Found this article published by Microsoft today on Trickbot and Mikrotik devices. Didn't see anything recent on this topic in the forum.
This continuous evolution has seen Trickbot expand its reach from computers to Internet of Things (IoT) devices such as routers, with the malware updating its C2 infrastructure to utilize MikroTik devices and modules. MikroTik routers are widely used around the world across different industries. By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another persistence layer that helps malicious IPs evade detection by standard security systems.
https://www.microsoft.com/security/blog ... structure/
-
-
sblanchard
just joined
- Posts: 2
- Joined:
Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
Hi,
BR
So, easy to avoid: user strong psw+upgrade.[...]based on our analysis, there are several methods that attackers use to access a target router:
Using default MikroTik passwords.
Launching brute force attacks. We have seen attackers use some unique passwords that probably were harvested from other MikroTik devices.
Exploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. This vulnerability gives the attacker the ability to read arbitrary files like user.dat, which contains pass
BR
Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
It's been picked up by Ars Technica.
https://arstechnica.com/information-tec ... -know-why/
Can't believe an article in 2022 can't be bothered to contact Mikrotik and is recommending RouterOS 6.42 to readers.
https://arstechnica.com/information-tec ... -know-why/
Can't believe an article in 2022 can't be bothered to contact Mikrotik and is recommending RouterOS 6.42 to readers.
Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
ars tech?
a good copy pasters of old articles....
a good copy pasters of old articles....
Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
It does mention 6.42 in the How to get owned, how to stay clean section. And as you point out, that has bugs.It's been picked up by Ars Technica.
https://arstechnica.com/information-tec ... -know-why/
Can't believe an article in 2022 can't be bothered to contact Mikrotik and is recommending RouterOS 6.42 to readers.
But what version should be recommended? https://www.cvedetails.com/vulnerabilit ... teros.html
And here is the mikrotik_cpe_match.json included with the Microsoft routeros-scanner on gihhub (it looks like 6.48.3 was still vulnerable to CVE-2020-20231, is it fixed after that?)
Code: Select all
{
"CVE-2020-20219": [
{
"exact": "6.44.6"
}
],
"CVE-2015-2350": [
{
"end_including": "5.0"
}
],
"CVE-2012-6050": [
{
"exact": "5.15"
}
],
"CVE-2020-20262": [
{
"end_excluding": "6.47"
}
],
"CVE-2020-20215": [
{
"exact": "6.44.6"
}
],
"CVE-2020-20254": [
{
"end_excluding": "6.47"
}
],
"CVE-2018-1157": [
{
"end_excluding": "6.40.9"
},
{
"end_excluding": "6.42.7"
}
],
"CVE-2018-1156": [
{
"end_excluding": "6.40.9"
},
{
"end_excluding": "6.42.7"
}
],
"CVE-2020-20214": [
{
"exact": "6.44.6"
}
],
"CVE-2020-20222": [
{
"exact": "6.44.6"
}
],
"CVE-2020-20218": [
{
"exact": "6.44.6"
}
],
"CVE-2020-20213": [
{
"exact": "6.44.5"
}
],
"CVE-2020-20252": [
{
"end_excluding": "6.47"
}
],
"CVE-2020-22845": [
{
"exact": "6.47"
}
],
"CVE-2017-6297": [
{
"exact": "6.37.4"
},
{
"exact": "6.83.3"
}
],
"CVE-2019-3977": [
{
"end_including": "6.44.5"
},
{
"end_including": "6.45.6"
}
],
"CVE-2020-20248": [
{
"exact": "6.47"
}
],
"CVE-2020-20225": [
{
"end_excluding": "6.47"
}
],
"CVE-2020-20264": [
{
"end_excluding": "6.47"
}
],
"CVE-2017-8338": [
{
"exact": "6.38.5"
}
],
"CVE-2020-20265": [
{
"end_excluding": "6.47"
}
],
"CVE-2008-6976": [
{
"start_including": "2.0",
"end_including": "2.9.51"
},
{
"start_including": "3.0",
"end_including": "3.13"
}
],
"CVE-2020-20249": [
{
"end_excluding": "6.47"
}
],
"CVE-2019-3976": [
{
"end_including": "6.45.6"
},
{
"end_including": "6.44.5"
}
],
"CVE-2020-22844": [
{
"exact": "6.47"
}
],
"CVE-2020-20253": [
{
"end_excluding": "6.47"
}
],
"CVE-2020-20212": [
{
"exact": "6.44.5"
}
],
"CVE-2020-20245": [
{
"exact": "6.46.3"
}
],
"CVE-2020-20250": [
{
"end_excluding": "6.47"
}
],
"CVE-2019-16160": [
{
"end_excluding": "6.45.5"
}
],
"CVE-2020-20211": [
{
"exact": "6.44.5"
}
],
"CVE-2020-20246": [
{
"exact": "6.46.3"
}
],
"CVE-2020-20231": [
{
"start_including": "6.44.6",
"end_including": "6.48.3"
}
],
"CVE-2020-20266": [
{
"end_excluding": "6.47"
}
],
"CVE-2019-3979": [
{
"end_including": "6.44.5"
},
{
"end_including": "6.45.6"
}
],
"CVE-2020-20227": [
{
"exact": "6.47"
}
],
"CVE-2019-3943": [
{
"end_including": "6.42.12"
},
{
"end_including": "6.43.12"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.41"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.42"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.43"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
},
{
"exact": "6.44"
}
],
"CVE-2019-3978": [
{
"end_including": "6.44.5"
},
{
"end_including": "6.45.6"
}
],
"CVE-2019-3981": [
{
"end_excluding": "6.43"
},
{
"end_excluding": "3.20"
}
],
"CVE-2020-20267": [
{
"end_excluding": "6.47"
}
],
"CVE-2019-15055": [
{
"start_including": "6.45",
"end_including": "6.45.3"
},
{
"end_including": "6.44.5"
}
],
"CVE-2020-20230": [
{
"end_excluding": "6.47"
}
],
"CVE-2020-20247": [
{
"end_excluding": "6.46.5"
}
],
"CVE-2020-20237": [
{
"exact": "6.46.3"
}
],
"CVE-2018-1159": [
{
"end_excluding": "6.40.9"
},
{
"end_excluding": "6.42.7"
}
],
"CVE-2020-11881": [
{
"start_including": "6.41.3",
"end_including": "6.46.5"
},
{
"exact": "7.0"
},
{
"exact": "7.0"
},
{
"exact": "7.0"
}
],
"CVE-2020-20221": [
{
"end_excluding": "6.44.6"
}
],
"CVE-2018-14847": [
{
"end_including": "6.42"
}
],
"CVE-2019-13954": [
{
"exact": "6.45"
},
{
"end_excluding": "6.44.5"
}
],
"CVE-2019-3924": [
{
"end_excluding": "6.42.12"
},
{
"end_excluding": "6.43.12"
}
],
"CVE-2018-7445": [
{
"end_excluding": "6.41.3"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
},
{
"exact": "6.4.2"
}
],
"CVE-2020-20217": [
{
"end_excluding": "6.47"
}
],
"CVE-2017-7285": [
{
"exact": "6.38.5"
}
],
"CVE-2020-20216": [
{
"exact": "6.44.6"
}
],
"CVE-2019-13955": [
{
"end_excluding": "6.44.5"
},
{
"exact": "6.45"
}
],
"CVE-2020-20220": [
{
"end_excluding": "6.47"
}
],
"CVE-2018-1158": [
{
"end_excluding": "6.40.9"
},
{
"end_excluding": "6.42.7"
}
],
"CVE-2021-27221": [
{
"exact": "6.47.9"
}
],
"CVE-2020-20236": [
{
"exact": "6.46.3"
}
]
}
Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
Version 6.83.3 vulnerable to CVE-2017-6297?
And then one wonders wrhere all vulnerabilities come from if even discovery tool contains errors ...
And then one wonders wrhere all vulnerabilities come from if even discovery tool contains errors ...
Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
Most of those CVE start with
"An authenticated remote attacker can ..."
How to solve 99,99% of problems:
Delete/rename default admin account, do not use standard or intuitive names for administrative account and use strong passwords
Do not open ports to the world, use VPN for remote mamagement
do not use weak VPN
do not use winbox or dude or browser for store passwords... or better do not store passwords
New CVE-2022-031901 affecting all version:
"An authenticated local or remote attacker, with administrative privileges, can reset routerboard with /system reset-configuration"
New CVE-2022-031902 for Windows 11:
"An authenticated or not local attacker can destroy the device putting the water inside..."
"An authenticated remote attacker can ..."
How to solve 99,99% of problems:
Delete/rename default admin account, do not use standard or intuitive names for administrative account and use strong passwords
Do not open ports to the world, use VPN for remote mamagement
do not use weak VPN
do not use winbox or dude or browser for store passwords... or better do not store passwords
New CVE-2022-031901 affecting all version:
"An authenticated local or remote attacker, with administrative privileges, can reset routerboard with /system reset-configuration"
New CVE-2022-031902 for Windows 11:
"An authenticated or not local attacker can destroy the device putting the water inside..."
Re: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
New CVE-2022-031902 for Windows 11:
"An authenticated or not local attacker can destroy the device putting the water inside..."
I thought CVE-2022-031902 applied to any local attacker, whether authenticated or not, but how would a "not local" attacker put water in?
Edit (I just realized I mis-parsed). you meant (authenticated or not) local attacker, I read authenticated or (not local attacker)
How to Change Your Computer's Oil [Joke] youtube video by ThioJoe
Who is online
Users browsing this forum: notarouter, Usamakhursheed and 32 guests