National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

Η Εθνική Ομάδα Αντιμετώπισης Ηλεκτρονικών Επιθέσεων προβλέπει την αύξηση της ηλεκτρονικής ασφαλείας ενισχύοντας την προστασία του κυβερνοχώρου των Εθνικών Κρίσιμων Πληροφοριακών Υποδομών, των τραπεζών και των παροχών επικοινωνίας της Κυπριακής Δημοκρατίας.

MĒRIS BOTNET (IoCs Included)

17 Σεπτεμβρίου 2021

In early September 2021 QRATOR labs published an article about a new wave of DDoS attacks, which are originating from a botnet involving MikroTik devices. 

As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability, that was quickly patched. 

There is no new vulnerability in RouterOS and there is no malware hiding inside the RouterOS filesystem even on the affected devices. The attacker is reconfiguring RouterOS devices for remote access, using commands and features of RouterOS itself. 

Unfortunately, closing the old vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create. 

We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.

There are no new vulnerabilities in these devices. RouterOS has been recently independently audited by several third parties.

Best course of action: 

  1. Keep your MikroTik device up to date with regular upgrades.
  2. Do not open access to your device from the internet side to everyone, if you need remote access, only open a secure VPN service, like IPsec.
  3. Use a strong password and even if you do, change it now!
  4. Don't assume your local network can be trusted. Malware can attempt to connect to your router if you have a weak password or no password.
  5. Inspect your RouterOS configuration for unknown settings (see below).

In collaboration with independent security researchers, we have found that there exists malware that attempts to reconfigure your MikroTik device from a Windows computer inside your network. This is why it's important to set a better password now (to avoid passwordless login or a dictionary attack by this malware) and to keep your MikroTik router upgraded (since this malware also attempts to exploit the mentioned CVE-2018-14847 vulnerabiliity which has long been fixed). 

Configuration to look out for and remove: 

  • System -> Scheduler rules that execute a Fetch script. Remove these. 
  • IP -> Socks proxy. If you don't use this feature or don't know what it does, it must be disabled. 
  • L2TP client named "lvpn" or any L2TP client that you don't recognize. 
  • Input firewall rule that allows access for port 5678. 

You can also block the following addresses, which these malicious scripts are connecting to:

Block these tunnel endpoint domains:

  • *.eeongous.com
    *.leappoach.info
    *.mythtime.xyz

 

Block these script download domains:

  • 1abcnews.xyz
    1awesome.net
    7standby.com
    audiomain.website
    bestony.club
    ciskotik.com
    cloudsond.me
    dartspeak.xyz
    fanmusic.xyz
    gamedate.xyz
    globalmoby.xyz
    hitsmoby.com
    massgames.space
    mobstore.xyz
    motinkon.com
    my1story.xyz
    myfrance.xyz
    phonemus.net
    portgame.website
    senourth.com
    sitestory.xyz
    spacewb.tech
    specialword.xyz
    spgames.site
    strtbiz.site
    takebad1.com
    tryphptoday.com
    wchampmuse.pw
    weirdgames.info
    widechanges.best
    zancetom.com

As reported by others on the internet, these domains are also used by the botnet:

  • bestmade.xyz
    gamesone.xyz
    mobigifs.xyz
    myphotos.xyz
    onlinegt.xyz
    picsgifs.xyz

 

The information contained in this website is for general information purposes only. The information is gathered from MikroTik Blog, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

ENISA: Cyber threats require heightened defences

#CyberSecMonth 2017 - Cyber Security in the Home