The Mikrotik RouterOS-Based Botnet

March 28, 2018 — by Radware — 0

A newly discovered botnet targets TCP port 8291 and vulnerable Mikrotik RouterOS-based devices. MikroTik, a Latvian hardware manufacturer, products are used around the world and are now a target of a new propagating botnet exploiting vulnerabilities in their RouterOS operating system, allowing attackers to remotely execute code on the device. Such devices have been making unaccounted outbound winbox connections. Radware’s Emergency Response Team (ERT) has spotted an increase in malicious activity following Kaspersky’s publication about the Slingshot APT malware that infected Mikrotik routers. It is believed this botnet is part of the Hajime botnet. Radware is witnessing the spreading mechanism going beyond port 8291 into others and rapidly infecting other devices other than MikroTik (such as AirOS/Ubiquiti). The concern is that this new botnet will be leveraged to launch DDoS attacks. This is another event demonstrating the struggle for control between various bot-herders.

Figure 1: Multiple MikroTik exploits are available on GitHub and other sites

RouterOS Vulnerability

RouterOS is an operating system based on the Linux kernel, which implements functionalities normally used by ISPs, such as BGP, IPv6, OSPF or MPLS. RouterOS supported by MikroTik and its user community, providing a wide variety of configuration examples. RouterOS is embedded in MikroTik’s RouterBOARD product line, focused on small- and medium-sized Internet access providers that typically provide broadband access in remote areas.

[You might also like: Putinstresser.eu, a Simple and Powerful Booter and Stresser Service]

Preliminary analysis suggests that the botnet is exploiting known Mikrotik vulnerabilities (HTTP, SMB) as well as password brute-forcing. The worm has a highly efficient propagation mechanism by aggressively scanning for port 8291 in order to identify publicly available Mikrotik devices and using the password cracking capabilities to infect neighbor devices.

Mikrotik RouterOS SMB Buffer-OverflowVulnerability

A buffer overflow state occurs in MikroTik’s RouterOS SMB service when processing NetBIOS session request messages. Remote attackers exploiting this vulnerability can execute code on the system. As the overflow occurs before authentication takes place, an unauthenticated remote attacker can easily exploit it.

ChimayRed HTTP Exploit

The MikroTik RouterOS software running on the remote host is affected by a flaw in its HTTP web server process due to improper validation of user-supplied input. An unauthenticated, remote attacker craft a POST request to write data to an arbitrary location within the web server process, resulting in a denial-of-service condition or the execution of arbitrary code.

Infection Method

On 2018-03-24, 15:00 UTC time, Radware ERT research team has detected a huge spike on activity for TCP port 8291 in its global honeypot network.

Figure 2: Unique IPs per hour, targeting TCP port 8291. Logarithmic scale

After near-zero activity for months, Radware witnessed over 10,000 unique IPs hitting port 8291 in a single day.

Figure 3: Distribution of unique IPs scanning for the vulnerability

The worm aggressively scans the Internet with SYN packets to port 8291, but it never actually establishes a 3-way handshake on that port, e.g. no payload is sent to the point.

It appears the worm utilizes this stealth-SYN scan method to quickly identify vulnerable Mikrotik devices, as this port is used almost exclusively by the Mikrotik RouterOS platform. In addition to scanning port 8291, the worm targets the following ports: 80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880.

Exploits

The worm uses the ChimayRed exploit targeting vulnerable web servers on Mikrotik devices.

The worm will try to send the malicious payload to port 80 as well as other ports described earlier (80 81 82 8080 8081 8082 8089 8181 8880).

[You might also like: New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers]

The worm has a very high success rate of exploiting and spreading, as mentioned in MikroTik’s own forum (*Update 1), “Our network had a major attack today as well. It seems like they opened some devices via the http port (quite an old firmware) and they tried to spread or access by brute forcing mikrotik neighbors.”

This means that the worm utilizes exploits as well as password brute-forcing attempts to nearby neighbors, speeding up the infection rate.

Figure 5: The exploit payload that Radware caught in its honeypot network

Hashes / IOCs

/flash/bin/.telnetd
/flash/bin/fifo
/flash/bin/.p
/flash/etc/rc.d/run.d/S99telnetd
POST /jsproxy HTTP/1.1\r\nContent-Length:

Recommendations

Mikrotik recommends to Firewall ports 80/8291(Web/Winbox) and upgrade RouterOS devices to v6.41.3 (or at least, above v6.38.5 – *Update 2) Follow MikroTik’s thread on Twitter.

*Update 1: We regret the confusion caused by a wrong choice of wording that might have given the impression that MikroTik’s own network was compromised. We changed the wording from ‘own post’ to ‘own forum’ as the post was not originating from a MikroTik employee.

*Update 2: Updated MikroTik original recommendation that was posted in a deleted Twitter message (https://twitter.com/mikrotik_com/status/978160202380972032) and replaced with new recommendation as per the later Tweet (https://twitter.com/mikrotik_com/status/978533853324283904).

Download “When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies” to learn more.

Download Now

A Quick History of IoT Botnets

March 1, 2018 — by Radware — 0

The Internet of Things (IoT) describes a world where just about anything is an Internet-enabled device. IoT is comprised of smart physical objects such as vehicles and buildings or embedded devices such as refrigerators, toasters and routers. These devices feature sensors and an IP address for Internet connectivity, enabling these objects to collect and exchange data while allowing users the ability to automate or control their devices.

New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers

February 12, 2018 — by Radware — 1

blog_image_ert_alert_wordpress_vulnerability-960x720.jpg

Overview

On February 8^th, 2018, Radware’s Deception Network detected a significant increase in malicious activity over port 8080. Further investigation uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 – Dasan Unauthenticated Remote Code Execution. Referred to as “Satori.Dasan,” it’s been rapidly expanding with a high success rate. The C2/Exploit server for this botnet is 185.62.188.88 (AS49349 – BlazingFast LLC, Ukraine)

It is not clear what is the purpose of this new botnet, as we were unable to find specific attack vectors in the binary.

Our analysis suggests that Satori is looking to take over 40,000 IoT devices to join its growing family of cryptocurrency miners, as we saw here, and here. This would make the Satori.dasan malware a stage #1 infection, responsible for rapidly scanning the internet looking for vulnerable devices.

Network Coverage

Over the past two days Radware has detected over 2000 malicious Unique IPs daily, almost 10 times higher than the daily average in the weeks prior.

The majority of the traffic came from Vietnam originating almost entirely from an ISP named ‘Viettel.’

A significant percentage of those malicious bots were also listening themselves on port 8080.

By sampling roughly 1000 IPs and querying their server headers, Radware revealed that 95% identified themselves as running “Dasan Network Solution.”

A quick Shodan search revealed about 40,000 devices listening on port 8080, with over half located in Vietnam, and not surprisingly an ISP named ‘Viettell Corporation.’

Botnet Activity: Distributed Scanning and Central Exploitation Server

The infected bots will perform aggressive scanning of random IP addresses, exclusively targeting port 8080. Once it finds a suitable target, it notifies a C2 server which immediately attempts to infect it.

See the following sequence captured at one of Radware’s sensors (10.0.0.70):

Step #1

The infected bot sends a half-open stealth-scan SYN request to port 8080. Instead of Ack, a TCP Reset is sent. Typical to Mirai code, the initial TCP SYN packet contains a sequence number identical to the 32bit value of the target victim.

Step #2

After 4 seconds, the bot establishes a 3-way TCP handshake to port 8080

Step #3

The following 113 bytes payload is sent:

Note that this is not the actual exploitation attempt, but rather a screening process to find vulnerable hosts.

Step #4

Radware’s Deception Network sensor is answering the probe with the following response:

The bot closes the connection.

Step #5

Now comes the interesting part.

Notice the timestamp – it is just 106 milliseconds after the last packet and we suddenly get an exploitation attempt from a completely different IP address. This IP belongs to a central exploitation server running on 185.62.188.88

The exploit server sends the following payload over HTTPS port 8080:

Investigating the Malware

The threat actors who operate this C2 Crime Server are responsible for numerous attacks that were recently covered by different security vendors, including Fortinet, 360netlab, SANS.

With some scanning, fuzzing and Open-Source Intelligence (OSINT0) we found some interesting details.

As with previous incidents, the domain rippr.me is used to point to the C2 server.

The following entries have an associated TXT record:

As we saw in the exploit payload, the server is listening on port 7777. Connecting to it brings the following download code:

So let’s get the file and check the contents:

It looks like a downloader that will be running on an infected device. The script downloads several versions of the binary and tries to execute it. If it fails (due to wrong CPU architecture), it will just go over to the next one.

Let’s grab the binaries (and guess some additional ones, like the x86_64). They look quite fresh according to server timestamps:

At the moment, VirusTotal already knows about the C2 address and shows that less than five antivirus products detect the files as malicious. Not very promising right now, but this should improve.

We will use this opportunity to submit some of the binaries that are missing in VT.

Summary

The Satori.Dasan variant is a rapidly growing botnet which utilizes a worm-like scanning mechanism, where every infected host looks for more hosts to infect. In addition, it also has a central C2 server that handles the exploitation itself once the scanners detect a new victim.

Read “2017-2018 Global Application & Network Security Report” to learn more.

Download Now

Taking Stock of Application-Layer Security Threats

January 11, 2018 — by Radware — 0

The financial services industry is, by its very nature, inherently risk adverse. The sheer volume of transactional data moving through networks can be staggering and protecting that data from cyberthreats is strategically and fiscally critical. To understand how financial service executives keep their most prized applications secure, Radware surveyed over 600 chief information security officers (CISOs) and other security leaders across financial services, retail and healthcare industries. This article provides an overview of key findings from Radware’s web application security report: Web Application Security in a Digitally Connected World.

Retail & Web Application Security: What Application-Layer Security Threats Are in Store for Retailers

January 10, 2018 — by Radware — 0

The retail industry is undergoing a transformative period as the “empowered” consumer, driven by technological advances and breakthroughs, impacts how retailers market, communicate and sell. Retailers continue to erode the barrier to purchase via a myriad of new technologies, such as mobile apps, social media transactions and AI that converse with consumers. They leverage AI to analyze buyer behavior and optimize buyer preferences. Even “traditional” retailers have invested in technologies that track both offline and in-store behaviors to further reduce the barrier to sale regardless of location.

The Healthcare / Cyber-Security Connection

January 9, 2018 — by Radware — 0

One of the businesses in the spotlight lately when it comes to cyber-attacks is healthcare – in fact, 46% of healthcare organizations experienced a data breach. The data associated with this industry is extremely sensitive and highly regulated, and also actively sought by hackers. It has even gotten to the point where we need to worry about the possibility of someone’s pacemaker or other medical device being hacked. We’ve covered this topic in much detail over the course of 2017, and below is our roundup of everything you need to know about cyber-security and healthcare.

Ransomware, Automation, and IoT Bots, Oh My!

January 3, 2018 — by Radware — 0

Happy New Year to all our readers! In 2017, we conducted several studies and wrote several reports on the state of cyber security. Let’s take a look at how 2017 shaped up:

The Radware Research Roundup

December 28, 2017 — by Radware — 0

As 2017 comes to a close, we decided to take a look back at a number of new attack types and threats that we saw throughout the year. Our team took a deep dive into researching and testing many of these threats to find out how they operate and how big of a threat they really were, through setting up honeypots, intentionally bricking a colleague’s device, and setting up IoT chatbots. Below are some of the highlights from our year:

2017 in Review: Your Favorite Posts

December 27, 2017 — by Radware — 0

Another year has come and gone, full of all sorts of new cyber-attacks and vulnerabilities. Which subjects did our readers find the most fascinating this year? Privacy, open-source tools, and a new botnet threat called Reaper were just a few. Below are the top 10 posts that you kept coming back to:

Healthcare & Web Application Security: A Prescriptive Look at Application-Layer Security Risks

December 7, 2017 — by Radware — 0

The healthcare sector consists of a wide number of segments: payers, such as insurance companies; providers such as hospitals and doctors; and manufacturers, both pharmaceutical as well as medical device and equipment. Because the industry deals with quality of life issues across the spectrum, access to real-time data, especially sensitive data such as patient records, requires both the security and availability of in-house, Web, mobile, or cloud applications.

main

Attack Types & Vectors Security