New Member
Posts: 23
Registered: ‎11-25-2017
Kudos: 9

BleepingComputer Article “Defaced MikroTik and Ubiquiti Routers available online”

Hi,

For info, came across this article today.

A quick search of these forums shows it's already been discussed, but as it's a new article (10th Jan), and people may ask questions, thought it worth dropping in here for awareness....

https://www.bleepingcomputer.com/news/security/tens-of-thousands-of-defaced-mikrotik-and-ubiquiti-ro...

“Tens of thousands of MikroTik and Ubiquiti routers are currently available online, featuring alarmistic hostnames such as "HACKED FTP server," "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED," or "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD."”

Regular Member
Posts: 461
Registered: ‎08-29-2012
Kudos: 292
Solutions: 12

Re: BleepingComputer Article “Defaced MikroTik and Ubiquiti Routers available online”

If you look on Shodan you see routers by ISP; those ISPs should be named and shamed for using a default password. This is not a problem with the makers of the hardware, this is a problem with stupid network operators. I feel bad for the end users that are paying money to a company that cares so little about their own network.

Established Member
Posts: 2,475
Registered: ‎08-06-2015
Kudos: 1016
Solutions: 150

Re: BleepingComputer Article “Defaced MikroTik and Ubiquiti Routers available online”

As noted in the OP this is not new. It isn't even unique to the two named vendors.

As noted in the referenced article this likely has most to do with end-users installing these devices and keeping the default credentials. That has been noted in these forums several times, in some cases with much worse results than a simple hostname change.

Big ISPs that provide equipment to end users have mostly migrated away from well-known default credentials and instead will typically have a label/sticker on the CPE router with the defaults printed. Those defaults, while not necessarily "strong", are unique and (much more importantly) not "well known". This is done since it is expected that end-users in fact will never change them.

When someone obtains a router on their own, such as from UBNT, there is an expectation that they should change the well-known defaults but alas there are too many that do not do so. The wizards (the last I checked) even provide for this change as a default configuration but too many still don't do this.

Most providers, even small ones, know better and change the default credentials as part of standard configuration.

Regular Member
Posts: 461
Registered: ‎08-29-2012
Kudos: 292
Solutions: 12

Re: BleepingComputer Article “Defaced MikroTik and Ubiquiti Routers available online”

Here is a list (top 3) of the routers found with the hostname HACKED-ROUTER-HELP-SOS-HAD-DUPE-PASSWORD, grouped by ISP:

Uarnet 1,066 (ISP in West Ukraine)
TzOV Biznes i Technologii 833 (ISP in Ukraine)
Wiltel Comunicaciones SA 582 (ISP in Argentina)

Tell me how one ISP has over 1000 people buy a router from ubnt and not change the password. Those devices are managed or supplied by the ISP. Btw below is a list by device type (top 5):

AG5-HP 8,835
LM5 7,609
LB5 1,843
N5N 1,394
NB5 1,340

Not one of the above devices is something that a normal end user would buy.

 

The fault lies 100% with the ISP.

Regular Member
Posts: 598
Registered: ‎10-13-2016
Kudos: 180
Solutions: 19

Re: BleepingComputer Article “Defaced MikroTik and Ubiquiti Routers available online”

Granted sometimes I am indeed guilty of being lazy and the username may stay the same, but I always always ALWAYS change the password immediately. It's not rocket science, it's common sense.
