Preliminary analysis suggests that the botnet is exploiting known Mikrotik vulnerabilities (HTTP, SMB) as well as password brute-forcing. RouterOS is embedded in MikroTik’s RouterBOARD product line, focused on small- and medium-sized Internet access providers that typically provide broadband access in remote areas. RouterOS supported by MikroTik and its user community, providing a wide variety of configuration examples.
RouterOS is an operating system based on the Linux kernel, which implements functionalities normally used by ISPs, such as BGP, IPv6, OSPF or MPLS.
This is another event demonstrating the struggle for control between various bot-herders.įigure 1: Multiple MikroTik exploits are available on GitHub and other sites RouterOS Vulnerability The concern is that this new botnet will be leveraged to launch DDoS attacks. Radware is witnessing the spreading mechanism going beyond port 8291 into others and rapidly infecting other devices other than MikroTik (such as AirOS/Ubiquiti). It is believed this botnet is part of the Hajime botnet. Radware’s Emergency Response Team (ERT) has spotted an increase in malicious activity following Kaspersky’s publication about the Slingshot APT malware that infected Mikrotik routers. Such devices have been making unaccounted outbound winbox connections. MikroTik, a Latvian hardware manufacturer, products are used around the world and are now a target of a new propagating botnet exploiting vulnerabilities in their RouterOS operating system, allowing attackers to remotely execute code on the device.
Download a Copy Now AbstractĪ newly discovered botnet targets TCP port 8291 and vulnerable Mikrotik RouterOS-based devices. A newly discovered botnet targets TCP port 8291 and vulnerable Mikrotik RouterOS-based devices.
0 kommentar(er)
