
Attack Types & Vectors, Security

Stresspaint Malware Campaign Targeting Facebook Credentials

April 18, 2018 — by Adi Raff


On April 12, 2018, Radware’s threat research group detected, via internal feeds, malicious activity by a group collecting user credentials and payment methods from Facebook users across the globe. The group manipulates victims via phishing emails into downloading a painting application called ‘Relieve Stress Paint.’ While benign in appearance, it runs a malware dubbed ‘Stresspaint’ in the background. Within a few days, the group had infected over 40,000 users, stealing tens of thousands of Facebook user credentials and cookies. This rapid distribution and high infection rate indicate that the malware was developed professionally. The group is specifically interested in users who own Facebook pages and whose accounts contain stored payment methods. We suspect that the group’s next target is Amazon, as the attack control panel has a dedicated section for it. Radware will continue to analyze the campaign and monitor the group’s activity. Prior to publication of this alert, Radware detected another variant of the malware and saw indications of the new version in the control panel.

Attack Types & Vectors, Security

The Mikrotik RouterOS-Based Botnet

March 28, 2018 — by Radware


A newly discovered botnet targets TCP port 8291 and vulnerable Mikrotik RouterOS-based devices. MikroTik is a Latvian hardware manufacturer whose products are used around the world; those products are now the target of a new, self-propagating botnet that exploits vulnerabilities in the RouterOS operating system, allowing attackers to remotely execute code on the device. Infected devices have been making unaccounted-for outbound Winbox connections. Radware’s Emergency Response Team (ERT) has spotted an increase in malicious activity following Kaspersky’s publication about the Slingshot APT malware that infected Mikrotik routers. It is believed this botnet is part of the Hajime botnet. Radware is witnessing the spreading mechanism going beyond port 8291 into other ports and rapidly infecting devices other than MikroTik (such as AirOS/Ubiquiti). The concern is that this new botnet will be leveraged to launch DDoS attacks. This is another event demonstrating the struggle for control between various bot-herders.

Figure 1: Multiple MikroTik exploits are available on GitHub and other sites

RouterOS Vulnerability

RouterOS is an operating system based on the Linux kernel, which implements functionality normally used by ISPs, such as BGP, IPv6, OSPF or MPLS. RouterOS is supported by MikroTik and its user community, which provides a wide variety of configuration examples. RouterOS is embedded in MikroTik’s RouterBOARD product line, which is focused on small- and medium-sized Internet access providers that typically provide broadband access in remote areas.


Preliminary analysis suggests that the botnet is exploiting known Mikrotik vulnerabilities (HTTP, SMB) as well as password brute-forcing. The worm has a highly efficient propagation mechanism: it aggressively scans for port 8291 to identify publicly reachable Mikrotik devices and uses its password-cracking capability to infect neighboring devices.

Mikrotik RouterOS SMB Buffer Overflow Vulnerability

A buffer overflow occurs in MikroTik’s RouterOS SMB service when processing NetBIOS session request messages. Remote attackers exploiting this vulnerability can execute code on the system. As the overflow occurs before authentication takes place, an unauthenticated remote attacker can easily exploit it.

ChimayRed HTTP Exploit

The MikroTik RouterOS software running on the remote host is affected by a flaw in its HTTP web server process due to improper validation of user-supplied input. An unauthenticated, remote attacker can craft a POST request to write data to an arbitrary location within the web server process, resulting in a denial-of-service condition or the execution of arbitrary code.

Infection Method

On 2018-03-24 at 15:00 UTC, Radware’s ERT research team detected a huge spike in activity on TCP port 8291 in its global honeypot network.

Figure 2: Unique IPs per hour targeting TCP port 8291 (logarithmic scale)

After near-zero activity for months, Radware witnessed over 10,000 unique IPs hitting port 8291 in a single day.

Figure 3: Distribution of unique IPs scanning for the vulnerability

The worm aggressively scans the Internet with SYN packets to port 8291, but it never actually completes a 3-way handshake on that port, i.e., no payload is ever sent to the port.

It appears the worm utilizes this stealth-SYN scan method to quickly identify vulnerable Mikrotik devices, as this port is used almost exclusively by the Mikrotik RouterOS platform. In addition to scanning port 8291, the worm targets the following ports: 80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880.

Exploits

The worm uses the ChimayRed exploit targeting vulnerable web servers on Mikrotik devices.

The worm will try to send the malicious payload to port 80 as well as to the other ports listed earlier (81, 82, 8080, 8081, 8082, 8089, 8181, 8880).


The worm has a very high success rate of exploiting and spreading, as mentioned in MikroTik’s own forum (*Update 1), “Our network had a major attack today as well. It seems like they opened some devices via the http port (quite an old firmware) and they tried to spread or access by brute forcing mikrotik neighbors.”

This means that the worm utilizes exploits as well as password brute-forcing attempts to nearby neighbors, speeding up the infection rate.

Figure 5: The exploit payload that Radware caught in its honeypot network

Hashes / IOCs

  • /flash/bin/.telnetd
  • /flash/bin/fifo
  • /flash/bin/.p
  • /flash/etc/rc.d/run.d/S99telnetd
  • POST /jsproxy HTTP/1.1\r\nContent-Length:
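As an added defensive example (not code from the Radware post), the following Python checks constructed honeypot-style records for the two behaviours described above: SYN-only probing of TCP/8291 followed by probes to the worm’s web ports, and requests beginning with the `POST /jsproxy` prefix listed in the IoCs. The sample flows, IP addresses and function names are all constructed for illustration.

```python
from collections import defaultdict

WINBOX_PORT = 8291
# Web ports the post says the worm probes in addition to 8291
WORM_WEB_PORTS = {80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880}
# IoC from the list above: the request prefix sent to the RouterOS web server
JSPROXY_IOC = "POST /jsproxy HTTP/1.1\r\nContent-Length:"

# Constructed honeypot flow records: (source IP, destination port, flag summary).
# The flag field is a simplified constructed summary: "S" = only a SYN was ever
# seen from this source on this port, "SA" = the handshake completed.
SAMPLE_FLOWS = [
    ("198.51.100.7", 8291, "S"),    # SYN only, handshake never completed
    ("198.51.100.7", 80, "S"),      # same source then probes the worm's web ports
    ("198.51.100.7", 8080, "S"),
    ("203.0.113.9", 8291, "SA"),    # completed handshake: ordinary Winbox management
    ("203.0.113.9", 443, "SA"),
    ("192.0.2.33", 22, "S"),        # unrelated SSH probe, ignored
]

def classify_scanners(flows):
    """Return sources whose 8291 traffic is SYN-only and who also probe worm web ports.

    A source that completes a handshake on 8291 is treated as a legitimate
    Winbox client and is not reported, even if it also touched a web port.
    """
    syn_only, completed = set(), set()
    web_probes = defaultdict(set)
    for src, port, flags in flows:
        if port == WINBOX_PORT:
            (syn_only if flags == "S" else completed).add(src)
        elif port in WORM_WEB_PORTS:
            web_probes[src].add(port)
    return sorted(s for s in syn_only - completed if web_probes.get(s))

def matches_jsproxy_ioc(raw_request):
    """True when a raw HTTP request starts with the jsproxy IoC exactly as listed.

    The IoC as given requires Content-Length to be the first header; a request
    that puts another header first is deliberately not matched here.
    """
    return raw_request.startswith(JSPROXY_IOC)

if __name__ == "__main__":
    print("suspected worm scanners:", classify_scanners(SAMPLE_FLOWS))
    sample = "POST /jsproxy HTTP/1.1\r\nContent-Length: 512\r\n\r\n"
    print("jsproxy IoC matched:", matches_jsproxy_ioc(sample))
```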

Recommendations

MikroTik recommends firewalling ports 80/8291 (Web/Winbox) and upgrading RouterOS devices to v6.41.3 (or at least above v6.38.5; see *Update 2). Follow MikroTik’s thread on Twitter.

*Update 1: We regret the confusion caused by a wrong choice of wording that might have given the impression that MikroTik’s own network was compromised. We changed the wording from ‘own post’ to ‘own forum’ as the post did not originate from a MikroTik employee.

*Update 2: Updated MikroTik’s original recommendation, which was posted in a since-deleted Twitter message (https://twitter.com/mikrotik_com/status/978160202380972032), and replaced it with the new recommendation from the later Tweet (https://twitter.com/mikrotik_com/status/978533853324283904).


Attack Types & Vectors, DDoS Attacks, Security

Choosing the Right DDoS Solution – Part I: On-Prem Appliance

March 14, 2018 — by Eyal Arazi


As DDoS attacks grow more frequent, more powerful, and more sophisticated, many organizations turn to DDoS mitigation providers to protect themselves against attacks.

However, DDoS protection is not a one-size-fits-all fixed menu; rather, it is an à-la-carte buffet of multiple choices. Each option has its own advantages and drawbacks, and it is up to the customer to select the solution that best fits their needs, threats, and budget.

This blog series explores the various options for DDoS protection deployments and discusses the considerations, advantages and drawbacks of each approach, and who it is usually best suited for.

Attack Types & Vectors, Security

Entering into the 1Tbps Era

March 8, 2018 — by Daniel Smith


Background

On February 27th Radware noticed an increase in activity on UDP port 11211. As other organizations began to disclose a trend of UDP amplification attacks over UDP port 11211, Radware’s ERT Research team and the Threat Research Center began preparing for the inevitable. With a Bandwidth Amplification Factor (BAF) ranging between 10,000x and 52,000x, we knew that, given this exposure and publication, attackers would be quick to adopt this method and could easily reach volumes well over 500Gbps.

Attack Types & Vectors, Security, Uncategorized

A Quick History of IoT Botnets

March 1, 2018 — by Radware


The Internet of Things (IoT) describes a world where just about anything is an Internet-enabled device. IoT is comprised of smart physical objects such as vehicles and buildings or embedded devices such as refrigerators, toasters and routers. These devices feature sensors and an IP address for Internet connectivity, enabling these objects to collect and exchange data while allowing users the ability to automate or control their devices.

Attack Types & Vectors, Security

42% of Organizations Experienced Burst Attacks; The Rest Were Unaware They Were Attacked

February 27, 2018 — by Ron Meyran


One of the prominent trends in 2017 was an increase in short-burst attacks, which have become more complex, more frequent and longer in duration. Burst tactics are typically used against gaming websites and service providers due to their sensitivity to service availability as well as their inability to sustain such attack maneuvers.

Attack Types & Vectors, Security

1984 to 2018: The Evolution of the Olympics

February 21, 2018 — by Daniel Smith


Change is inevitable and it happens in every industry. Those that evolve with change often help lead the transformation and revolutionize their domain. In 2016 we began to enter the era of digital transformation in our industry, and changes have begun to take place that are revolutionizing the way we consume, collect and deliver data to every aspect of society. Along with these changes we have seen the creation of new businesses and opportunities centered around this evolution in connectivity. Digitization is creating growth opportunities and offering user experiences in ways we have never seen before.

Attack Types & Vectors, Security

Are You Protected Against Burst Attacks?

February 15, 2018 — by Amir Dahan


Common DDoS attacks come in the form of sustained, high-volume traffic floods that ramp up gradually, reach a peak, and are then followed by either a slow or a sudden descent. In recent years, a new attack pattern has emerged. Burst attacks, also known as hit-and-run DDoS, use repeated short bursts of high-volume attacks at random intervals. Each short burst can last only a few seconds, while a burst attack campaign can span hours or even days. These attacks unleash hundreds of gigabits per second of throughput toward their target.