
Attack Types & Vectors | Security

The Mikrotik RouterOS-Based Botnet

March 28, 2018 — by Radware


A newly discovered botnet targets TCP port 8291 and vulnerable MikroTik RouterOS-based devices. MikroTik is a Latvian hardware manufacturer whose products are used around the world; they are now the target of a new self-propagating botnet that exploits vulnerabilities in the RouterOS operating system, allowing attackers to remotely execute code on the device. Infected devices have been making unexplained outbound Winbox connections. Radware’s Emergency Response Team (ERT) has spotted an increase in malicious activity following Kaspersky’s publication about the Slingshot APT malware that infected MikroTik routers. It is believed this botnet is part of the Hajime botnet. Radware is witnessing the spreading mechanism go beyond port 8291 into other ports and rapidly infect devices other than MikroTik (such as AirOS/Ubiquiti). The concern is that this new botnet will be leveraged to launch DDoS attacks. This is another event demonstrating the struggle for control between various bot-herders.

Figure 1: Multiple MikroTik exploits are available on GitHub and other sites

RouterOS Vulnerability

RouterOS is an operating system based on the Linux kernel, which implements functionality normally used by ISPs, such as BGP, IPv6, OSPF or MPLS. RouterOS is supported by MikroTik and its user community, which provides a wide variety of configuration examples. RouterOS is embedded in MikroTik’s RouterBOARD product line, focused on small- and medium-sized Internet access providers that typically provide broadband access in remote areas.


Preliminary analysis suggests that the botnet is exploiting known MikroTik vulnerabilities (HTTP, SMB) as well as brute-forcing passwords. The worm has a highly efficient propagation mechanism: it aggressively scans for port 8291 to identify publicly reachable MikroTik devices and uses its password-cracking capability to infect neighboring devices.

MikroTik RouterOS SMB Buffer-Overflow Vulnerability

A buffer overflow occurs in MikroTik’s RouterOS SMB service when it processes NetBIOS session request messages. Remote attackers exploiting this vulnerability can execute code on the system. Because the overflow occurs before authentication takes place, an unauthenticated remote attacker can exploit it easily.

ChimayRed HTTP Exploit

The MikroTik RouterOS software running on the remote host is affected by a flaw in its HTTP web server process due to improper validation of user-supplied input. An unauthenticated, remote attacker can craft a POST request that writes data to an arbitrary location within the web server process, resulting in a denial-of-service condition or the execution of arbitrary code.

Infection Method

At 15:00 UTC on 2018-03-24, Radware’s ERT research team detected a large spike in activity on TCP port 8291 in its global honeypot network.

Figure 2: Unique IPs per hour targeting TCP port 8291 (logarithmic scale)

After near-zero activity for months, Radware witnessed over 10,000 unique IPs hitting port 8291 in a single day.

Figure 3: Distribution of unique IPs scanning for the vulnerability

The worm aggressively scans the Internet with SYN packets to port 8291, but it never actually completes a 3-way handshake on that port, i.e. no payload is sent to the port.

It appears the worm utilizes this stealth-SYN scan method to quickly identify vulnerable Mikrotik devices, as this port is used almost exclusively by the Mikrotik RouterOS platform. In addition to scanning port 8291, the worm targets the following ports: 80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880.
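The scanning pattern described above (many SYN-only probes to 8291 from one source, no completed handshake, followed by connections to the HTTP ports) can be picked out of flow records. The following is an added example written for this page, not Radware’s honeypot or detection code: the flow records are constructed, and the threshold of three probed hosts is an assumption chosen for the sample.

```python
"""Flag the SYN-scan pattern the post describes from flow records.

Added example for illustration, not Radware's tooling or honeypot code.
The flow records are constructed, and the threshold is an assumption.
"""
from collections import defaultdict

WINBOX_PORT = 8291
# The additional ports the post says the worm targets after identifying a device.
SECONDARY_PORTS = {80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880}

# Constructed netflow-style records: (src_ip, dst_ip, dst_port, syn_only).
# syn_only=True means the collector saw a SYN from src but no completed handshake.
SAMPLE_FLOWS = [
    ("203.0.113.5", "198.51.100.1", 8291, True),
    ("203.0.113.5", "198.51.100.2", 8291, True),
    ("203.0.113.5", "198.51.100.3", 8291, True),
    ("203.0.113.5", "198.51.100.4", 8291, True),
    ("203.0.113.5", "198.51.100.2", 80, False),    # follow-up exploit attempt
    ("203.0.113.5", "198.51.100.2", 8080, False),
    ("192.0.2.9", "198.51.100.2", 8291, False),     # an administrator's real Winbox session
    ("203.0.113.7", "198.51.100.1", 8291, True),    # one stray SYN, below threshold
]


def find_scanners(flows, min_targets=3):
    """Return {src_ip: report} for sources matching the worm's pattern.

    A source is reported when it sends SYN-only probes to at least
    ``min_targets`` distinct hosts on 8291 and never completes a handshake
    on that port. The report lists the probed hosts and any secondary
    ports the same source then connected to, which is the exploit stage.
    """
    syn_only_targets = defaultdict(set)
    completed_winbox = defaultdict(set)
    secondary = defaultdict(set)

    for src, dst, dport, syn_only in flows:
        if dport == WINBOX_PORT:
            if syn_only:
                syn_only_targets[src].add(dst)
            else:
                completed_winbox[src].add(dst)
        elif dport in SECONDARY_PORTS:
            secondary[src].add((dst, dport))

    reports = {}
    for src, targets in syn_only_targets.items():
        if len(targets) < min_targets or completed_winbox[src]:
            continue
        reports[src] = {
            "winbox_probes": sorted(targets),
            "secondary_ports": sorted({port for _, port in secondary[src]}),
        }
    return reports


if __name__ == "__main__":
    for src, report in find_scanners(SAMPLE_FLOWS).items():
        print(src, report)
```

The administrator’s session on 192.0.2.9 is not reported because its handshake completed, and the single stray SYN from 203.0.113.7 stays below the threshold; on real collector output the threshold should be tuned to the size of the monitored address space.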

Exploits

The worm uses the ChimayRed exploit targeting vulnerable web servers on Mikrotik devices.

The worm will try to send the malicious payload to port 80 as well as the other ports described earlier (80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880).


The worm has a very high success rate of exploiting and spreading, as mentioned in MikroTik’s own forum (*Update 1), “Our network had a major attack today as well. It seems like they opened some devices via the http port (quite an old firmware) and they tried to spread or access by brute forcing mikrotik neighbors.”

This means that the worm uses exploits as well as password brute-forcing against nearby neighbors, speeding up the infection rate.

Figure 5: The exploit payload that Radware caught in its honeypot network

Hashes / IOCs

  • /flash/bin/.telnetd
  • /flash/bin/fifo
  • /flash/bin/.p
  • /flash/etc/rc.d/run.d/S99telnetd
  • POST /jsproxy HTTP/1.1\r\nContent-Length:

Recommendations

MikroTik recommends firewalling ports 80/8291 (Web/Winbox) and upgrading RouterOS devices to v6.41.3 (or at least above v6.38.5; see *Update 2). Follow MikroTik’s thread on Twitter.
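The file paths and HTTP request prefix under Hashes / IOCs, together with the version advice above, can be turned into an offline triage check that a defender runs against a device’s file listing, its web-server request log and its reported RouterOS version. This is an added example written for this page, not Radware’s or MikroTik’s tooling: the listing, request log and version strings are constructed, and it assumes RouterOS versions are dotted integers such as 6.41.3.

```python
"""Offline triage against the indicators and version advice in the post.

Added example, not Radware's or MikroTik's code. The file listing, request
log and version strings below are constructed; the version comparison
assumes RouterOS versions are dotted integers like 6.41.3.
"""
import re

# File paths listed under Hashes / IOCs.
IOC_PATHS = {
    "/flash/bin/.telnetd",
    "/flash/bin/fifo",
    "/flash/bin/.p",
    "/flash/etc/rc.d/run.d/S99telnetd",
}

# The exploit request prefix from the IOC list, anchored to the start of the request.
JSPROXY_RE = re.compile(r"\APOST /jsproxy HTTP/1\.1\r\nContent-Length:")

RECOMMENDED = (6, 41, 3)     # "upgrade ... to v6.41.3"
MUST_EXCEED = (6, 38, 5)     # "or at least above v6.38.5"


def parse_routeros_version(text):
    """Turn '6.40.5', 'v6.41.3' or '6.38' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no RouterOS version found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_status(text):
    """Classify a version string against the post's recommendation."""
    v = parse_routeros_version(text)
    if v <= MUST_EXCEED:
        return "vulnerable"
    if v < RECOMMENDED:
        return "below-recommended"
    return "ok"


def matching_ioc_paths(listing):
    """Paths from a device file listing that match the IOC list."""
    return sorted(p for p in listing if p in IOC_PATHS)


def matching_requests(raw_requests):
    """Raw HTTP requests that start with the exploit's POST /jsproxy prefix."""
    return [r for r in raw_requests if JSPROXY_RE.match(r)]


def triage(version_text, listing, raw_requests):
    """Combine the three checks into one report for a device."""
    return {
        "version": version_status(version_text),
        "ioc_paths": matching_ioc_paths(listing),
        "jsproxy_requests": len(matching_requests(raw_requests)),
    }


# Constructed sample data: two IOC paths present, one benign placeholder path,
# and one exploit-shaped request among ordinary ones.
SAMPLE_LISTING = [
    "/flash/bin/.telnetd",
    "/flash/etc/rc.d/run.d/S99telnetd",
    "/flash/rw/example.cfg",   # constructed benign entry
]
SAMPLE_REQUESTS = [
    "POST /jsproxy HTTP/1.1\r\nContent-Length: 0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: router\r\n\r\n",
    "POST /login HTTP/1.1\r\nContent-Length: 12\r\n\r\n",
]

if __name__ == "__main__":
    print(triage("6.40.5", SAMPLE_LISTING, SAMPLE_REQUESTS))
```

The version check reproduces the post’s two thresholds: anything at or below v6.38.5 is treated as exposed, anything between that and v6.41.3 as patched but below the recommended release. The request match is deliberately anchored at the start of the request so an ordinary POST that merely mentions the path elsewhere is not flagged.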

*Update 1: We regret the confusion caused by a wrong choice of wording that might have given the impression that MikroTik’s own network was compromised. We changed the wording from ‘own post’ to ‘own forum’ as the post was not originating from a MikroTik employee.

*Update 2: Updated MikroTik original recommendation that was posted in a deleted Twitter message (https://twitter.com/mikrotik_com/status/978160202380972032) and replaced with new recommendation as per the later Tweet (https://twitter.com/mikrotik_com/status/978533853324283904).


Attack Types & Vectors | Security

Entering into the 1Tbps Era

March 8, 2018 — by Daniel Smith


Background

On February 27th Radware noticed an increase in activity on UDP port 11211. As other organizations began to disclose a trend in amplified attacks over UDP port 11211, Radware’s ERT Research team and the Threat Research Center began preparing for the inevitable. With a Bandwidth Amplification Factor (BAF) ranging between 10,000x and 52,000x, we knew that, given this exposure and publication, attackers would be quick to adopt this method and could easily reach volumes well over 500Gbps.

Attack Types & Vectors | Security

BrickerBot only attacks compromised devices

May 18, 2017 — by Pascal Geenens


BrickerBot uses a network of globally distributed devices that passively detect exploit attempts from devices infected with IoT bots such as Mirai and Hajime. BrickerBot reacts to an exploit attempt by scanning the source of the exploit for a set number of ports, trying to secure the device (an assumption based on Janit0r’s statements) and, if it is unable to, ultimately attempting to brick the device using exactly 90 brick sequences over the telnet session.

As long as IoT devices stay clean from any of the known IoT bots, there is no reason to fear the BrickerBot. While Hajime might have the best of intentions and is trying to proactively protect IoT devices from known malicious bots, it inadvertently will trigger the wrath of BrickerBot.

Attack Types & Vectors | Security

The offspring of two comic book giants bring us the Bot Squad! Super freaky!

May 9, 2017 — by Carl Herberger


To state the obvious, two well-known comic book giants have lit the imaginations of generations of children. They brought to life the fantasy that humans could be ‘super’ or immortal, or somehow infallible.

Each in their own way combined fantastical combinations of humans with unreal, unbelievable and incredible skills.

In the category of vision enhancement alone, there are legions of characters who have developed themselves in a surreal way, for example, through X-Ray vision, or super-acute vision (something akin to a hawk). Other superheroes were gifted with night vision or even eyes that fired deadly laser beams. However, did you know that these characters dreamt up in comic books all have somewhat real world equivalents? Well, maybe not in people, but clearly in video surveillance systems of the future.

Attack Types & Vectors | Security

From BrickerBot to Phlashing, Predictions for Next-Level IoT Attacks

May 2, 2017 — by David Hobbs


When BrickerBot was discovered, it was the first time we’ve seen a botnet that would destroy an IoT device, making it unusable. We’ve had cameras in the lab for our research on the Mirai botnet, so one was volunteered to be the guinea pig. Watching our beloved research lab’s IP-enabled camera turn into a useless paperweight was somewhat bittersweet. We knew BrickerBot v1 aimed to destroy insecure IoT gear, and this was validation. We had to either take it apart and solder a serial connection to it to re-flash it, or just spend the $60 on a new one to continue our IoT botnet research.

Attack Types & Vectors | Security

Hajime – Sophisticated, Flexible, Thoughtfully Designed and Future-Proof

April 26, 2017 — by Pascal Geenens


A glimpse into the future of IoT Botnets

On Oct 16th, Sam Edwards and Ioannis Profetis from Rapidity Networks published a report on a new malware they discovered and named “Hajime.” The report came in the aftermath of the release of the Mirai source code and Mirai’s attacks on Krebs and OVH. Before Hajime was able to make headlines, Mirai was attributed to the attacks that took down Dyn on Oct 21st and led to a large array of Fortune 500 companies such as Amazon, Netflix, Twitter, CNN, and Spotify being unreachable for most of that day. Hajime evaded the attention but kept growing steadily and breeding in silence.