requires the radio to have network access to work. This allows login tracking and accountability, and your employees do not need to know the local password.
A management VLAN should be used; management data should not mix with customer data, and a VLAN will prevent this as long as you are not within the same IP space (don’t reuse IP subnets in different VLANs). Use of RFC1918 or CGNAT addresses is encouraged. Your firewall should be configured to block all access from outside the management network, and VPNs should be used for remote access.
Network routers should have ACLs configured to keep management traffic separate from all other traffic, blocking traffic from and to IP space not on the management network.
Any news about how to fix this problem?
We are also experiencing same issue.
Doesn’t seem this is really a hack or malware on the radio thing. So far it looks like it’s an “Installer account is enabled by default and most people don’t know it” kind of thing.
Make sure the installer account is disabled if you aren’t using it. Make sure neither Admin nor Installer is using default passwords if you are using them. Make sure SNMP strings are not default.
If you are using cnMaestro, Eric Ozrelic (Epmp hacked? unexplainable traffic/malware? - #16 by Eric_Ozrelic) posts excellent step-by-step instructions for pushing a template out that disables all but the admin account.
EDIT: There is in fact a bug in the radios that allows the management interface to be accessed by the radio’s public IP even if you are using the “separate management interface” option, so it’s probably a good idea to not use default ports for HTTP/S or SSH and just disable Telnet unless you actually use it for some reason. Also probably make sure MAC-Telnet Access is disabled unless you actually use it as well.
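The indicators that come up across this thread (tampered DNS servers handed out over DHCP, installer/home/read-only accounts left enabled on a factory password, default SNMP communities, and management services on default ports with Telnet or MAC-Telnet still on) can be checked fleet-wide from exported radio settings rather than by logging into units one at a time. The script below is an added example and is not Cambium code or any poster's cnMaestro template; the JSON layout, its key names, the known-good resolver addresses and the factory-hash placeholder are all assumptions, so map them onto whatever your own ePMP/cnMaestro export actually contains.

```python
"""Audit exported radio settings for the indicators discussed in this thread.

Added example, not Cambium's code. The JSON shape below is an assumed,
simplified layout; real ePMP exports use different key names.
"""
import json
from typing import Dict, List

# Constructed: the resolvers your DHCP server is supposed to hand to customers.
KNOWN_GOOD_DNS = {"10.0.0.53", "10.0.1.53"}
# Generic factory SNMP communities; either one means the string was never changed.
DEFAULT_COMMUNITIES = {"public", "private"}
# Management services the thread suggests moving off their default ports.
DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22}
# Placeholder: record the password hash shown on a factory-fresh unit for each
# built-in account so the audit can spot units still on that credential.
FACTORY_DEFAULT_HASHES = {"installer": "<hash-of-factory-default-installer-password>"}


def audit_radio(cfg: dict) -> List[str]:
    """Return the findings for one radio; an empty list means it looks clean."""
    findings: List[str] = []
    name = cfg.get("name", "?")

    # 1. DNS tampering: the change the thread reports the attacker making.
    rogue = sorted(set(cfg.get("dns_servers", [])) - KNOWN_GOOD_DNS)
    if rogue:
        findings.append(f"{name}: DNS servers {rogue} are not in the known-good set")

    # 2. Built-in accounts other than admin that are still enabled, or still on
    #    the factory password (compared by hash, since exports carry no plaintext).
    for acct, props in cfg.get("accounts", {}).items():
        if acct == "admin":
            continue
        if props.get("enabled"):
            findings.append(f"{name}: account '{acct}' is enabled")
        if props.get("password_hash") == FACTORY_DEFAULT_HASHES.get(acct):
            findings.append(f"{name}: account '{acct}' still has the factory password")

    # 3. Default SNMP communities; the read/write one is the dangerous one.
    for key in ("snmp_ro", "snmp_rw"):
        if cfg.get(key, "").lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{name}: {key} community is a factory default")

    # 4. Management services exposed on default ports, Telnet variants enabled.
    ports = cfg.get("ports", {})
    for svc, default in DEFAULT_PORTS.items():
        if ports.get(svc) == default:
            findings.append(f"{name}: {svc} is listening on default port {default}")
    if cfg.get("telnet_enabled"):
        findings.append(f"{name}: Telnet is enabled")
    if cfg.get("mac_telnet_enabled"):
        findings.append(f"{name}: MAC-Telnet is enabled")
    return findings


def audit_fleet(export_json: str) -> Dict[str, List[str]]:
    """Audit a JSON array of radio configs; returns {radio name: findings}."""
    return {cfg["name"]: audit_radio(cfg) for cfg in json.loads(export_json)}


# Constructed sample export: one hardened SM and one that shows every indicator.
SAMPLE_EXPORT = json.dumps([
    {
        "name": "SM-0001",
        "dns_servers": ["10.0.0.53", "10.0.1.53"],
        "accounts": {
            "admin": {"enabled": True, "password_hash": "h-admin-rotated"},
            "installer": {"enabled": False, "password_hash": "h-installer-rotated"},
            "home": {"enabled": False, "password_hash": "h-home-rotated"},
            "readonly": {"enabled": False, "password_hash": "h-ro-rotated"},
        },
        "snmp_ro": "wisp-ro-7f3a", "snmp_rw": "wisp-rw-9c21",
        "ports": {"http": 8080, "https": 8443, "ssh": 2222},
        "telnet_enabled": False, "mac_telnet_enabled": False,
    },
    {
        "name": "SM-0042",
        "dns_servers": ["10.0.0.53", "198.51.100.7"],
        "accounts": {
            "admin": {"enabled": True, "password_hash": "h-admin-rotated"},
            "installer": {"enabled": True,
                          "password_hash": "<hash-of-factory-default-installer-password>"},
            "home": {"enabled": False, "password_hash": "h-home-rotated"},
            "readonly": {"enabled": False, "password_hash": "h-ro-rotated"},
        },
        "snmp_ro": "public", "snmp_rw": "private",
        "ports": {"http": 80, "https": 8443, "ssh": 2222},
        "telnet_enabled": True, "mac_telnet_enabled": False,
    },
])

if __name__ == "__main__":
    for radio, findings in audit_fleet(SAMPLE_EXPORT).items():
        print(radio, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; radios with a non-empty findings list are the ones to push a hardening template to first, and a DNS finding on a radio that was already hardened is worth treating as a sign of tampering rather than a leftover misconfiguration.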
Brubble1’s answer is the most complete!
Please change the installer account password from the default to something else, or disable the installer account on both APs and SMs. Also disable other accounts that you are not using.
The only way this attack comes is when you are using default passwords on your ePMP radios.