Chimay Red exploit: vulnerable MikroTik and Ubiquiti devices form a giant botnet

MikroTik and Ubiquiti produce network devices that are very popular worldwide. The American (Ubiquiti) and Latvian (MikroTik) products have hundreds of thousands of satisfied customers all over the world. Administrators appreciate them for quickly released security updates and a wide range of configuration options. ISPs readily use MikroTik and Ubiquiti routers and build their networks on these brands. After all, each of us expects high reliability, bandwidth and continuous availability from IT infrastructure. A favourable total cost of ownership (TCO) is an additional asset in favour of these devices.

Today's bad news is that all MikroTik devices running RouterOS up to version 6.38.4 (this version of the OS was released in March 2017) are vulnerable to remote installation of malicious software. A device taken over in this way can infect others. Together they form a massive botnet that launches DDoS attacks on further Internet services, denying users access to remote resources.

Botnet of MikroTik and Ubiquiti devices

A malicious botnet (Hajime) has been observed scanning the Internet for devices with TCP port 8291 open. Ubiquiti devices running AirOS or AirMAX are also targeted. This is confirmed by information from Radware, which on March 24 observed increased connection activity on TCP port 8291 in its global honeypots:

[Figure: Botnet of MikroTik and Ubiquiti devices]

In the first phase of taking control of edge devices, a "scan" is performed that looks for potentially vulnerable devices. The script developed for this purpose looks for IP addresses with a service available on port 8291. To this end, it sends SYN packets without the final ACK of the 3-way handshake, so no payload at all is sent to the endpoint being scanned. Because port 8291 is the default port for management with the Winbox application, this is how the detection of MikroTik routers is automated. However, a margin of error has to be allowed for: not every public IP address with port 8291 exposed belongs to MikroTik equipment.

The largest numbers of "vulnerable" IP addresses are located in Brazil, the United States and Iran. In total there were over 10 000.

[Figure: Number of scanned devices.]

In the second phase of the attack, once the device has been recognized as "MikroTik", the Chimay Red exploit is used to exploit the vulnerability through port 80, 81, 82, 8080, 8081, 8082, 8089, 8181 or 8880. Once the Hajime worm (hence the name of the botnet) is installed, it tries to spread to other devices by carrying out further brute-force attacks on password-protected services. But note!

The threat does not come only from the botnet. A ready-made exploit for Metasploit is available that uses the vulnerability developed by the CIA. Now anyone can hack. Here is a detailed description of the Chimay Red exploit on MikroTik routers. The document is one of the many secret documents published by WikiLeaks in the "Vault 7" leak.

Another team of researchers, from Qihoo 360 Netlab, which was the first to release information about the attacks, claims that the Hajime botnet has performed more than 860 000 port-scan attempts in recent days. The targets also include almost 600 devices in Poland:

[Figure: Scanning map]

The attack is already being discussed on the MikroTik forum. One of the administrators describes it as follows:

Just tonight I discovered a multitude of RouterOS devices on our network--mostly customer devices, so far only observed on MIPS architecture--that appear to be infected with something. The routers themselves are generating hundreds of outbound connections every second to random IP addresses, targeting telnet (TCP port 23), TR-069 (TCP port 7547), and WINBOX!! (TCP 8291). I have confirmed that this traffic is not originating from a device on the customers' LANs and then getting NATted... it is coming from the router itself and is successfully blocked using firewall rules in the "output" chain.
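The behaviour the administrator describes (one source fanning out to many random addresses per second on TCP 23, 7547 and 8291) can be detected in flow records. The following is an added example, not part of the forum post or the original article; the flow line format, the threshold and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

WORM_PORTS = {23, 7547, 8291}   # telnet, TR-069, Winbox (ports named in the forum post)
MIN_DISTINCT_DSTS = 50          # per source per second; threshold is an assumption


def parse_flow(line):
    """Parse 'epoch_second src_ip dst_ip dst_port' (hypothetical export format)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def scanning_sources(lines, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src_ip: peak distinct destinations per second on WORM_PORTS}."""
    fanout = defaultdict(set)               # (src, second) -> distinct dst IPs
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport in WORM_PORTS:
            fanout[(src, ts)].add(dst)
    peaks = defaultdict(int)
    for (src, _), dsts in fanout.items():
        peaks[src] = max(peaks[src], len(dsts))
    return {src: n for src, n in peaks.items() if n >= min_dsts}


def build_sample():
    """Constructed flows: one infected router and one ordinary customer."""
    flows = []
    for i in range(120):                    # router sprays 120 hosts in one second
        port = (23, 7547, 8291)[i % 3]
        flows.append(f"1522000000 203.0.113.10 198.51.100.{i + 1} {port}")
    flows.append("1522000000 203.0.113.20 192.0.2.5 443")    # web traffic, ignored
    flows.append("1522000001 203.0.113.20 192.0.2.9 23")     # single telnet session
    flows.append("1522000001 203.0.113.20 192.0.2.7 8291")   # admin using Winbox
    return flows


if __name__ == "__main__":
    for src, peak in scanning_sources(build_sample()).items():
        print(f"{src}: {peak} distinct destinations/second on worm ports")
```

A flow collector upstream of the router sees only the WAN address, so a hit here does not by itself separate the router from a NATted LAN host; the administrator made that distinction with rules in the router's "output" chain.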

The risk should not be underestimated. An urgent firmware update to a version higher than 6.38.4 is recommended, as is changing the default port 8291 (or completely disabling configuration access from the outside).

While updating, you may want to check whether your MikroTik devices happen to carry any of these host names: HACKED-ROUTER-HELP-SOS-HAD-DUPE-PASSWORD / HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD / HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED. If so, you are definitely not properly secured.
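The checks recommended above (firmware version, exposed Winbox and HTTP ports, defaced host names) can be run over a device inventory. This is an added example, not code from the article or from MikroTik; the inventory record layout and its field names are hypothetical, and the sample records are constructed.

```python
import re

FIXED_AFTER = (6, 38, 4)        # the article: update to a version higher than 6.38.4
WINBOX_PORT = 8291              # default Winbox management port
HTTP_PORTS = {80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880}  # ports listed above
DEFACED_NAME = re.compile(r"^HACKED-ROUTER-HELP-", re.IGNORECASE)

# Constructed inventory; values would come from e.g. /system resource print
# (version) and /system identity print (name) plus an external port check.
INVENTORY = [
    {"name": "edge-1", "routeros": "6.38.4", "identity": "MikroTik",
     "wan_open_ports": [80, 8291]},
    {"name": "cpe-7", "routeros": "6.5",
     "identity": "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD", "wan_open_ports": []},
    {"name": "core-2", "routeros": "6.41.3", "identity": "core-2", "wan_open_ports": []},
]


def parse_version(text):
    """'6.38.4' -> (6, 38, 4); '6.40rc12' -> (6, 40, 0). Pads to three fields."""
    nums = []
    for part in text.split(".")[:3]:
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"unparseable version: {text!r}")
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))


def audit(device):
    """Return the list of findings for one inventory record."""
    findings = []
    ports = set(device["wan_open_ports"])
    if parse_version(device["routeros"]) <= FIXED_AFTER:   # numeric, not string, compare
        findings.append("routeros-not-above-6.38.4")
    if DEFACED_NAME.match(device["identity"]):
        findings.append("defaced-hostname")
    if WINBOX_PORT in ports:
        findings.append("winbox-default-port-exposed")
    if HTTP_PORTS & ports:
        findings.append("http-port-exposed")
    return findings


if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], audit(dev) or "ok")
```

Versions are compared as integer tuples because a string comparison would rank "6.5" above "6.38.4" and miss an old release.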


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.