As many of you are aware, there is an ongoing attempt to take down Trickbot, the ransomware-as-a-service botnet. This effort started with the US National Security Administration and Microsoft. (It appears that NSA and MS were not coordinating their efforts and that NSA started while MS wasn’t ready yet, so MS launched their campaign earlier than they wanted, but that’s just my opinion).
All Mikrotik routers should be running 6.47.4 [stable], 6.46.6 [long-term], or 7.0beta6 [testing] due to CVE-2020-11881.
Assume your credentials are compromised. Change all credentials (admin, VPN, etc.) that allow access to privileged organizational resources for publicly-accessible Mikrotik devices. See https://blog.mikrotik.com/security/winbox-vulnerability.html for how credentials were compromised prior to the April 23, 2018 releases in versions 6.30.1 to 6.40.7 (fixed in 6.40.8), 6.29 to 6.42 (fixed in 6.42.1), and 6.29rc1 to 6.43rc3 (fixed in 6.43rc4). These credentials were harvested and saved for later use with no indication of compromise. That is what the Trickbot malware operators are using.
Enter your public IP into the search form field and press the magnifying glass. It will tell you what ports are open there and how far it could get trying to connect to them.
Without an account, you’ve got just a few queries per day.
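The version ranges above are easy to misread because RouterOS mixes pre-release tags (rc, beta) into its numbering. The following is an added example, not code from the thread or from MikroTik: a small checker that parses a RouterOS version string, orders pre-releases before the final release, and reports whether a version falls in the Winbox credential-harvesting windows listed above, in the CVE-2020-11881 range quoted later in this thread (6.41.3 through 6.46.5, 7.x through 7.0beta5), and whether it is at or past the 6.47.4 / 6.46.6 / 7.0beta6 releases recommended here. The branch rule (6.46.x is judged against 6.46.6, other 6.x against 6.47.4, 7.x against 7.0beta6) is an assumption of this example.

```python
import re
from typing import NamedTuple

# Pre-release stages sort before the final release: 6.43rc3 < 6.43 and 7.0beta5 < 7.0.
STAGES = {"beta": 0, "rc": 1, "": 2}


class RouterOSVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int      # rank from STAGES, so tuple comparison orders versions correctly
    stage_num: int  # the N in rcN / betaN, 0 for a final release

    @classmethod
    def parse(cls, text: str) -> "RouterOSVersion":
        # Accepts forms such as "6.42", "6.40.7", "6.43rc4", "7.0beta6".
        m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?", text.strip().lower())
        if not m:
            raise ValueError(f"not a RouterOS version string: {text!r}")
        major, minor, patch, stage, stage_num = m.groups()
        return cls(int(major), int(minor), int(patch or 0), STAGES[stage or ""], int(stage_num or 0))


V = RouterOSVersion.parse

# Windows in which the Winbox flaw let credentials be harvested (from the post above).
CREDENTIAL_HARVEST_RANGES = [
    (V("6.30.1"), V("6.40.7")),   # fixed in 6.40.8
    (V("6.29"), V("6.42")),       # fixed in 6.42.1
    (V("6.29rc1"), V("6.43rc3")), # fixed in 6.43rc4
]

# Releases the post recommends as the minimum for each branch.
RECOMMENDED = {"stable": V("6.47.4"), "long-term": V("6.46.6"), "testing": V("7.0beta6")}


def in_credential_harvest_window(v: RouterOSVersion) -> bool:
    return any(lo <= v <= hi for lo, hi in CREDENTIAL_HARVEST_RANGES)


def affected_by_cve_2020_11881(v: RouterOSVersion) -> bool:
    # "6.41.3 through 6.46.5, and 7.x through 7.0 Beta5" as quoted in the thread.
    return V("6.41.3") <= v <= V("6.46.5") or (v.major == 7 and v <= V("7.0beta5"))


def is_current(v: RouterOSVersion) -> bool:
    # Assumption: 6.46.x is the long-term branch, every other 6.x is judged against
    # the stable release, and 7.x against the testing release.
    if v.major >= 7:
        return v >= RECOMMENDED["testing"]
    if (v.major, v.minor) == (6, 46):
        return v >= RECOMMENDED["long-term"]
    return v >= RECOMMENDED["stable"]


def assess(text: str) -> dict:
    """Summarise what the thread's advice implies for one device's reported version."""
    v = V(text)
    result = {
        "version": text,
        "current": is_current(v),
        "cve_2020_11881": affected_by_cve_2020_11881(v),
        "credential_harvest_window": in_credential_harvest_window(v),
        "actions": [],
    }
    if result["credential_harvest_window"]:
        result["actions"].append("rotate every credential that was present on this device")
    if not result["current"]:
        result["actions"].append("upgrade to 6.47.4 (stable), 6.46.6 (long-term) or 7.0beta6 (testing)")
    return result


if __name__ == "__main__":
    # Constructed sample inventory, e.g. the output of "/system resource print" on each router.
    for reported in ["6.40.5", "6.43rc3", "6.45.9", "6.46.6", "7.0beta5", "7.0beta6"]:
        print(assess(reported))
```

Run it against the version each router reports and treat any entry with a non-empty `actions` list as work to do; a device with `credential_harvest_window` set should be assumed compromised exactly as the post says, even if it has since been upgraded.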
That isn’t at all obvious. I just ran a search with an incognito browser and not logged in to Shodan and didn’t have a problem.
The point of the post is to raise awareness that the Trickbot ransomware group is using compromised Mikrotik devices as C2 servers. All of the essential information is contained in the post itself. Explaining how to use a particular website is beyond the scope of the post.
The statement to check public IP allocations that you manage is a recommendation to help you protect both the infrastructure that you manage, and the rest of the internet. There are many other services like Shodan that allow you to do similar research. You aren’t required to use them, but validating exposure is part of good network security strategy, so I recommend it.
I’m afraid this statement is valid even without the “AND has it exposed to Internet” part… I suppose the vulnerability was being exploited from the LAN side, from an infected PC, to harvest the credentials, and the credentials are now used to access the Mikrotik from WAN side via any management service (Winbox, https, ssh) eventually listening at WAN.
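Since the reply above describes harvested credentials being replayed against whatever management service is reachable from the WAN side, the corresponding mitigation is to make sure none of them are. The following RouterOS CLI fragment is an added example, not configuration from the thread or from MikroTik. It assumes an interface list named WAN already contains the Internet-facing interface(s), and the two management networks are placeholders to be replaced with your own.

```routeros
# Added example: keep RouterOS management services off the WAN side.
# Placeholders: 192.168.88.0/24 and 10.10.0.0/24 stand for your management networks.

# 1. Bind each management service to trusted source addresses only and
#    disable the plaintext or unused services outright.
/ip service
set winbox address=192.168.88.0/24,10.10.0.0/24
set ssh address=192.168.88.0/24,10.10.0.0/24
set www-ssl address=192.168.88.0/24,10.10.0.0/24
set www disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# 2. Defence in depth: drop inbound connections to the management ports arriving
#    on any WAN interface. place-before=0 puts the rule at the top of the input
#    chain so an earlier, broader accept rule cannot shadow it.
/ip firewall filter
add chain=input action=drop in-interface-list=WAN protocol=tcp \
    dst-port=8291,22,443,80,23,21,8728,8729 place-before=0 \
    comment="drop management services from WAN"

# 3. Verify the result on the router, then confirm from outside (for example
#    with the Shodan lookup mentioned earlier) that the ports no longer answer.
/ip service print
/ip firewall filter print where chain=input
```

The address restriction on each service and the firewall rule overlap on purpose: if a later change re-enables a service or widens its address list, the input-chain rule still blocks it from the WAN side, and vice versa.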
Unfortunately that is inconclusive. The CVE says “6.41.3 through 6.46.5, and 7.x through 7.0 Beta5” which would potentially include 6.46.1. Unfortunately I’ve never seen MT publish their software development hierarchy so I’m not sure. Additionally, they haven’t posted any further details at https://blog.mikrotik.com/security.
I realize not many of us enable or allow SMB (I would hope no one, but I’m a realist), but the fact that the attack doesn’t require authentication causes me concern that there might be some other part of the code reused elsewhere, and it just hasn’t been discovered yet.