Community discussions

MikroTik App
 
sblanchard
just joined
Topic Author
Posts: 2
Joined: Fri Oct 15, 2021 7:06 pm

Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Thu Mar 17, 2022 7:18 pm

Found this article published by Microsoft today on Trickbot and Mikrotik devices. Didn't see anything recent on this topic in the forum.

This continuous evolution has seen Trickbot expand its reach from computers to Internet of Things (IoT) devices such as routers, with the malware updating its C2 infrastructure to utilize MikroTik devices and modules. MikroTik routers are widely used around the world across different industries. By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another persistence layer that helps malicious IPs evade detection by standard security systems.

https://www.microsoft.com/security/blog ... structure/
 
User avatar
woland
Member Candidate
Member Candidate
Posts: 282
Joined: Mon Aug 16, 2021 4:49 pm

Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Thu Mar 17, 2022 7:32 pm

Hi,
[...]based on our analysis, there are several methods that attackers use to access a target router:

Using default MikroTik passwords.
Launching brute force attacks. We have seen attackers use some unique passwords that probably were harvested from other MikroTik devices.
Exploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. This vulnerability gives the attacker the ability to read arbitrary files like user.dat, which contains pass
So, easy to avoid: user strong psw+upgrade.
BR
 
hecatae
Member Candidate
Member Candidate
Posts: 247
Joined: Thu May 21, 2020 2:34 pm

Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Fri Mar 18, 2022 11:21 pm

It's been picked up by Ars Technica.

https://arstechnica.com/information-tec ... -know-why/

Can't believe an article in 2022 can't be bothered to contact Mikrotik and is recommending RouterOS 6.42 to readers.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12379
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Sat Mar 19, 2022 1:53 am

ars tech?
a good copy pasters of old articles....
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 904
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Sat Mar 19, 2022 3:57 am

It's been picked up by Ars Technica.

https://arstechnica.com/information-tec ... -know-why/

Can't believe an article in 2022 can't be bothered to contact Mikrotik and is recommending RouterOS 6.42 to readers.
It does mention 6.42 in the How to get owned, how to stay clean section. And as you point out, that has bugs.

But what version should be recommended? https://www.cvedetails.com/vulnerabilit ... teros.html

And here is the mikrotik_cpe_match.json included with the Microsoft routeros-scanner on gihhub (it looks like 6.48.3 was still vulnerable to CVE-2020-20231, is it fixed after that?)
{
    "CVE-2020-20219": [
        {
            "exact": "6.44.6"
        }
    ],
    "CVE-2015-2350": [
        {
            "end_including": "5.0"
        }
    ],
    "CVE-2012-6050": [
        {
            "exact": "5.15"
        }
    ],
    "CVE-2020-20262": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2020-20215": [
        {
            "exact": "6.44.6"
        }
    ],
    "CVE-2020-20254": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2018-1157": [
        {
            "end_excluding": "6.40.9"
        },
        {
            "end_excluding": "6.42.7"
        }
    ],
    "CVE-2018-1156": [
        {
            "end_excluding": "6.40.9"
        },
        {
            "end_excluding": "6.42.7"
        }
    ],
    "CVE-2020-20214": [
        {
            "exact": "6.44.6"
        }
    ],
    "CVE-2020-20222": [
        {
            "exact": "6.44.6"
        }
    ],
    "CVE-2020-20218": [
        {
            "exact": "6.44.6"
        }
    ],
    "CVE-2020-20213": [
        {
            "exact": "6.44.5"
        }
    ],
    "CVE-2020-20252": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2020-22845": [
        {
            "exact": "6.47"
        }
    ],
    "CVE-2017-6297": [
        {
            "exact": "6.37.4"
        },
        {
            "exact": "6.83.3"
        }
    ],
    "CVE-2019-3977": [
        {
            "end_including": "6.44.5"
        },
        {
            "end_including": "6.45.6"
        }
    ],
    "CVE-2020-20248": [
        {
            "exact": "6.47"
        }
    ],
    "CVE-2020-20225": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2020-20264": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2017-8338": [
        {
            "exact": "6.38.5"
        }
    ],
    "CVE-2020-20265": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2008-6976": [
        {
            "start_including": "2.0",
            "end_including": "2.9.51"
        },
        {
            "start_including": "3.0",
            "end_including": "3.13"
        }
    ],
    "CVE-2020-20249": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2019-3976": [
        {
            "end_including": "6.45.6"
        },
        {
            "end_including": "6.44.5"
        }
    ],
    "CVE-2020-22844": [
        {
            "exact": "6.47"
        }
    ],
    "CVE-2020-20253": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2020-20212": [
        {
            "exact": "6.44.5"
        }
    ],
    "CVE-2020-20245": [
        {
            "exact": "6.46.3"
        }
    ],
    "CVE-2020-20250": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2019-16160": [
        {
            "end_excluding": "6.45.5"
        }
    ],
    "CVE-2020-20211": [
        {
            "exact": "6.44.5"
        }
    ],
    "CVE-2020-20246": [
        {
            "exact": "6.46.3"
        }
    ],
    "CVE-2020-20231": [
        {
            "start_including": "6.44.6",
            "end_including": "6.48.3"
        }
    ],
    "CVE-2020-20266": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2019-3979": [
        {
            "end_including": "6.44.5"
        },
        {
            "end_including": "6.45.6"
        }
    ],
    "CVE-2020-20227": [
        {
            "exact": "6.47"
        }
    ],
    "CVE-2019-3943": [
        {
            "end_including": "6.42.12"
        },
        {
            "end_including": "6.43.12"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.41"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.42"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.43"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        },
        {
            "exact": "6.44"
        }
    ],
    "CVE-2019-3978": [
        {
            "end_including": "6.44.5"
        },
        {
            "end_including": "6.45.6"
        }
    ],
    "CVE-2019-3981": [
        {
            "end_excluding": "6.43"
        },
        {
            "end_excluding": "3.20"
        }
    ],
    "CVE-2020-20267": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2019-15055": [
        {
            "start_including": "6.45",
            "end_including": "6.45.3"
        },
        {
            "end_including": "6.44.5"
        }
    ],
    "CVE-2020-20230": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2020-20247": [
        {
            "end_excluding": "6.46.5"
        }
    ],
    "CVE-2020-20237": [
        {
            "exact": "6.46.3"
        }
    ],
    "CVE-2018-1159": [
        {
            "end_excluding": "6.40.9"
        },
        {
            "end_excluding": "6.42.7"
        }
    ],
    "CVE-2020-11881": [
        {
            "start_including": "6.41.3",
            "end_including": "6.46.5"
        },
        {
            "exact": "7.0"
        },
        {
            "exact": "7.0"
        },
        {
            "exact": "7.0"
        }
    ],
    "CVE-2020-20221": [
        {
            "end_excluding": "6.44.6"
        }
    ],
    "CVE-2018-14847": [
        {
            "end_including": "6.42"
        }
    ],
    "CVE-2019-13954": [
        {
            "exact": "6.45"
        },
        {
            "end_excluding": "6.44.5"
        }
    ],
    "CVE-2019-3924": [
        {
            "end_excluding": "6.42.12"
        },
        {
            "end_excluding": "6.43.12"
        }
    ],
    "CVE-2018-7445": [
        {
            "end_excluding": "6.41.3"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        },
        {
            "exact": "6.4.2"
        }
    ],
    "CVE-2020-20217": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2017-7285": [
        {
            "exact": "6.38.5"
        }
    ],
    "CVE-2020-20216": [
        {
            "exact": "6.44.6"
        }
    ],
    "CVE-2019-13955": [
        {
            "end_excluding": "6.44.5"
        },
        {
            "exact": "6.45"
        }
    ],
    "CVE-2020-20220": [
        {
            "end_excluding": "6.47"
        }
    ],
    "CVE-2018-1158": [
        {
            "end_excluding": "6.40.9"
        },
        {
            "end_excluding": "6.42.7"
        }
    ],
    "CVE-2021-27221": [
        {
            "exact": "6.47.9"
        }
    ],
    "CVE-2020-20236": [
        {
            "exact": "6.46.3"
        }
    ]
}
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12425
Joined: Thu Mar 03, 2016 10:23 pm

Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Sat Mar 19, 2022 9:11 am

Version 6.83.3 vulnerable to CVE-2017-6297?

And then one wonders wrhere all vulnerabilities come from if even discovery tool contains errors ...
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12379
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Sat Mar 19, 2022 1:04 pm

Most of those CVE start with
"An authenticated remote attacker can ..."

How to solve 99,99% of problems:
Delete/rename default admin account, do not use standard or intuitive names for administrative account and use strong passwords
Do not open ports to the world, use VPN for remote mamagement
do not use weak VPN
do not use winbox or dude or browser for store passwords... or better do not store passwords

New CVE-2022-031901 affecting all version:
"An authenticated local or remote attacker, with administrative privileges, can reset routerboard with /system reset-configuration"

New CVE-2022-031902 for Windows 11:
"An authenticated or not local attacker can destroy the device putting the water inside..."
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 904
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure

Sun Mar 20, 2022 1:11 am

New CVE-2022-031902 for Windows 11:
"An authenticated or not local attacker can destroy the device putting the water inside..."
:D

I thought CVE-2022-031902 applied to any local attacker, whether authenticated or not, but how would a "not local" attacker put water in? 8)

Edit (I just realized I mis-parsed). you meant (authenticated or not) local attacker, I read authenticated or (not local attacker)

How to Change Your Computer's Oil [Joke] youtube video by ThioJoe

Who is online

Users browsing this forum: Bing [Bot], GoogleOther [Bot], JDF, kapnos, ryuu and 51 guests