Attackers are propagating the bot by exploiting vulnerabilities in RouterOS that allow them to execute code remotely on the device.
In the last 12 hours, more than 2k unique sources suddenly started to perform an internet-wide scan targeting port 8291, most likely MikroTik routers. The interesting thing is the scan almost started right around 0am Beijing time. https://t.co/0IK4TfE9er pic.twitter.com/Dkys1mssKm
— 360 Netlab (@360Netlab) March 25, 2018
MikroTik RouterOS is based on the Linux kernel and is used mostly by ISPs. The botnet exploits known vulnerabilities in the HTTP and SMB services and also brute-forces passwords.
How the Infection Takes place – Port 8291
The latest Hajime variant launches aggressive scanning on port 8291 to find publicly reachable devices and exploit them.
The 'Chimay Red' HTTP exploit code found in the attack modules targets a vulnerability in the RouterOS HTTP web server process caused by improper validation of user-supplied input.
The worm launches a very aggressive SYN scan against port 8291. If 8291 is open, it then checks a set of other common ports (80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880), uses the responses to determine the device version, and sends the matching exploit shellcode.
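The two-stage pattern above (mass SYN probing of 8291, then HTTP-port probes against hosts where Winbox answered) can be turned into a detection rule over firewall or NetFlow records. This is an added example, not code from the article, Netlab or Radware; the flow tuple format, the sample flows and the scan threshold are assumptions.

```python
"""Flag Hajime-style MikroTik probing in flow records (added example).

Input: constructed flow tuples (src_ip, dst_ip, dst_port, tcp_flags), as a
firewall or NetFlow collector might export them. Two signals are produced:
  1. sources SYN-probing 8291/tcp across many distinct hosts (mass scan), and
  2. (src, dst) pairs where 8291 answered and the source then probed the
     HTTP ports the write-up lists, i.e. likely version check + exploit.
"""
from collections import defaultdict

WINBOX_PORT = 8291
# Follow-up ports the worm checks once Winbox is open (from the write-up).
FOLLOWUP_PORTS = {80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880}
SCAN_THRESHOLD = 5  # distinct hosts hit on 8291 before we call it a scan (assumption)

# Constructed sample flows. Flags "S" = SYN only (no reply seen),
# "SA" = the destination answered, i.e. the port is open.
FLOWS = [
    ("198.51.100.7", f"203.0.113.{i}", 8291, "S") for i in range(1, 9)
] + [
    ("198.51.100.7", "203.0.113.4", 8291, "SA"),
    ("198.51.100.7", "203.0.113.4", 80, "S"),
    ("198.51.100.7", "203.0.113.4", 8080, "S"),
    ("192.0.2.10", "203.0.113.4", 8291, "SA"),   # one admin Winbox login, benign
    ("192.0.2.10", "203.0.113.4", 443, "S"),     # not a listed follow-up port
]


def analyse(flows):
    """Return (set of scanning sources, {(src, dst): sorted follow-up ports})."""
    hosts_probed = defaultdict(set)   # src -> distinct hosts hit on 8291
    winbox_open = set()               # (src, dst) pairs where 8291 answered
    followups = defaultdict(set)      # (src, dst) -> follow-up ports tried
    for src, dst, dport, flags in flows:   # flows are assumed time-ordered
        if dport == WINBOX_PORT:
            hosts_probed[src].add(dst)
            if "A" in flags:
                winbox_open.add((src, dst))
        elif dport in FOLLOWUP_PORTS and (src, dst) in winbox_open:
            followups[(src, dst)].add(dport)
    scanners = {s for s, h in hosts_probed.items() if len(h) >= SCAN_THRESHOLD}
    exploit_attempts = {pair: sorted(p) for pair, p in followups.items()}
    return scanners, exploit_attempts
```

A single legitimate Winbox login from one source is not flagged; only the breadth of 8291 probing and the follow-up HTTP-port sequence trigger an alert.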
It has come to our attention that a mass scan for open ports 80/8291 (Web/Winbox) is taking place. To be safe, firewall these ports and upgrade RouterOS devices to v6.41.3 (or at least, above v6.38.5).
— MikroTik (@mikrotik_com) March 27, 2018
In the last week, I’ve seen 239 unique IP addresses scanning port 8291/tcp. The vast majority have come from Brazil, specifically AS27699 (@TelefonicaBr).
— Bad Packets Report (@bad_packets) March 28, 2018
According to Netlab, the top three scan sources are Brazil (585k), Iran (51.8k), Russia (26.4k). Radware and Netlab published technical write-ups.
- Block unwanted requests to port 8291.
- Update MikroTik firmware to v6.41.3 (or at least, above v6.38.5).
Sample hashes (MD5) and file names:
- 06B4D50254C6C112437A3ED893EF40B4 .i.mipseb
- 93A1A080FCDE07E512E7485C92861B69 atk.mipseb
- fc834c015b357c687477cb9116531de7 atk.mipseb.upx.unpack