Hello and welcome to the Wednesday, February 28, 2024 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida. A little bit

over a week ago, the Department of Justice published a press release stating that they actually took action

against a botnet that infected home routers in the US.

Apparently, this botnet was associated with the Russian intelligence services, and it

specialized in infecting ubiquity edge routers that were still configured with the default password of UBNT.

So username and password were both UBNT, which is the default username and password for most equipment made by ubiquity,

like for example their cameras, switches, routers typically start out

with this username and password.

Now, the press release didn't state exactly when this happened, but they also said that

they got the court order that allowed them to do this.

In January, there was also a redacted copy of the court order. Also,

didn't really exactly say which exact commands. They ran to then later block reinfection.

Apparently, they were adjusting firewall rules for that. And also, how many of these bots

were exactly eliminated.

But I took a look at our data to see if we saw any change in scanning for these default

credentials, UBNT, UBNT, which are typical for OPEVIDE equipment.

Well, it turns out, didn't really see much of a change here.

Now, I looked at the number of sources that are actually scanning for these credentials.

They don't look like they change much at all.

There is a small sort of drop if you sort of draw linear regression, but it's anything but significant. Also, if you're

looking at the total number of reports, there is a small drop, but it's a very odd kind of spike

...