msatter
Forum Guru
Topic Author
Posts: 1335
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Slingshot APT

Fri Mar 09, 2018 10:16 pm

Update:
If you want to check if you are infected then you can use the Loki scanner:

GitHub page Neo23x0: https://github.com/Neo23x0/
Download Loki: https://github.com/Neo23x0/Loki/releases


Information from Mikrotik: viewtopic.php?f=2&t=131748&p=647104#p647661

Before doing that please read the complete thread!

I just read an article on a Dutch site about how Mikrotik routers are compromised to spy on users. This goes with the help of Winbox lower than 3.12 and a modified DLL file, with the name ipv4.dll, loaded from the router when Winbox starts.

Source:
https://www.security.nl/posting/553185/ ... rs+ontdekt

Kaspersky PDF report with details:
https://s3-eu-west-1.amazonaws.com/khub ... _final.pdf

Update:
After reading more in the report: Mikrotik states that up to RouterOS version 6.38.4 was vulnerable to injecting unwanted software into a PC.

Translation from Dutch to English:

Anti-virus company Kaspersky Lab has detected a spy attack through hacked MikroTik routers that has made victims mainly in Africa and the Middle East. According to the virus fighter, it is an attack that is comparable in complexity to two previously discovered espionage attacks known as Regin and Sauron.

Slingshot, as the group behind the attack is called, uses compromised MikroTik routers to infect victims. MikroTik offers customers a program called WinBox to manage routers. This program, which is on the router, downloads a number of dll files from the router's file system and loads them directly into the computer's memory.

To infect administrators of MikroTik routers, the attackers have placed a malicious version of the dll file named ipv4.dll on the compromised routers. After being added, this dll file is downloaded and executed by WinBox. According to the researchers, this DLL is a Trojan downloader that installs additional malware on the system. How the attackers managed to hack the MikroTik routers and provide the malicious dll file is unknown.

What the researchers do know is that the dll file downloads various modules, including a kernel module and a user-mode module. These modules are designed to collect and steal data and keep the system compromised. To run code in kernel mode, Slingshot loads signed vulnerable drivers. Through the vulnerabilities in these drivers, the malware executes its own code. Because the code with kernel rights is executed, it has full control over the system and can hide itself for anti-virus software.

Cyber espionage
The goal of Slingshot is cyber espionage. The research shows that the malware collects screenshots, keyboard data, network data, passwords, USB connections, desktop activity, the contents of the clipboard and other data and sends them back to the attackers. What is remarkable about the malware is that it disables the software for defragmenting the hard drive. Slingshot uses its own encrypted file system that can be in an unused part of the hard drive. When defragmenting the hard disk, data can be written to this part, which can damage the virtual file system.

According to Kaspersky Lab, Slingshot has been active since 2012 and is still operational. The anti-virus company has seen about 100 victims in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most victims are individuals rather than organizations, but various government organizations and institutions are also affected by the malware. Most victims were observed in Kenya and Yemen. MikroTik told Kaspersky Lab in a comment that the latest version of WinBox no longer downloads the ipv4.dll file to the computer, which closes this attack vector. In this report (PDF), Kaspersky Lab provides information and hashes of files and domains that the malware uses.
Last edited by msatter on Thu Mar 15, 2018 2:21 pm, edited 7 times in total.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta68 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
tippenring
Member Candidate
Posts: 179
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Slingshot APT, RouterOS spying software

Fri Mar 09, 2018 11:46 pm

Here's a bleepingcomputer.com article on it: https://www.bleepingcomputer.com/news/s ... k-routers/
 
esquirrel
Frequent Visitor
Posts: 51
Joined: Wed Feb 21, 2018 3:04 pm

Re: Slingshot APT, RouterOS spying software

Fri Mar 09, 2018 11:50 pm

There is also a Wired article.

I can see why all wifi/router/switch devices would become targets..

Edit: also found Wired's "Kaspersky, Russia and the Antivirus Paradox". Also worth reading.
Last edited by esquirrel on Sat Mar 10, 2018 7:53 pm, edited 3 times in total.
 
slimmerwifi
just joined
Posts: 13
Joined: Tue Aug 01, 2017 6:05 pm
Location: Netherlands

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 2:42 am

Would be lovely to receive an updated statement from Mikrotik on this.


We manage 50+ corporate wifi networks in the Netherlands using Mikrotik & Cloudcore equipment.
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 9:02 am

The Wired article includes our comment and is pretty accurate. As far as we know, somebody exploited the already fixed ChimayRed vulnerability in open (no firewall) routers before we patched it in March 2017 (RouterOS v6.38.5). Upgrading RouterOS fixes the vulnerability and removes any malicious files.

Also worth noting, that Winbox no longer downloads any DLL files from your device anyway, since even before the above mentioned version.

Always keep your router up to date.

https://www.wired.com/story/router-hack ... 0-targets/
No answer to your question? How to write posts
 
alex_rhys-hurn
Member
Posts: 319
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 11:07 am

Hi,

I am in Kenya, and have deployments of a few hundred devices, though most of them sit inside private MPLS WANs. As far as I know we have not been exposed to this. How do I know if I have? By reading the Kaspersky report, it seems that even if I sort out the router, the issue still remains on any windows machines already exploited. Have I understood this correctly?

In all our cases our devices were up to date, but part of Normis comment makes me wonder:
Normis: "exploited the already fixed chimayred vulnerability in open (no firewall) routers"

My question is: what firewalling is required to prevent the exploit? Is it simply blocking / preventing winbox port 8291 (or whatever custom port is defined) from outside? Or are there other known entry points for the exploit that we need to firewall against?

I look forward to some advice.

Thanks,

Alex
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 11:21 am

Simply upgrading your RouterOS device will make sure nothing can be installed into it and will remove any rogue files.

The vulnerability exploited open port 80 from Internet side. Don’t leave any open ports on the input chain unless you limit access to your own IP.

Also having some sort of antivirus in your windows machine will remove any residual DLL files, if Kaspersky already says they have identified it.
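Alex's question above (what firewalling keeps this kind of exploit out) and normis's answer come down to two checks: is a management service such as www or winbox reachable from arbitrary sources, and does an input-chain accept rule let such traffic through before a drop. The script below audits the text of `/ip firewall filter export` and `/ip service export` for exactly that. It is an added example, not MikroTik's code and not something posted in this thread; it assumes the export line format shown in the constructed SAMPLE_EXPORT, RouterOS's default service ports, and that source-address matchers exclude the attacker while interface matchers cannot be judged from the export alone.

```python
import shlex

# RouterOS service names and the ports they listen on by default
# (assumed unchanged unless the export carries a port= override).
DEFAULT_SERVICES = {
    "telnet": 23, "ftp": 21, "www": 80, "ssh": 22,
    "www-ssl": 443, "api": 8728, "winbox": 8291, "api-ssl": 8729,
}
# Actions that do not stop rule evaluation in RouterOS.
NON_TERMINAL = {"log", "passthrough", "add-src-to-address-list", "add-dst-to-address-list"}

# Constructed sample in the shape of `/ip firewall filter export` plus
# `/ip service export`: the management rule accepts Winbox from anywhere.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="established" connection-state=established,related
add action=accept chain=input comment="mgmt" dst-port=8291 protocol=tcp
add action=accept chain=input comment="vpn" dst-port=500,4500 protocol=udp src-address=198.51.100.7
add action=drop chain=input
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.0.2.0/24
set api disabled=yes
set api-ssl disabled=yes
"""
# Same router with the management rule pinned to the admin's address.
HARDENED_EXPORT = SAMPLE_EXPORT.replace(
    'comment="mgmt" dst-port=8291 protocol=tcp',
    'comment="mgmt" dst-port=8291 protocol=tcp src-address=198.51.100.7')

def parse_export(text):
    """Return (filter_rules, services) from export text. Each record is a dict
    of key=value pairs; `set <name> ...` lines keep the name under 'name'."""
    section, rules, services = None, [], {}
    for line in text.replace("\\\n", "").splitlines():   # join wrapped lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, *words = shlex.split(line)   # shlex keeps comment="a b" together
        rec = {}
        if verb == "set":
            rec["name"], *words = words
        for w in words:
            key, eq, val = w.partition("=")
            rec[key] = val if eq else True
        if section == "/ip firewall filter" and verb == "add":
            rules.append(rec)
        elif section == "/ip service" and verb == "set":
            services[rec["name"]] = rec
    return rules, services

def port_matches(spec, port):
    """dst-port specs look like '80', '500,4500' or '1000-2000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_matching_rule(rules, proto, port):
    """Index and record of the first enabled, terminating input rule that a NEW
    connection from an arbitrary Internet source to proto/port would hit
    (first match wins, as in RouterOS). Assumptions: src-address matchers do
    not cover the attacker; interface matchers are ignored because the export
    does not say which interface faces the Internet, so check those by hand."""
    for idx, r in enumerate(rules):
        if r.get("chain") != "input" or r.get("disabled") == "yes":
            continue
        if r.get("action", "accept") in NON_TERMINAL:
            continue
        if r.get("protocol", proto) != proto:
            continue
        if "dst-port" in r and not port_matches(r["dst-port"], port):
            continue
        if "connection-state" in r and "new" not in r["connection-state"].split(","):
            continue   # established/related-only rule: an exploit connection is 'new'
        if "src-address" in r or "src-address-list" in r:
            continue
        return idx, r
    return None, None

def audit(text):
    """List (service, port, problem) for every service reachable from any source.
    Rule indexes are 0-based, matching `/ip firewall filter print`."""
    rules, services = parse_export(text)
    findings = []
    for name, default_port in DEFAULT_SERVICES.items():
        svc = services.get(name, {})
        if svc.get("disabled") == "yes" or svc.get("address"):
            continue   # disabled, or restricted at the service level
        port = int(svc.get("port", default_port))
        idx, rule = first_matching_rule(rules, "tcp", port)
        if rule is None:
            findings.append((name, port, "no input rule matches; RouterOS default is accept"))
        elif rule.get("action", "accept") == "accept":
            findings.append((name, port, f"input rule {idx} ({rule.get('comment', 'no comment')}) accepts from any source"))
        elif rule.get("action") == "jump":
            findings.append((name, port, f"input rule {idx} jumps to {rule.get('jump-target')}; review that chain by hand"))
    return findings

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for name, port, problem in audit(text) or [("-", "-", "nothing exposed")]:
        print(f"{name:8} {port:>5}  {problem}")
```

Run it as `python audit.py export.rsc` against a real export (`/export file=export` on the router), or with no argument to see the constructed sample flagged: winbox on 8291 is accepted from any source by rule 1. The HARDENED_EXPORT variant shows the fix normis describes, pinning the management rule (or the service's `address=`) to your own IP, after which the audit reports nothing.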
 
msatter
Forum Guru
Topic Author
Posts: 1335
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 12:29 pm

normis wrote:
> Simply upgrading your RouterOS device will make sure nothing can be installed into it and will remove any rogue files.
> 
> The vulnerability exploited open port 80 from Internet side. Don’t leave any open ports on the input chain unless you limit access to your own IP.
> 
> Also having some sort of antivirus in your windows machine will remove any residual DLL files, if Kaspersky already says they have identified it.
Simply upgrading is easily said, but users can have reasons to stay on a version that works for them.

Maybe implement very restrictive settings as default, and not just as default firewall rules but as a hard setting that can be disabled/enabled like services.
 
Samot
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 12:46 pm

Look, you guys cannot ask Mikrotik to fix a problem they already fixed a *year ago* and then complain the solution of upgrading is off the table because you need to sit on a 12 month or older version of RouterOS that you can't take the time to update properly because your config is "complicated".

I have "complicated" configs and I've updated to the 6.41+ versions which meant I had to do a lot more with my configs than going from 6.38.x to 6.40.x.
 
msatter
Forum Guru
Topic Author
Posts: 1335
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 1:51 pm

Samot wrote:
> Look, you guys cannot ask Mikrotik to fix a problem they already fixed a *year ago* and then complain the solution of upgrading is off the table because you need to sit on a 12 month or older version of RouterOS that you can't take the time to update properly because your config is "complicated".
> 
> I have "complicated" configs and I've updated to the 6.41+ versions which meant I had to do a lot more with my configs than going from 6.38.x to 6.40.x.
It is not that the configs are complicated. In my case it is the performance dropping under L2TP/IPsec in the new bridge implementation. I will have to wait until this is solved.

Then it is wise to learn from errors and learn from them to avoid current and new errors.
 
slimmerwifi
just joined
Posts: 13
Joined: Tue Aug 01, 2017 6:05 pm
Location: Netherlands

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 4:20 pm

normis wrote:
> Simply upgrading your RouterOS device will make sure nothing can be installed into it and will remove any rogue files.
> 
> The vulnerability exploited open port 80 from Internet side. Don’t leave any open ports on the input chain unless you limit access to your own IP.
> 
> Also having some sort of antivirus in your windows machine will remove any residual DLL files, if Kaspersky already says they have identified it.
Thanks, this is clear.



 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 4:27 pm

msatter wrote:
> Samot wrote:
> > Look, you guys cannot ask Mikrotik to fix a problem they already fixed a *year ago* and then complain the solution of upgrading is off the table because you need to sit on a 12 month or older version of RouterOS that you can't take the time to update properly because your config is "complicated".
> > 
> > I have "complicated" configs and I've updated to the 6.41+ versions which meant I had to do a lot more with my configs than going from 6.38.x to 6.40.x.
> It is not that the configs are complicated. In my case it is the performance dropping under L2TP/IPsec in the new bridge implementation. I will have to wait until this is solved.
> 
> Then it is wise to learn from errors and learn from them to avoid current and new errors.
Issue was solved long before new bridge
 
esquirrel
Frequent Visitor
Posts: 51
Joined: Wed Feb 21, 2018 3:04 pm

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 8:02 pm

For non-experts, how can somebody test that the vulnerability isn't there? Has Winbox particularly ever been audited?
When I launch winbox under wine it seems to be loading plugins, and also the wine log (or window, if it's been launched from a shell) keeps repeating "IPV6_ADD_MEMBERSHIP:" (string) even though IPv6 has been disabled on all the linux machines on the network, which is to say everything besides the router.

I think my first few launches of winbox were before the current version. Is there some simple way somebody can check for the presence of whatever files are involved by name or hex signature?

Their report gives hex signatures, presumably for their own products? Can they be used with some other scanning method?
 
msatter
Forum Guru
Topic Author
Posts: 1335
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 8:08 pm

normis wrote:
> msatter wrote:
> > Samot wrote:
> > > Look, you guys cannot ask Mikrotik to fix a problem they already fixed a *year ago* and then complain the solution of upgrading is off the table because you need to sit on a 12 month or older version of RouterOS that you can't take the time to update properly because your config is "complicated".
> > > 
> > > I have "complicated" configs and I've updated to the 6.41+ versions which meant I had to do a lot more with my configs than going from 6.38.x to 6.40.x.
> > It is not that the configs are complicated. In my case it is the performance dropping under L2TP/IPsec in the new bridge implementation. I will have to wait until this is solved.
> > 
> > Then it is wise to learn from errors and learn from them to avoid current and new errors.
> Issue was solved long before new bridge
I know that, and I was anticipating the next one, which is certain to come.
 
R1CH
Forum Veteran
Posts: 907
Joined: Sun Oct 01, 2006 11:44 pm

Re: Slingshot APT, RouterOS spying software

Sat Mar 10, 2018 8:29 pm

normis wrote:
> msatter wrote:
> > Samot wrote:
> > > Look, you guys cannot ask Mikrotik to fix a problem they already fixed a *year ago* and then complain the solution of upgrading is off the table because you need to sit on a 12 month or older version of RouterOS that you can't take the time to update properly because your config is "complicated".
> > > 
> > > I have "complicated" configs and I've updated to the 6.41+ versions which meant I had to do a lot more with my configs than going from 6.38.x to 6.40.x.
> > It is not that the configs are complicated. In my case it is the performance dropping under L2TP/IPsec in the new bridge implementation. I will have to wait until this is solved.
> > 
> > Then it is wise to learn from errors and learn from them to avoid current and new errors.
> Issue was solved long before new bridge
Can you elaborate on how this was solved? This particular exploit was fixed, but are there any measures in place to prevent this happening again? Does winbox now verify the files downloaded from the router with a digital signature? Are all the files now client-side?
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Sun Mar 11, 2018 10:33 am

Winbox no longer downloads anything from the router (if using new winbox and new RouterOS). Also, the router now checks all internal file signatures itself.
 
R1CH
Forum Veteran
Posts: 907
Joined: Sun Oct 01, 2006 11:44 pm

Re: Slingshot APT, RouterOS spying software

Sun Mar 11, 2018 6:07 pm

normis wrote:
> Winbox no longer downloads anything from the router (if using new winbox and new RouterOS). Also, the router now checks all internal file signatures itself.
That's good to hear. The self-integrity check seems a bit pointless though, if the device is exploited an attacker could easily bypass or disable such a feature.

I hope work is also being made to enable host verification for winbox connections, since in its current form it is vulnerable to a MITM attack.
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Mon Mar 12, 2018 8:36 am

esquirrel wrote:
> For non-experts, how can somebody test that the vulnerability isn't there? Has Winbox particularly ever been audited?
> When I launch winbox under wine it seems to be loading plugins, and also the wine log (or window, if it's been launched from a shell) keeps repeating "IPV6_ADD_MEMBERSHIP:" (string) even though IPv6 has been disabled on all the linux machines on the network, which is to say everything besides the router.
> 
> I think my first few launches of winbox were before the current version. Is there some simple way somebody can check for the presence of whatever files are involved by name or hex signature?
> 
> Their report gives hex signatures, presumably for their own products? Can they be used with some other scanning method?
If Winbox is downloading DLL files, it means your device hasn't been upgraded and you are running an outdated Winbox version. Please upgrade both RouterOS and Winbox.
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Mon Mar 12, 2018 8:37 am

Another thing to note. This "malware" did not spread. It was installed manually to very specific targets, through a now-closed vulnerability. They have discovered only a handful affected devices.
 
ds12345
just joined
Posts: 18
Joined: Mon Mar 12, 2018 12:08 pm

Re: Slingshot APT, RouterOS spying software

Mon Mar 12, 2018 12:10 pm

normis wrote:
> Winbox no longer downloads anything from the router (if using new winbox and new RouterOS). Also, the router now checks all internal file signatures itself.
Hi, from which version specifically does Winbox not download anything from RouterOS?

Many thanks
 
ds12345
just joined
Posts: 18
Joined: Mon Mar 12, 2018 12:08 pm

Re: Slingshot APT, RouterOS spying software

Mon Mar 12, 2018 12:43 pm

Hello, can you please confirm which version of Winbox (Pre 3.12) will be affected?

Thanks
 
Amazas
just joined
Posts: 16
Joined: Wed Oct 15, 2014 11:51 pm

Re: Slingshot APT, RouterOS spying software

Mon Mar 12, 2018 11:17 pm

Hey Mikrotik! Instead of having this holier-than-thou attitude toward users that are very concerned about this exploit, which could cause very serious damage to people (identity theft, loss of job, etc.), how about you APOLOGIZE for this, because it is YOUR FAULT and can be considered GROSS NEGLIGENCE on your part!

How about you provide any help you can to your existing user base such as a scanner for Windows that can detect if you have been infected and free support for anyone that is having issues upgrading to the latest versions of RouterOS and Winbox?

When I came to your site after finding out about this exploit, I was expecting to see a large banner on the home page describing what happened, how it was fixed, and what users need to do to because of this. Instead, I actually had to search for this issue in the forums!? Even worse, it sounds like the issue was fixed over a year ago, but nothing was mentioned about it in any newsletter or email I received from you.

Get your stuff straight or you may just find yourselves out of business due to a combination of a class-action lawsuit and people switching to alternatives such as Ubiquiti Edge devices.

So, that being said, what can I do to find out if I have been infected with this exploit? When I try upgrading to the latest version, my L2TP tunnels are so slow they are practically unusable... can you help or provide a version that is not exploited but does not have this performance issue?
 
msatter
Forum Guru
Topic Author
Posts: 1335
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Slingshot APT, RouterOS spying software NOT

Mon Mar 12, 2018 11:39 pm

Did you check if you ever had that RouterOS version (6.38.4-6.38.5) on your router in combination with Winbox, by checking the c:/users/...../roaming/Mikrotik/Winbox directory?
Last edited by msatter on Tue Mar 13, 2018 12:43 am, edited 2 times in total.
 
Cha0s
Forum Veteran
Posts: 913
Joined: Tue Oct 11, 2005 4:53 pm

Re: Slingshot APT, RouterOS spying software

Mon Mar 12, 2018 11:52 pm

Amazas wrote:
> Even worse, it sounds like the issue was fixed over a year ago, but nothing was mentioned about it in any newsletter or email I received from you.
This WAS mentioned when it was fixed a year ago.

Release 6.38.5 2017-03-09

> What's new in 6.38.5 (2017-Mar-09 11:32):
> 
> !) www - fixed http server vulnerability;
If you don't read the changelogs, or even worse you don't update your router a YEAR after this fix, it's in no way Mikrotik's fault.
If anyone can be blamed for 'GROSS NEGLIGENCE' (LMAO :lol:), it is the users that do not update their software/hardware.

I agree that sometimes Mikrotik staff can come off a little bit arrogant, but when it comes to ROS security, their track record is pretty good.
In the last 13 years that I've been using ROS I remember only a handful of security issues, all of which were addressed immediately by Mikrotik.
 
msatter
Forum Guru
Topic Author
Posts: 1335
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Slingshot APT, RouterOS spying software NOT

Mon Mar 12, 2018 11:59 pm

On this site you can find the signatures and a Python program to scan. I did not test it out; I searched for it after the posting of Amazas.

https://github.com/Neo23x0/signature-base
Last edited by msatter on Tue Mar 13, 2018 12:43 am, edited 1 time in total.
 
Amazas
just joined
Posts: 16
Joined: Wed Oct 15, 2014 11:51 pm

Re: Slingshot APT, RouterOS spying software NOT

Tue Mar 13, 2018 12:42 am

Thanks msatter for the link! I will give it a try.

So Cha0s, you feel that "www - fixed http server vulnerability" is an appropriate explanation of the severity of this exploit? When I read something like that, my first thought is that I am not using an http server on or off the Mikrotik, so it does not affect me.

Whenever I have read the changelogs for the updated OS I have not seen anything that would affect me or would benefit me.

Ever heard of "if it ain't broke, don't fix it!"?

From what I have known up to this point, nothing in the version of the RouterOS that I am using was broken!

I manage all sorts of systems and I get notified about all of the vulnerabilities for Windows, Windows Software, Linux, Apple, Android, and many others. I subscribe to many different security sites and I am used to detailed explanations of reasons to patch systems so I can determine whether or not to proceed. Many times I hold off until I hear from others whether or not these "fixes" end up causing other issues including security and performance.

Long story short, my main issue with what has happened here is that I am under the impression, based on what I have read, that Mikrotik was aware of this exploit and quietly patched their systems without letting their users know how serious this exploit is and how vitally important it is to move to at least Release 6.38.5 to fix it. I have been a big supporter of Mikrotik for a long time now and have raved and marveled at how easy it is to configure (especially with Winbox) and how powerful and flexible it is. Getting the news from a source like Kaspersky, who I don't trust anymore due to their own vulnerabilities or collusion with Russia (still on the fence about which one it is) instead of directly from Mikrotik is like a punch in the gut.

I have said all I am going to say about this. Thanks again to msatter for bringing this up in the forum and sending me a link to check my own systems!
 
msatter
Forum Guru
Topic Author
Posts: 1335
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Slingshot APT, RouterOS spying software NOT

Tue Mar 13, 2018 12:55 am

Amazas wrote:
> Thanks msatter for the link! I will give it a try.
> 
> So Cha0s, you feel that "www - fixed http server vulnerability" is an appropriate explanation of the severity of this exploit? When I read something like that, my first thought is that I am not using an http server on or off the Mikrotik, so it does not affect me.
> 
> Whenever I have read the changelogs for the updated OS I have not seen anything that would affect me or would benefit me.
> 
> Ever heard of "if it ain't broke, don't fix it!"?
> 
> From what I have known up to this point, nothing in the version of the RouterOS that I am using was broken!
> 
> I manage all sorts of systems and I get notified about all of the vulnerabilities for Windows, Windows Software, Linux, Apple, Android, and many others. I subscribe to many different security sites and I am used to detailed explanations of reasons to patch systems so I can determine whether or not to proceed. Many times I hold off until I hear from others whether or not these "fixes" end up causing other issues including security and performance.
> 
> Long story short, my main issue with what has happened here is that I am under the impression, based on what I have read, that Mikrotik was aware of this exploit and quietly patched their systems without letting their users know how serious this exploit is and how vitally important it is to move to at least Release 6.38.5 to fix it. I have been a big supporter of Mikrotik for a long time now and have raved and marveled at how easy it is to configure (especially with Winbox) and how powerful and flexible it is. Getting the news from a source like Kaspersky, who I don't trust anymore due to their own vulnerabilities or collusion with Russia (still on the fence about which one it is) instead of directly from Mikrotik is like a punch in the gut.
> 
> I have said all I am going to say about this. Thanks again to msatter for bringing this up in the forum and sending me a link to check my own systems!
Did you check if you ever had that RouterOS version (6.38.4-6.38.5) on your router in combination with Winbox, by checking the c:/users/...../roaming/Mikrotik/Winbox directory?

Mikrotik got a lot of time to address it and this publication was much later.

There have been some earlier threads about probably this exploit, and there was pressure from users to up the security, and Mikrotik made improvements in the past time. Kaspersky is maybe not the most trustworthy firm, but then the others have also made some cock-ups. You have to stay open to every input/information, and you have to judge it on its merits and search on your own for confirmation and second opinions.

The changelogs are often difficult to read even if you keep up with the threads but then we are free to ask for a clarification.

Update: the Loki software is easy to use and you can exclude directories in the config file. It retrieves its hashes on start-up, and you have to run it in Administrator mode to scan everything.

I had an indicator for Carbanak APT in the 7za.exe file with SABNZB, so I replaced that with the latest from the 7z1803-extra.7z file, just to be certain. The indicator (IOC) is an alert that maybe the file was in contact with the malware, so replacing it is wise.

I use virustotal.com to see how serious and what others are writing about that specific file.
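esquirrel asked earlier whether the hashes in the report can be used with some other scanning method, msatter pointed at the Winbox cache directory and at Loki, and the post above notes that Loki needs Administrator rights to cover every file. The sweep below is the minimum a practitioner would write to do the same thing by hand. It is an added example, not code from the thread, from MikroTik, from Loki or from the Kaspersky report: no real IOC hashes are embedded (take them from the PDF or from the Neo23x0/signature-base repository and pass them on the command line), the ipv4.dll name check comes from this thread and is treated as a weak indicator, and the files created in demo_sweep() are constructed.

```python
import hashlib
import os
import shutil
import sys
import tempfile
from pathlib import Path

# File name the thread ties to the Winbox v2 delivery vector. The legitimate
# cache held a file of the same name, so a name hit is a weak indicator and is
# reported separately from a hash hit. Real hashes come from the Kaspersky PDF
# or Neo23x0/signature-base; none are hard-coded here.
SUSPECT_NAMES = {"ipv4.dll"}

def file_hashes(path):
    """(md5, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def sweep(root, hash_iocs, suspect_names=SUSPECT_NAMES):
    """Walk `root`; return {path: reason} for every file matching an IOC.
    Unreadable files are skipped silently, which is why a full scan of a
    Windows profile has to run elevated (the same caveat as with Loki)."""
    hash_iocs = {h.strip().lower() for h in hash_iocs}   # MD5 or SHA-256, any case
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                md5, sha256 = file_hashes(path)
            except OSError:
                continue
            if md5 in hash_iocs or sha256 in hash_iocs:
                hits[str(path)] = "hash match"
            elif name.lower() in suspect_names:
                hits[str(path)] = "suspect file name"
    return hits

def winbox_cache_dir():
    """Per-user Winbox cache (%APPDATA%\\Mikrotik\\Winbox), the directory the
    thread suggests inspecting for DLLs pulled from a router. None off Windows."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata) / "Mikrotik" / "Winbox" if appdata else None

def demo_sweep():
    """Constructed sample: three files in a temp dir, one whose SHA-256 stands
    in for a hash from the report. Returns {basename: reason}."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    try:
        (root / "ipv4.dll").write_bytes(b"constructed, stands in for a cached Winbox DLL")
        (root / "dropper.bin").write_bytes(b"constructed, stands in for a known-bad file")
        (root / "notes.txt").write_bytes(b"constructed benign file")
        bad_sha256 = hashlib.sha256(b"constructed, stands in for a known-bad file").hexdigest()
        hits = sweep(root, [bad_sha256.upper()])   # upper-case to show the match is case-insensitive
        return {Path(p).name: reason for p, reason in hits.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: ioc_sweep.py <directory|winbox-cache> <hash> [<hash> ...]; running demo")
        print(demo_sweep())
    else:
        target = winbox_cache_dir() if sys.argv[1] == "winbox-cache" else sys.argv[1]
        if target is None:
            sys.exit("APPDATA is not set; the winbox-cache shortcut only works on Windows")
        for path, reason in sweep(target, sys.argv[2:]).items():
            print(f"{reason}: {path}")
```

A hash match is the indicator to act on; a name-only hit in the Winbox cache just tells you that an old Winbox v2 once pulled files from a router, which is worth knowing but not proof of infection. As msatter says of Loki, treat any hit as a prompt to check the file on virustotal.com and to replace it rather than as a verdict by itself.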
 
mt99
newbie
Posts: 25
Joined: Wed Jan 03, 2018 6:07 pm

Re: Slingshot APT, RouterOS spying software NOT

Tue Mar 13, 2018 3:41 am

Amazas wrote:
> I manage all sorts of systems and I get notified about all of the vulnerabilities for Windows, Windows Software, Linux, Apple, Android, and many others. I subscribe to many different security sites and I am used to detailed explanations of reasons to patch systems so I can determine whether or not to proceed.
I agree that it's harder to find this information for Mikrotik than it should be. Would anyone else like to see a forum topic that's dedicated to security? It would be something easy for Mikrotik to do, and it'd be good to have a central place where security questions and answers could be found.
 
Cha0s
Forum Veteran
Posts: 913
Joined: Tue Oct 11, 2005 4:53 pm

Re: Slingshot APT, RouterOS spying software NOT

Tue Mar 13, 2018 3:42 am

Amazas wrote:
> Whenever I have read the changelogs for the updated OS I have not seen anything that would affect me or would benefit me.
> 
> Ever heard of "if it ain't broke, don't fix it!"?
Well I am sorry to break it to you but... that sounds like your problem.

The changelog DID mention a VULNERABILITY. So it WAS broken. So it was YOUR responsibility to update YOUR router. You had twelve (12) months up until Kaspersky made a fuss about a year-old fixed vulnerability with only about a hundred (apparently targeted) infections. To me that's just silly. It's nowhere near anything serious. Plus, Kaspersky's own paper shows infections on routers running v5.20 (most likely the Chinese cracked/backdoored release). Which means that whoever got infected was running cracked software that's almost a decade old. In other words they were asking for it.
The 'if it ain't broke, don't fix it' mentality is no longer applicable to today's society where from your laptop to your vacuum cleaner everything is connected to the internet. If you can't/don't keep up then leave it to some professional and do something else.

By the way, sorry, but If you don't use HTTP then why are you complaining about it? The vulnerability did not affect you. What's the problem then?
If you don't trust proprietary software or if you don't like the way Mikrotik handles stuff, you can always switch to another vendor or to an opensource solution. Nobody forces us to give our money to Mikrotik. Mikrotik has many issues and we complain all the time, but again - security is not one of them. They always address security issues on time (I mean real security issues, not "tech" journalists FUDs that the closest they've ever been to a router is the D-Link that their ISP gave to them :lol: ).

Also, nothing was quiet about it. Just because you don't (seem to) follow the forum, it doesn't mean that there wasn't an extended discussion back then about this vulnerability.
Here's the official announcement that Mikrotik has as a sticky thread for MONTHS. If you had bothered to read any forum category it would have been on the top.
viewtopic.php?f=21&t=119308
This was posted on March 8th. The very next day there was a patch fixing the vulnerability.
viewtopic.php?f=21&t=119302

If you don't like the one-line changelog descriptions you can watch the forum. They ALWAYS create a new thread for each new release. And almost always on vague messages like that there's a swarm of people asking for clarifications. At the end of the day, if you are too classy to post to a community forum and you want "proper" support, you could have always sent a ticket to support@mikrotik.com to ask for clarifications. Which obviously you did neither.

Again. All the things you mention are your problem. Mikrotik patched the vulnerability a year ago. You have NO excuse. Period.

Oh, one last thing, why on earth would Mikrotik release a scanner for windows? Since when did they get into the antivirus business? :P
RouterOS and Winbox were just the delivery method for the payload. It could easily have been a WordPress site with a zero-day JS exploit delivering the same payload. Would you expect wordpress.org to release a 'Windows scanner'?
Especially a whole year AFTER the patch was released with 14 releases since then?! :lol: :lol:
 
Amazas
just joined
Posts: 16
Joined: Wed Oct 15, 2014 11:51 pm

Re: Slingshot APT, RouterOS spying software

Tue Mar 13, 2018 5:17 am

ChaOss defend it all you want. We will just have to agree to disagree. Mikrotik sells a firewall product in the security space. I buy their product for the fact it is not open source and I just have higher expectations from them than you.
 
Amazas
just joined
Posts: 16
Joined: Wed Oct 15, 2014 11:51 pm

Re: Slingshot APT, RouterOS spying software

Tue Mar 13, 2018 5:50 am

Mt99 I think your idea is a good one. I am hoping that following a single forum topic on security would allow us to be notified via email in a timely manner.
 
normis
MikroTik Support
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software  [SOLVED]

Tue Mar 13, 2018 8:43 am

The core mechanism was actually fixed a lot longer than that. Winbox v3 never downloaded any DLL files from the router since 2014, when it was first released. Only using old Winbox v2 would download the DLL file. It is very important you only use Winbox v3, no matter which RouterOS version you have.

The issue described by Kaspersky consists of two parts:

1) Winbox downloaded some DLL file from a router = Winbox v3 never downloads any DLL files since 2014. It does not download any DLL files from any RouterOS version. Not using the old version 2 Winbox is the safest solution.
2) How the DLL file found its way into the router in the first place. This is unclear. Many devices lack passwords and firewalls, as we saw recently with a script that attackers use on open devices. We did have a www server vulnerability and fixed it a year ago; if this was the point of entry, it is long fixed (March 2017).

What Kaspersky found is not something new that MikroTik has to fix now. Winbox was already updated in 2014. They discovered the virus only now, this is why it is in the news.

TLDR: You were always safe if you use Winbox v3. Upgrade your RouterOS machine to close a year old www vulnerability, even if it may have not been related to this at all.
No answer to your question? How to write posts
 
ds12345
just joined
Posts: 18
Joined: Mon Mar 12, 2018 12:08 pm

Re: Slingshot APT, RouterOS spying software

Tue Mar 13, 2018 11:54 am

Hi, is it all of Winbox version 2 that downloads dll files?

Is there a specific version of v2 this was changed?

Please can you clarify this.

Thanks
 
normis
MikroTik Support
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Tue Mar 13, 2018 12:02 pm

Hi, is it all of Winbox version 2 that downloads dll files?

Is there a specific version of v2 this was changed?

Please can you clarify this.

Thanks
Winbox v2 needs DLL files from RouterOS to work. This was its design. This is normal and harmless. Somebody found a way to replace one of the legitimate DLL files with a malicious one. This is not an issue with Winbox v3, which never used any DLL files for its operation.
No answer to your question? How to write posts
 
Amazas
just joined
Posts: 16
Joined: Wed Oct 15, 2014 11:51 pm

Re: Slingshot APT, RouterOS spying software

Tue Mar 13, 2018 3:51 pm

Hi Normis,

Thanks for the further explanation... it helps a lot.

Is there a list that concentrates on security and describes security issues in detail that we can subscribe to? The detail I am referring to is like the detail in your last couple of posts.

I, for one, would prefer to leave versions where they are if everything I am using is working nicely... but I certainly would pay much greater attention to any messages from a list like this.

Thanks again!
 
doush
Long time Member
Long time Member
Posts: 625
Joined: Thu Jun 04, 2009 3:11 pm

Re: Slingshot APT, RouterOS spying software

Tue Mar 13, 2018 10:18 pm

Why doesn't Mikrotik make a native Winbox app for Linux and rescue us from all this crap?
Isn't it time yet?
 
105547111
Member Candidate
Member Candidate
Posts: 132
Joined: Fri Jun 22, 2012 9:46 pm

Re: Slingshot APT, RouterOS spying software

Tue Mar 13, 2018 10:34 pm

Why doesn't Mikrotik make a native Winbox app for Linux and rescue us from all this crap?
Isn't it time yet?
Now we're talking :-)..

Even baby steps - a proper 64-bit native Winbox, so that it runs under wine64, as Red Hat 7 / CentOS 7 are pure 64-bit with no 32-bit libraries.

I'm forced to run a windoze vm :-( urk
 
esquirrel
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Wed Feb 21, 2018 3:04 pm

Re: Slingshot APT, RouterOS spying software

Tue Mar 13, 2018 11:51 pm

I would prefer to not have to run Wine at all in a context like this. This is an all-important issue. Security is the #1 thing with a device like a router. And actually, I prefer open source products with no binary blobs. All the convenience is nice but at the end of the day what matters the most is the combined picture with security being about 90% of it. I would rather have a secure but dumb device with practically no functionality outside of its core mission than the most feature-laden device out there. Bells and whistles easily translate into security problems.

One thing that bothers me: I have only been using your products for around a month, and I downloaded Winbox 3.11 and was using it. Why was the known-to-be-insecure Winbox still there a month ago, if you knew about it a year ago? And even though I have installed 3.12, it still throws up a message about downloading something when it's launched. Although I completely de-installed and reinstalled Wine, it still is doing it. WTF?

What I would like is some specific information about the files this exploit creates and uses, how they got there, and how to remove every sign of them. What is called for is a complete disclosure of what might have been compromised. Otherwise I have to set up a VM for it, probably a good idea anyway, at this point. But what a PITA.

There should be a native Linux management utility that is open source. A web browser could do this. But, strangely, now it seems the RouterOS I am running does not allow HTTPS web management from the inward-facing interface I am using, even when I have turned it on on the server side. Probably some misconfiguration on my part. I will try that again.

Also, this was immediately problematic: the wireless should be off at the beginning by default.
If you have to reset the box, the state it wakes up in shouldn't be inherently insecure.
Maybe its WAN port, its external-facing wired interface, should be off too, until the customer has it set up to their satisfaction and turns it on.

All that said, for the money they are still a good deal, if they are secure, and can be verified to be so.

From a business standpoint, if I was Mikrotik, I would treat this as an opportunity to do a really stellar job of both responding to the community's concerns and educating us as to proper practices. You're about 80% of the way there. Right now your documentation leaves a great deal to be desired. It takes a long time to figure out how to do things because the information is not representative of any point in time. A great many times I've attempted to try one configuration only to find that it was no longer applicable to my hardware or version.

Please fill in the blanks.

How did all those people get compromised and is there any chance that the offending files were on all your machines, or that was some problem with your software supply chain from you to the customer?

Updating hardware over the web is a major security hole if it's vulnerable. There it is smart not to try to reinvent the wheel. Maybe better to not allow so many internet-specific ways to do things and instead focus on the best one or two that ensure the security of the updates.
 
tippenring
Member Candidate
Member Candidate
Posts: 179
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: Slingshot APT, RouterOS spying software

Wed Mar 14, 2018 12:27 am

One thing that bothers me: I have only been using your products for around a month, and I downloaded Winbox 3.11 and was using it. Why was the known-to-be-insecure Winbox still there a month ago, if you knew about it a year ago? And even though I have installed 3.12, it still throws up a message about downloading something when it's launched. Although I completely de-installed and reinstalled Wine, it still is doing it. WTF?
Read the entire thread. I think between the articles and Normis's explanation, that should cover most of what you brought up. I'm not going to repeat what's already been said.
 
Cha0s
Forum Veteran
Forum Veteran
Posts: 913
Joined: Tue Oct 11, 2005 4:53 pm

Re: Slingshot APT, RouterOS spying software

Wed Mar 14, 2018 10:52 am

There should be a native Linux management utility that is open source.
But there is.

It's called SSH.

You can access and manage/configure any RouterOS installation by these five methods:

-WinBox (desktop Windows app)
-WebFig (web-based control panel, with and without SSL) - if you can't access it, it's 100% a configuration issue on your part.
-SSH (secure)
-Telnet (insecure)
-API (with and without SSL)

Four out of those five options can be accessed with 100% open source software.
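As an added example (not from any post in this thread and not MikroTik's own documentation), the RouterOS CLI baseline a defender would apply to the five management services listed above, following normis's point that the affected devices lacked passwords and firewalls: plaintext services off, the encrypted ones bound to a management subnet, and an input-chain firewall. The management subnet 192.168.88.0/24 is a constructed placeholder.

```routeros
# Added example, not from the thread or from MikroTik docs.
# 192.168.88.0/24 is a constructed placeholder for your management subnet.

# Weak starting point: every service listening on every address,
# telnet and plain HTTP/API/FTP included. Review the current state first.
/ip service print

# Disable the plaintext management services entirely.
/ip service set [find name=telnet] disabled=yes
/ip service set [find name=www] disabled=yes
/ip service set [find name=api] disabled=yes
/ip service set [find name=ftp] disabled=yes

# Keep Winbox, SSH, WebFig over TLS and the TLS API, but only reachable
# from the management subnet. (www-ssl/api-ssl still need a certificate
# assigned before they are enabled.)
/ip service set [find name=winbox] address=192.168.88.0/24
/ip service set [find name=ssh] address=192.168.88.0/24
/ip service set [find name=www-ssl] address=192.168.88.0/24
/ip service set [find name=api-ssl] address=192.168.88.0/24

# Input chain: the router itself only accepts return traffic and
# connections from the management subnet; everything else is dropped.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="return traffic"
add chain=input connection-state=invalid action=drop comment="invalid"
add chain=input src-address=192.168.88.0/24 action=accept comment="management subnet"
add chain=input action=drop comment="drop all other traffic to the router"

# Close the year-old www vulnerability normis refers to by updating RouterOS.
/system package update check-for-updates
/system package update install

# Confirm the result.
/ip service print
/ip firewall filter print
```

Order matters in the input chain: the accept for the management subnet must precede the final drop, and the rules apply to all five services at once, so a service left enabled by mistake is still unreachable from outside the subnet.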
 
normis
MikroTik Support
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Wed Mar 14, 2018 1:01 pm

esquirrel, please read my posts above. There is NO insecure Winbox v3. Winbox v3 was released in 2014. Even if somebody was using a really old Winbox v2, they still had to have an unsecured RouterOS device so that somebody could compromise it (the firewall had to be removed). This is why they found only 120 affected machines since 2012. This is not a lot, and you are most probably not under any risk, especially if you upgraded within the last 4+ years.
No answer to your question? How to write posts
 
eXS
newbie
Posts: 43
Joined: Fri Apr 14, 2017 4:01 am

Re: Slingshot APT, RouterOS spying software

Thu Mar 15, 2018 2:01 am

I can't be finding out about these issues by word of mouth or because it shows up on a news feed somewhere.

Why doesn't Mikrotik have a site that actively lists established security concerns?

People can't be expected to find this forum, this thread & drill halfway down through posts to find answers.

Also, some of the back & forth (not just here) is an embarrassment. To be clear, I'm not asking for moderation.

Now would be a great time to establish a specific section of the site that can be checked & relied upon for security related responses.
 
AlainCasault
Trainer
Trainer
Posts: 627
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada
Contact:

Re: Slingshot APT, RouterOS spying software

Thu Mar 15, 2018 1:54 pm

I can't be finding out about these issues by word of mouth or because it shows up on a news feed somewhere.

Why doesn't Mikrotik have a site that actively lists established security concerns?

People can't be expected to find this forum, this thread & drill halfway down through posts to find answers.

Also, some of the back & forth (not just here) is an embarrassment. To be clear, I'm not asking for moderation.

Now would be a great time to establish a specific section of the site that can be checked & relied upon for security related responses.
+1

Sent from Tapatalk

___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
normis
MikroTik Support
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Slingshot APT, RouterOS spying software

Mon Mar 19, 2018 1:30 pm

I can't be finding out about these issues by word of mouth or because it shows up on a news feed somewhere.
Even with such a site, this news would have been a security concern back in 2014 when Winbox was patched. How would that help in this situation?
No answer to your question? How to write posts
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 1335
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Slingshot APT, RouterOS spying software

Mon Mar 19, 2018 2:22 pm

I can't be finding out about these issues by word of mouth or because it shows up on a news feed somewhere.
Even with such a site, this news would have been a security concern back in 2014 when Winbox was patched. How would that help in this situation?
Yes, because I would first have checked if this was already known information, and maybe Mikrotik could also have been able to publish a way to find out if you were a victim back then.

Now we had to collect the information ourselves instead of having a trustable place where all information is present.

When you have solved the problem before the disclosure by a third party then you don't have to wait but it would be nice to coordinate it with them.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta68 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
