
New wave of Winbox vuln. attacks

Posted: Mon Aug 27, 2018 7:19 pm
by tomaskir
There is currently another wave of attacks on RouterOS under way across US/EU address space.
This attack utilizes the Winbox vuln. that has been patched in April this year.

The current wave of attacks is very similar to the mass-exploitation of routers across Brazil earlier this month.
This time though, it is being performed against the US/EU address space.

This particular wave of attacks focuses on DNS hijacking, and then traffic redirection of the end-user devices.

This is just a PSA post to make sure your network is protected.
PLEASE make sure your MikroTiks are properly secured (firewall, ACLs on administrative interfaces, etc.)
PLEASE make sure you are running latest RouterOS versions in your network.

Default configurations of RouterOS are NOT affected - in order to be affected by this, you need to have the Winbox service exposed publicly.

Re: New wave of Winbox vuln. attacks

Posted: Tue Aug 28, 2018 1:56 pm
by tomaskir
As an update to this, it seems there are currently 2 active variants of attacks:

Version 1:
Very similar to the attacks on Latin America earlier this month, but executed across the US/EU.
This variant modifies SOCKS, and pulls updates using a 'mikrotik.php' file that is downloaded using scripts and scheduler.

Here is an article on how to remediate this variant of the attacks:
https://unimus.net/blog/validating-secu ... -wide.html

Version 2:
This variant seems new.
It hijacks DNS and also uses a DNS redirect in NAT to force clients behind the router to the hijacked DNS.
Along with this, it also does SOCKS and web-proxy.
If anyone has more information about this variant, please share more.
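The Version 2 indicators tomaskir lists (DNS redirected in NAT, SOCKS and web-proxy enabled, DNS forwarders pointing somewhere unexpected) can be checked for in a router's `/export` text. The script below is an added example, not code from this thread or from MikroTik; the SAMPLE_EXPORT is constructed to look like `/export` output, the addresses are RFC 5737 documentation ranges rather than real indicators, and the key=value parsing assumes the usual export syntax with backslash line continuations.

```python
"""Flag the Version 2 indicators described in the thread in a RouterOS
'/export' text: DNS redirected in NAT, SOCKS and web-proxy enabled, and
DNS forwarders pointing at a non-local address.

Added example, not MikroTik code. SAMPLE_EXPORT is constructed; the
addresses are RFC 5737 documentation ranges, not real indicators.
"""
import ipaddress
import re

SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=203.0.113.5
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp \\
    to-addresses=203.0.113.5 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp \\
    to-addresses=203.0.113.5 to-ports=53
/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes port=1080
"""

# key=value tokens; quoted values may contain spaces.
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Ranges a router would legitimately point clients at (LAN resolvers, itself).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_export(text):
    """Yield (section, command, {key: value}) per statement, joining the
    backslash-continued lines the way /export prints them."""
    pending, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending.append(line[:-1].rstrip())
            continue
        pending.append(line)
        stmt = " ".join(pending)
        pending = []
        if not stmt:
            continue
        if stmt.startswith("/"):
            section = stmt          # e.g. "/ip firewall nat"
            continue
        cmd, _, rest = stmt.partition(" ")
        yield section, cmd, {k: v.strip('"') for k, v in KV.findall(rest)}


def is_nonlocal(addr):
    """True for anything outside the LAN/loopback ranges (documentation
    ranges count as non-local here, so the constructed sample triggers)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def audit(text, trusted_dns=()):
    """Return a list of findings; trusted_dns lists resolvers you set yourself."""
    findings = []
    for section, cmd, kv in parse_export(text):
        if (section == "/ip firewall nat" and kv.get("chain") == "dstnat"
                and kv.get("dst-port") == "53" and is_nonlocal(kv.get("to-addresses", ""))):
            findings.append(f"dns-redirect-nat {kv.get('protocol')} -> {kv['to-addresses']}")
        elif section in ("/ip socks", "/ip proxy") and kv.get("enabled") == "yes":
            findings.append(f"{section.split()[-1]}-enabled port {kv.get('port')}")
        elif section == "/ip dns":
            for srv in kv.get("servers", "").split(","):
                if srv and srv not in trusted_dns and is_nonlocal(srv):
                    findings.append(f"dns-server {srv}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print("FINDING:", f)
```

Run it against a real `/export` saved to a file by passing the file contents to `audit()`, with your own resolvers in `trusted_dns` so that a deliberately configured public DNS server is not reported.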

Re: New wave of Winbox vuln. attacks

Posted: Tue Aug 28, 2018 2:24 pm
by pe1chl
This will just continue until everybody has updated his router and config.
Experience with Windows vulnerabilities shows that this can well take a decade.

Re: New wave of Winbox vuln. attacks

Posted: Tue Aug 28, 2018 3:12 pm
by flynno
I think I fell victim to this attack yesterday, my clients had problems watching netflix and appeared to have two IP addresses.
One IP was fake and one was the real IP address. Netflix reported the IP as using a proxy or VPN and denied the clients access.

My main router was breached before because of the previous attack. I upgraded the router to bugfix, changed passwords, allowed winbox only from support IPs, disabled scripts and socks, and enabled all drop rules that had been disabled. The one thing I didn't do was change the IP of the router; that's done now and everything has returned to normal, for now anyway. Fingers crossed.

Re: New wave of Winbox vuln. attacks

Posted: Tue Aug 28, 2018 9:32 pm
by mistry7
I think I fell victim to this attack yesterday, my clients had problems watching netflix and appeared to have two IP addresses.
One IP was fake and one was the real IP address. Netflix reported the IP as using a proxy or VPN and denied the clients access.

My main router was breached before because of the previous attack, I upgraded router to bugfix, changed passwords, allow winbox only from support IP's, disabled scripts and socks along with enabling all drop rules that had been disabled. The one thing I didn't do was change the IP of the router, that's done now and everything has resumed to normal for now anyway, fingers crossed
You'd better apply a working firewall instead of changing addresses...

Re: New wave of Winbox vuln. attacks

Posted: Wed Aug 29, 2018 12:46 am
by flynno
Hey Mistry7, have you any rules that I can use to prevent this from happening?

Re: New wave of Winbox vuln. attacks

Posted: Wed Aug 29, 2018 1:14 am
by Pea

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 5:19 am
by Okietim
I've received in log "warning denied winbox/dude connect from x.x.x.x".
I have a firewall rule I thought would drop it, but I don't see the packet count change and I'm still getting warning message.
Should I be concerned?

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment="Allow only lan to router" log-prefix=\
    "Allow lan to router" src-address-list=Allowed_to_router
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,new,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="Winbox on WAN" dst-port=8291 \
    in-interface=ether1 log=yes log-prefix="winbox on wan " protocol=tcp
add action=drop chain=input comment="Drop everything remaining"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 8:23 am
by vecernik87
...I have a firewall rule I thought would drop it, but I don't see the packet count change and I'm still getting warning message....
If you are testing it relatively quickly, it is possible that the connection is still among the tracked ones and therefore gets accepted. Unfortunately I don't know why it would get allowed in the first place unless you had some very different rules earlier.
Currently your firewall seems correctly done with the approach "allow what's needed, drop anything else", so you actually don't need the specific drop rule for winbox unless you want to make an exception. You may move it to the top of all the others (before the first input rule) and that will refuse all packets (including already tracked and enabled connections) coming to the winbox port from WAN.

If you still don't see packet count increasing, then something weird is happening (Personally I would guess you are not connecting to Ether1 - maybe you have some PPPoE or some different tunnel as WAN?)

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 10:10 am
by sid5632
Why have you got "new" in this:
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,new,untracked
It certainly wasn't put there by "defconf" so you must have done it. Take it out!

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 12:51 pm
by tomaskir
Indeed, the issue will be in accepting "new" state connections in rule no. 3.
As pointed out by sid5632, this is something that was modified from the default configuration, and that is why you are seeing Winbox login attempts from the internet.

Fixing that rule (remove the "new" connection state) is a good start to fix this.
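Why the "Winbox on WAN" drop counter never moved while "new" was in the accept rule, and what vecernik87's move-it-to-the-top suggestion changes, comes down to first-match evaluation of the input chain. The simulation below is an added example, not code from this thread or from MikroTik: it rebuilds the posted input chain with only the matchers those rules use (connection-state, protocol, dst-port, in-interface, src-address-list), leaves out fasttrack, logging and the forward chain, and runs constructed packets through it.

```python
"""Model RouterOS first-match evaluation of the input chain posted in the
thread, to show why the "Winbox on WAN" drop counter never moved while
'new' was in the accept rule.

Added example, not code from the thread or from MikroTik. Only the matchers
the posted rules use are modelled; packets below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str
    comment: str
    connection_state: frozenset = frozenset()   # empty = matcher not set
    protocol: str = ""
    dst_port: int = 0
    in_interface: str = ""
    src_address_list: str = ""
    packets: int = 0   # the per-rule packet counter shown by the CLI/Winbox

    def matches(self, pkt):
        """Every matcher that is set must agree, as in a RouterOS rule."""
        return (
            (not self.connection_state or pkt["state"] in self.connection_state)
            and (not self.protocol or pkt["protocol"] == self.protocol)
            and (not self.dst_port or pkt["dst_port"] == self.dst_port)
            and (not self.in_interface or pkt["in_interface"] == self.in_interface)
            and (not self.src_address_list or self.src_address_list in pkt["lists"])
        )


def build_input_chain(accept_new, winbox_drop_first=False):
    """Rebuild the poster's input chain in order. accept_new toggles the
    'new' state sid5632 spotted; winbox_drop_first applies vecernik87's
    suggestion of moving the Winbox drop rule before everything else."""
    states = {"established", "related", "untracked"} | ({"new"} if accept_new else set())
    winbox_drop = Rule("drop", "Winbox on WAN", protocol="tcp", dst_port=8291,
                       in_interface="ether1")
    chain = [
        Rule("accept", "Allow only lan to router", src_address_list="Allowed_to_router"),
        Rule("accept", "defconf: accept established,related,untracked",
             connection_state=frozenset(states)),
        Rule("accept", "defconf: accept ICMP", protocol="icmp"),
        Rule("drop", "defconf: drop invalid", connection_state=frozenset({"invalid"})),
        winbox_drop,
        Rule("drop", "Drop everything remaining"),
    ]
    if winbox_drop_first:
        chain.remove(winbox_drop)
        chain.insert(0, winbox_drop)
    return chain


def run_chain(chain, pkt):
    """The first matching rule decides and its counter increments;
    RouterOS accepts when no rule in the chain matches."""
    for rule in chain:
        if rule.matches(pkt):
            rule.packets += 1
            return rule.action, rule.comment
    return "accept", "(end of chain)"


# Constructed packets: an Internet host opening TCP/8291 on the WAN port,
# the same flow once tracked, and a LAN admin on the Allowed_to_router list.
WAN_SYN = {"state": "new", "protocol": "tcp", "dst_port": 8291,
           "in_interface": "ether1", "lists": ()}
WAN_ESTABLISHED = dict(WAN_SYN, state="established")
LAN_ADMIN = dict(WAN_SYN, in_interface="ether2", lists=("Allowed_to_router",))


def winbox_verdict(accept_new, winbox_drop_first=False, pkt=WAN_SYN):
    """Run one packet through a fresh chain and report which rule decided
    and what the Winbox drop counter reads afterwards."""
    chain = build_input_chain(accept_new, winbox_drop_first)
    action, by = run_chain(chain, pkt)
    drop_rule = next(r for r in chain if r.comment == "Winbox on WAN")
    return {"action": action, "rule": by, "winbox_drop_packets": drop_rule.packets}


if __name__ == "__main__":
    print("with new   :", winbox_verdict(True))
    print("without new:", winbox_verdict(False))
    print("drop first :", winbox_verdict(False, True, WAN_ESTABLISHED))
    print("LAN admin  :", winbox_verdict(False, False, LAN_ADMIN))
```

With "new" in rule 3, the WAN SYN is accepted there and handed to the Winbox service, which is what produces the "denied winbox/dude connect" log line, and the drop rule further down is never consulted, so its counter stays at zero. Without "new", the same SYN falls through to the Winbox drop rule and the counter increments, matching what Okietim later observed. Moving the drop rule to the top also drops already-tracked Winbox flows arriving on ether1, which is the trade-off vecernik87 described.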

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 2:30 pm
by Okietim
Thanks sid5632 and tomaskir!

Have removed "new" as noted.

Should untracked also be removed as it appears not to be part of defconf as well?

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 3:11 pm
by sid5632
Should untracked also be removed as it appears not to be part of defconf as well?
No. Untracked is part of defconf. Read the comment!

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 4:20 pm
by Okietim
Thanks sid5632!
I seem to recall there is a way to view the default configuration, but have failed to locate how to do it.
Could you point me in the right direction?

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 4:24 pm
by tomaskir
I seem to recall there is a way to view the default configuration, but have failed to locate how to do it.
Could you point me in the right direction?

You can print out the default configuration using:
/system default-configuration print

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 4:24 pm
by mkx
/system default-configuration print

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 4:48 pm
by Okietim
Thank you tomaskir and mkx!
Just what I needed.

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 7:14 pm
by sajibnandi
Hi Tomaskir,
Now we are facing massive winbox default port attacks on every one of our mikrotik routers, although we are not using the winbox default port 8291 and also have the firewall block this port.
If you have any suggestions for preventing this attack, I would appreciate them.
please check this link:
https://drive.google.com/open?id=1pld-G ... wiwUBMvufX

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 7:40 pm
by tomaskir
@sajibnandi:
It seems you have logging enabled for some rule in the firewall input chain.
Depending on how the input chain is configured, this might be just logging that you can disable.

Best would be to paste the output of
/ip firewall filter
print where chain=input
Looking at the structure of the firewall, we will be able to see if this is an issue or not.

Re: New wave of Winbox vuln. attacks

Posted: Thu Aug 30, 2018 9:32 pm
by Okietim
Just wanted to let everyone know removing "new" did fix the problem!
I found the winbox drop rule had a count increment today without any warning in log.
Thanks to everyone!!

Re: New wave of Winbox vuln. attacks

Posted: Mon Sep 03, 2018 9:52 am
by olsen
Just wanted to let everyone know removing "new" did fix the problem!
I found the winbox drop rule had a count increment today without any warning in log.
Thanks to everyone!!
Got it!