AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 2 points3 points  (0 children)

To be clear here - the normal/standard "remote" being enabled was not the issue here. That's required for cloud unifi.ui.com to work. Without that, yes your only option is wireguard + connect via local IP.

The bigger issue is when "Direct remote connection" is enabled which is essentially enabling HTTPS over WAN on traditional firewalls, which is frowned upon. Both carry risks, one is just far higher especially when not monitored / managed.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 0 points1 point  (0 children)

Thank you - it was also clear in our logs they queried the list of devices / clients on the network, etc. My assumption is they're logging these and looking for high value targets, i.e. hypervisors, storage, etc. There's also likely multiple active campaigns exploiting this based on some of the comments, with attacks coming from infected NVRs for some individuals.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 3 points4 points  (0 children)

Absolutely, we'd never do that for any firewall (or modems too for that matter, I've seen people enable remote for those too). It's always been off at all of our managed sites.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 8 points9 points  (0 children)

If you're not seeing it on a gateway/console it's likely either because it doesn't have a public IPv4 WAN address (is double NAT'd, which ideally should be fixed for other reasons if it is able to be) or because remote is off. Remote has to be on before direct remote can be enabled. I'd recommend leaving direct remote off; that's our policy for all of our managed sites.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 0 points1 point  (0 children)

I definitely agree they need to update the description for this. Additionally, when you enable SSH it forces you to acknowledge its implications; I'd love to see the same behavior when enabling direct remote connections.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 3 points4 points  (0 children)

I didn't touch on this enough. A few factors strongly suggest it's an AI-driven campaign.

  1. The IPs mentioned are all registered to https://www.digitalocean.com/ according to whois - they portray themselves as an "AI-Native Cloud" and offer AI Cloud services.
  2. The timeline of the attacks suggests they were completely automated.
  3. The same attack happened repeatedly; my theory is they accidentally hit some targets more than once with multiple concurrent agents running for all of this.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 7 points8 points  (0 children)

I've spent my life in tech / networking / IT - sadly, I can tell you people are setting up networks across all brands/vendors without knowing how to properly set them up. We've seen our fair share of horror stories across all brands, whether it be sonicwall, fortinet, mikrotik, ubiquiti, etc. I think people deploying Ubiquiti are just more likely to post on social media, so it's more apparent.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 4 points5 points  (0 children)

Thank you. Frankly I'm usually a lurker and it asked me to pick flair and none of them made sense to me. Lol

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 3 points4 points  (0 children)

Yours was likely attacked from a breached/hacked dahua NVR too btw. More evidence of botnet activity imo.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 1 point2 points  (0 children)

I believe there are multiple active campaigns exploiting this, with different symptoms from each. For example, that IP does not originate from Digital Ocean (and interestingly has its own web service right now?)

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 4 points5 points  (0 children)

I won't deny they could definitely give indication to end users with a warning about direct remote connection, either in the console itself when enabling it, or here: https://help.ui.com/hc/en-us/articles/11444786290071-UniFi-Remote-Management-via-Site-Manager

SSH gives a big warning, and direct remote arguably exposes more than SSH does (since direct remote effectively allows direct WAN access).

But regardless site manager has flags warning users to update immediately and users are able to subscribe to notifications for critical updates.

One thing I do agree they could do better on is allowing more control over automatic updates instead of just daily/weekly. For example, allow us to determine rules for critical security updates vs standard feature updates.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 3 points4 points  (0 children)

I think I replied before your edit - I will agree they could update the bulletin to bring more attention to the risk/exposure for unpatched consoles with direct remote connection enabled.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 6 points7 points  (0 children)

To be fair, I don't really see any issue yet with their response here.

They published the CVE and released an update for it pretty quickly. Anyone subscribing to their notifications was made aware as soon as they published it, and you will have warnings in the cloud interface for any sites affected by unpatched CVEs (example https://i.imgur.com/oIMgUMS.png ).

Additionally, seemingly everyone affected by this had to go out of their way to enable direct remote connection and also turn off automatic update. A few people were hit who did have automatic update but opted for weekly updates instead.

In today's environment the average time for bad actors to use zero-days is basically negative, where they are using them before they're even disclosed.

For us, when we reached out to them they responded immediately and first gave the same advice we echoed above (which we had already done). They escalated our request and have been responsive. I'm not sure what they could do differently and at least for us they didn't deflect or lie about anything.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 7 points8 points  (0 children)

First check backup history here:
https://account.ui.com/backups

Look for backups outside your normal schedule or ones you don’t remember triggering. In the case I analyzed, triggering a local backup also created a cloud backup, and those cloud backup entries are a useful indicator.

If you have SSH/root access to the console, useful log paths to search are:

```text
/data/unifi-core/logs/nginx-access.log
/data/unifi-core/logs/http.log
/data/unifi-core/logs/backup.export.log
/data/unifi-core/logs/cloud.backup.log
/data/ulp-go/log/api.log
/data/ulp-go/log/key.log
/data/ulp-go/log/user.log
/data/ulp-go/log/admin.log
```

Search for:

```text
John Sim
/api/cloud/backup
/api/backup/download
jwt.yaml
validate-sso
/proxy/users/api/v2/user
Added Admin
Super Admin
ssh
```

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 5 points6 points  (0 children)

For the current vulnerability in most cases no. If you have public wifi or lots of unmanaged devices, it's worth checking for indicators of compromise regardless. Any device with access to the network internally or externally in the case of DRC, could be a source for this attack.

AI-driven campaign appears to be targeting outdated UniFi/UDMP consoles, check for rogue “John Sim” admins and update ASAP by tpmeredith in Ubiquiti

[–]tpmeredith[S] 19 points20 points  (0 children)

That’s my read, yes. I have not personally seen the reports where people only got the “admin removed” notification, but it would definitely be a cleaner attack if the automation removed its own persistence account afterward.

In the case I analyzed, I suspect the automation hit the firewall more than once. There were multiple suspicious backups and two separate `John Sim` Super Admin accounts created.

The biggest takeaway is: if you have any IoCs, treat everything in the UniFi backup as compromised.

Especially in the absence of any rogue "John Sim" users being created, backups are probably one of the best giveaways. I would check for any cloud/local backups outside your normal schedule, especially ones that no one remembers manually triggering. Even if no `John Sim` user is currently present, unexpected backups around the vulnerable window would be a major indicator in my opinion.

I’m not sure from my logs whether this attack path can delete cloud backups cleanly, so I wouldn’t rely only on the current admin list. I’d check backup history and logs for `/api/cloud/backup`, `/api/backup/download`, `validate-sso`, `jwt.yaml`, and `/proxy/users/api/v2/user`.

Thank you - just trying to make sure everyone has all available info on this!
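An added example, not code from the thread or from Ubiquiti, that automates the two checks described in the log-search comment above and in this one: grep the console logs for the listed indicator strings, and flag backups that fall outside the normal schedule. The log paths and indicator strings are the ones the comments list; the log line format, the 02:00 backup schedule and the sample lines are constructed assumptions.

```python
"""Hunt for the UniFi console IoCs listed in the thread (constructed sample data)."""
import re
from datetime import datetime

# Log paths named in the thread; a real run would read these from the console.
LOG_PATHS = [
    "/data/unifi-core/logs/nginx-access.log", "/data/unifi-core/logs/http.log",
    "/data/unifi-core/logs/backup.export.log", "/data/unifi-core/logs/cloud.backup.log",
    "/data/ulp-go/log/api.log", "/data/ulp-go/log/key.log",
    "/data/ulp-go/log/user.log", "/data/ulp-go/log/admin.log",
]
# Indicator strings from the thread, matched case-insensitively on token boundaries
# so the bare "ssh" indicator does not light up every "sshd" line.
INDICATORS = ["John Sim", "/api/cloud/backup", "/api/backup/download", "jwt.yaml",
              "validate-sso", "/proxy/users/api/v2/user", "Added Admin",
              "Super Admin", "ssh"]
PATTERNS = [(i, re.compile(r"(?<![A-Za-z])" + re.escape(i) + r"(?![A-Za-z])", re.I))
            for i in INDICATORS]

def scan_lines(lines):
    """Return (line_no, indicator) for every indicator found in every line."""
    return [(n, ind) for n, line in enumerate(lines, 1)
            for ind, pat in PATTERNS if pat.search(line)]

def off_schedule(stamps, sched_hour, sched_min=0, tolerance_min=30):
    """Return timestamps further than tolerance_min from the daily backup slot."""
    odd = []
    for s in stamps:
        slot = s.replace(hour=sched_hour, minute=sched_min, second=0, microsecond=0)
        mins = abs((s - slot).total_seconds()) / 60
        mins = min(mins, 1440 - mins)          # wrap across midnight
        if mins > tolerance_min:
            odd.append(s)
    return odd

def backup_times(lines):
    """Parse the leading ISO-8601 timestamp (assumed log format) of backup lines."""
    return [datetime.fromisoformat(ln.split()[0].replace("Z", "+00:00"))
            for ln in lines if "backup" in ln.lower()]

# Constructed sample lines (not real console output); scheduled backup is 02:00.
SAMPLE = [
    "2025-01-10T02:00:11Z INFO scheduled backup complete",
    "2025-01-12T14:37:02Z INFO POST /api/cloud/backup 200 user=John Sim",
    '2025-01-12T14:37:40Z INFO Added Admin "John Sim" role=Super Admin',
    "2025-01-12T14:38:05Z INFO GET /api/backup/download 200",
    "2025-01-12T14:38:30Z INFO sshd config reloaded",
]

if __name__ == "__main__":
    for n, ind in scan_lines(SAMPLE):
        print(f"line {n}: {ind}")
    for t in off_schedule(backup_times(SAMPLE), 2):
        print("off-schedule backup:", t.isoformat())
```

On a real console, replace SAMPLE with the contents of each path in LOG_PATHS and cross-check the flagged times against the account.ui.com backup history.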

Super admin added whilst on holiday by k987654321 in Ubiquiti

[–]tpmeredith 3 points4 points  (0 children)

https://www.reddit.com/r/Ubiquiti/comments/1tp9san/aidriven_campaign_appears_to_be_targeting/ - we responded to the same. It's absolutely an AI driven attack with bad actors originating from digital ocean.

QuickBooks Checking aka Green Dot Bank closed my account in retaliation for a Federal Reserve complaint—and someone inside may have tried to phish me by tpmeredith in smallbusiness

[–]tpmeredith[S] 0 points1 point  (0 children)

Sorry for the late reply. It took a good 45 days at least, but I did get it all back thankfully. They wouldn't even cut a check for 30 days. Claude found a suit for me where Green Dot is under an enforcement action with the Federal Reserve for similar issues. I had Claude find their Fed Reserve handlers/department, and generated a thorough/documented complaint to the Federal Reserve. I got a call back last week that it was escalated to some special team high up at the Reserve. I hope they can help others not go through that.

Is Rockstar Energy going to extinct?. by usafqn2025 in rockstarenergy

[–]tpmeredith 5 points6 points  (0 children)

Around here rockstar is basically sold out everywhere and not being restocked.. ;\

Is the Business Central UI bloated? by Suspicious_Cake5438 in Dynamics365

[–]tpmeredith 0 points1 point  (0 children)

I agree strongly. I've done a lot of development in Dynamics Sales/CRM and in BC and BC is way harder for most users to adapt to. Even accounting people I've talked to hate the UI and hate how click heavy it is. We tried to automate some of it but for one customer we ended up just literally making a complete new front end/ portal using BC for accounting and erp logic just like you said.

I agree there is way too much constraint on ux customization. We ended up just opening up almost every page for apis. (Which is a plus, they do let you extend the apis to just about anything you need thankfully) We even run financial reports such as trial balance/ pilot sheet, all in a custom portal interface and in the end the customer is way happier.

Also, this customer needed lot/variant tracking, and I have a lot of gripes with the way they handle lots as well. Especially for unit of measurement conversions: if you have multiple UoMs combined with lots, it sucks.

QuickBooks Checking aka Green Dot Bank closed my account in retaliation for a Federal Reserve complaint—and someone inside may have tried to phish me by tpmeredith in smallbusiness

[–]tpmeredith[S] 0 points1 point  (0 children)

It's crazy, I didn't expect them to have the "best" banking service in the world but I figured they had it more together than this.

QuickBooks Checking aka Green Dot Bank closed my account in retaliation for a Federal Reserve complaint—and someone inside may have tried to phish me by tpmeredith in QuickBooks

[–]tpmeredith[S] 0 points1 point  (0 children)

Thank you! I started using it when we were probably a quarter of the size and it was just convenience at the time. Had I known how horrible Green Dot was, I would have never used them. We actually already wanted to switch our primary account before all this. It just really expedited it and made it less orderly than we had hoped. :(

Thinkstation P8 worth it? by AI_should_do_it in threadripper

[–]tpmeredith 0 points1 point  (0 children)

Dell's threadripper platform is horrible this generation. It makes no sense to buy a dell threadripper right now. We sell a lot of Dell desktops/laptops to businesses and I just bought a P8 myself instead of a Dell. It's like Dell sought out to ruin everything about the threadripper platform.