Tens of Thousands of Defaced MikroTik and Ubiquiti Routers Available Online

LASER_oneXM

Feb 4, 2016
Tens of thousands of MikroTik and Ubiquiti routers are currently available online, featuring alarmist hostnames such as "HACKED FTP server," "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED," or "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD."

In reality, these devices have not been hacked, just defaced, and appear to be the subject of some prank or vigilante's actions.

Attackers aren't taking over devices, but merely changing the devices' names (hostnames), as a warning for device owners, hoping that users will take action and secure their routers.

Defacements started in 2017 with Ubiquiti devices

Spotted by Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specialized in IoT security, these benign hacks have been going on since last summer.

Speaking to Bleeping Computer, Anubhav says he first spotted these defacements last July, when he found over 36,000 Ubiquiti routers with strange hostnames [1, 2, 3], a number that has grown to over 40,000.

The hostnames of the defaced Ubiquiti routers are the same ones used in a 2016 campaign when hackers changed Ubiquiti router logins to username "mother" and password "#####er".

Last year's and the recent Ubiquiti defacements don't appear to change the user's password like in the 2016 campaign, but only the router's hostname.

Default credentials are the most likely cause

Things cleared up when Anubhav found users complaining on the MikroTik forums about defaced devices, admitting they were using default or no credentials.

"Looks like somebody made a script that logs into unprotected devices and changes the identity name," said a MikroTik spokesperson. "[MikroTik] RouterOS devices do have a password and firewall by default, but many remove those for unknown reasons."

The vigilante prankster behind the MikroTik attacks could have done much more harm with such a script. Instead, he just opted to rename the router's FTP server hostname to "HACKED FTP server."

We understand that running a secure home router is sometimes too difficult for users with no technical skills, but if you're interested in knowing more about the topic, here's an article detailing some of the basics.
 