tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

New wave of Winbox vuln. attacks

Mon Aug 27, 2018 7:19 pm

There is currently another wave of attacks on RouterOS under way across US/EU address space.
This attack utilizes the Winbox vuln. that has been patched in April this year.

The current wave of attacks is very similar to the mass-exploitation of routers across Brazil earlier this month.
This time though, it is being performed against the US/EU address space.

This particular wave of attacks focuses on DNS hijacking, and then traffic redirection of the end-user devices.

This is just a PSA post to make sure your network is protected.
PLEASE make sure your MikroTiks are properly secured (firewall, ACLs on administrative interfaces, etc.)
PLEASE make sure you are running latest RouterOS versions in your network.

Default configurations of RouterOS are NOT affected - in order to be affected by this, you need to have the Winbox service exposed publicly.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: New wave of Winbox vuln. attacks

Tue Aug 28, 2018 1:56 pm

As an update to this, it seems there are currently 2 active variants of attacks:

Version 1:
Very similar to the attacks on Latin America earlier this month, but executed across the US/EU.
This variant modifies SOCKS, and pulls updates using a 'mikrotik.php' file that is downloaded using scripts and scheduler.

Here is an article on how to remediate this variant of the attacks:
https://unimus.net/blog/validating-secu ... -wide.html

Version 2:
This variant seems new.
It hijacks DNS and also uses a DNS redirect in NAT to force clients behind the router to the hijacked DNS.
Along with this, it also does SOCKS and web-proxy.
If anyone has more information about this variant, please share more.
Last edited by tomaskir on Tue Aug 28, 2018 2:25 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: New wave of Winbox vuln. attacks

Tue Aug 28, 2018 2:24 pm

This will just continue until everybody has updated his router and config.
Experience with Windows vulnerabilities shows that this can well take a decade.
 
flynno
Member Candidate
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: New wave of Winbox vuln. attacks

Tue Aug 28, 2018 3:12 pm

I think I fell victim to this attack yesterday, my clients had problems watching netflix and appeared to have two IP addresses.
One IP was fake and one was the real IP address. Netflix reported the IP as using a proxy or VPN and denied the clients access.

My main router was breached before because of the previous attack. I upgraded the router to bugfix, changed passwords, allowed Winbox only from support IPs, disabled scripts and SOCKS, and enabled all the drop rules that had been disabled. The one thing I didn't do was change the IP of the router; that's done now and everything has returned to normal, for now anyway, fingers crossed.
 
mistry7
Forum Guru
Posts: 1330
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: New wave of Winbox vuln. attacks

Tue Aug 28, 2018 9:32 pm

> I think I fell victim to this attack yesterday, my clients had problems watching netflix and appeared to have two IP addresses.
> One IP was fake and one was the real IP address. Netflix reported the IP as using a proxy or VPN and denied the clients access.
>
> My main router was breached before because of the previous attack. I upgraded the router to bugfix, changed passwords, allowed Winbox only from support IPs, disabled scripts and SOCKS, and enabled all the drop rules that had been disabled. The one thing I didn't do was change the IP of the router; that's done now and everything has returned to normal, for now anyway, fingers crossed.

You'd better apply a working firewall instead of changing addresses...
 
flynno
Member Candidate
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: New wave of Winbox vuln. attacks

Wed Aug 29, 2018 12:46 am

Hey Mistry7, have you any rules that I can use to prevent this from happening?
 
Pea
Member Candidate
Posts: 191
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: New wave of Winbox vuln. attacks

Wed Aug 29, 2018 1:14 am

 
Okietim
just joined
Posts: 15
Joined: Tue Feb 14, 2017 9:54 pm
Location: Oklahoma

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 5:19 am

I've received in log "warning denied winbox/dude connect from x.x.x.x".
I have a firewall rule I thought would drop it, but I don't see the packet count change and I'm still getting the warning message.
Should I be concerned?

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment="Allow only lan to router" log-prefix=\
    "Allow lan to router" src-address-list=Allowed_to_router
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,new,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="Winbox on WAN" dst-port=8291 \
    in-interface=ether1 log=yes log-prefix="winbox on wan " protocol=tcp
add action=drop chain=input comment="Drop everything remaining"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 8:23 am

> ...I have a firewall rule I thought would drop it, but I don't see the packet count change and I'm still getting warning message....

If you are testing it relatively quickly, it is possible that the connection is still among the tracked ones, and therefore gets accepted. Unfortunately I don't know why it would get allowed in the first place unless you had some very different rules earlier.
Currently your firewall seems correctly done with the approach "allow what's needed, drop anything else", so you actually don't need the specific drop rule for Winbox unless you want to make an exception: you may move it to the top of all the others (before the first input rule) and that will refuse all packets (including already tracked and enabled connections) coming to the Winbox port from WAN.

If you still don't see packet count increasing, then something weird is happening (Personally I would guess you are not connecting to Ether1 - maybe you have some PPPoE or some different tunnel as WAN?)
 
sid5632
Member
Posts: 353
Joined: Fri Feb 17, 2017 6:05 pm

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 10:10 am

Why have you got "new" in this:
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,new,untracked
It certainly wasn't put there by "defconf" so you must have done it. Take it out!
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 12:51 pm

Indeed, the issue will be in accepting "new" state connections in rule no. 3.
As pointed out by sid5632, this is something that was modified from the default configuration, and that is why you are seeing Winbox login attempts from the internet.

Fixing that rule (remove the "new" connection state) is a good start to fix this.
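An added example, not from the thread and not RouterOS code: a small first-match model in Python of the input chain Okietim posted, showing why the "Winbox on WAN" drop rule only starts counting once "new" is removed from the defconf accept rule, and why an already tracked connection is still accepted afterwards. The rule dictionaries and sample packets are constructed for illustration.

```python
# Added example, not from the thread: a first-match model of the posted
# input chain. Rules and packets are constructed here; not RouterOS code.

def rule(action, comment, **match):
    """One filter rule; the first rule whose matchers all hit decides."""
    return {"action": action, "comment": comment, "match": match, "count": 0}

def input_chain(accept_new):
    """Input rules in the posted order, with or without "new" in the
    defconf accept rule (the one the thread calls rule no. 3)."""
    states = {"established", "related", "untracked"} | ({"new"} if accept_new else set())
    return [
        rule("accept", "Allow only lan to router", src_list="Allowed_to_router"),
        rule("accept", "defconf: accept established,related,untracked", state=states),
        rule("accept", "defconf: accept ICMP", protocol="icmp"),
        rule("drop", "defconf: drop invalid", state={"invalid"}),
        rule("drop", "Winbox on WAN", protocol="tcp", dst_port=8291, in_iface="ether1"),
        rule("drop", "Drop everything remaining"),
    ]

def matches(r, pkt):
    """A set matcher means 'any of these values'; anything else is equality."""
    for key, want in r["match"].items():
        have = pkt.get(key)
        ok = have in want if isinstance(want, set) else have == want
        if not ok:
            return False
    return True

def evaluate(chain, pkt):
    """Walk the chain top-down and bump the counter of the deciding rule."""
    for r in chain:
        if matches(r, pkt):
            r["count"] += 1
            return r["action"], r["comment"]
    return "accept", "(end of chain: implicit accept)"

# Constructed sample packets: a fresh Winbox SYN from the internet on ether1,
# and a later packet of a connection that conntrack already accepted.
WINBOX_SYN = {"protocol": "tcp", "dst_port": 8291, "in_iface": "ether1", "state": "new"}
WINBOX_TRACKED = dict(WINBOX_SYN, state="established")

def winbox_verdict(accept_new, pkt=WINBOX_SYN):
    return evaluate(input_chain(accept_new), pkt)

if __name__ == "__main__":
    print("accept rule with 'new':   ", winbox_verdict(True))
    print("accept rule without 'new':", winbox_verdict(False))
    # A connection accepted before the fix stays tracked, so a quick
    # re-test can still show a zero counter on the drop rule.
    print("already tracked:          ", winbox_verdict(False, WINBOX_TRACKED))
```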
 
Okietim
just joined
Posts: 15
Joined: Tue Feb 14, 2017 9:54 pm
Location: Oklahoma

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 2:30 pm

Thanks sid5632 and tomaskir!

Have removed "new" as noted.

Should untracked also be removed as it appears not to be part of defconf as well?
 
sid5632
Member
Posts: 353
Joined: Fri Feb 17, 2017 6:05 pm

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 3:11 pm

> Should untracked also be removed as it appears not to be part of defconf as well?

No. Untracked is part of defconf. Read the comment!
 
Okietim
just joined
Posts: 15
Joined: Tue Feb 14, 2017 9:54 pm
Location: Oklahoma

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 4:20 pm

Thanks sid5632!
I seem to recall there is a way to view the default configuration, but have failed to locate how to do it.
Could you point me in the right direction?
 
User avatar
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 4:24 pm

> I seem to recall there is a way to view the default configuration, but have failed to locate how to do it.
> Could you point me in the right direction?

You can print out the default configuration using:
/system default-configuration print
Last edited by tomaskir on Thu Aug 30, 2018 4:24 pm, edited 2 times in total.
 
mkx
Forum Guru
Posts: 3223
Joined: Thu Mar 03, 2016 10:23 pm

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 4:24 pm

/system default-configuration print
BR,
Metod
 
Okietim
just joined
Posts: 15
Joined: Tue Feb 14, 2017 9:54 pm
Location: Oklahoma

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 4:48 pm

Thank you tomaskir and mkx!
Just what I needed.
 
sajibnandi
just joined
Posts: 5
Joined: Tue Jan 10, 2017 12:16 pm
Location: Dhaka

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 7:14 pm

Hi Tomaskir,
We are now facing massive Winbox default-port attacks on every one of our MikroTik routers, although we are not using the Winbox default port 8291 and also have a firewall rule blocking this port.
If you have any suggestions for preventing this attack, I would appreciate them.
Please check this link:
https://drive.google.com/open?id=1pld-G ... wiwUBMvufX
 
tomaskir
Trainer
Topic Author
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 7:40 pm

@sajibnandi:
It seems you have logging enabled for some rule in the firewall input chain.
Depending on how the input chain is configured, this might be just logging that you can disable.

Best would be to paste the output of
/ip firewall filter
print where chain=input
Looking at the structure of the firewall, we will be able to see if this is an issue or not.
 
Okietim
just joined
Posts: 15
Joined: Tue Feb 14, 2017 9:54 pm
Location: Oklahoma

Re: New wave of Winbox vuln. attacks

Thu Aug 30, 2018 9:32 pm

Just wanted to let everyone know removing "new" did fix the problem!
I found the winbox drop rule had a count increment today without any warning in log.
Thanks to everyone!!
 
olsen
just joined
Posts: 2
Joined: Thu Aug 30, 2018 11:39 pm

Re: New wave of Winbox vuln. attacks

Mon Sep 03, 2018 9:52 am

> Just wanted to let everyone know removing "new" did fix the problem!
> I found the winbox drop rule had a count increment today without any warning in log.
> Thanks to everyone!!

Got it!
