For example, it's now almost impossible to connect to the telnet port once you connect using leaked credentials, the router disconnects you almost immediately."Īvast says that from Sept. "The attacker continued to tighten up his position in the router. "Just shortly after we took down the second domain, the attacker started to tighten-up the compromised devices, by disabling most of the management interface, and moving ports of SSH and telnet to port TCP/10022 and TCP/10023, which is unexpected and incredibly unlikely that a user would even notice," Hron and Jursa say in a blog post. But they say whoever was behind the attacks quickly retrenched. Security researchers Martin Hron and David Jursa at Czech security vendor Avast say at least several strains of MikroTik-infecting malware appear to be in play, noting that Avast found and disrupted a command-and-control network associated with at least two domains. In case you are infected, your device is probably not only mining for the attackers but also trying to infect other mikrotik - Ankit Anubhav October 16, 2018 So our #mikrotik honeypots are functioning now, and the first attack IPs trying to attack us are themselves infected mikrotik devices. On Tuesday, Ankit Anubhav, principal security researcher at New Sky Security, said that a new honeypot it launched to study how the MikroTik router flaw is being exploited found that it's largely being targeted by already infected MikroTik routers.
Since then, despite clear and persistent warnings from security researchers as well as MikroTik, hundreds of thousands of its routers remain unpatched and are being actively targeted by attackers, security researchers say. Via the flaw, attackers can gain complete access to a vulnerable router, giving them access to Winbox - a simple GUI administration utility for MicroTik's RouterOS - as well as Webfig - the web-based version of the utility. In April, MikroTik rapidly patched a zero-day flaw, designated CVE-2018-14847.
Of those, security experts say that more than 420,000 appear to have been exploited and infected with malicious cryptocurrency-mining scripts (see Hacked MicroTik Routers Serve Cryptocurrency-Mining Malware). More than 2 million MikroTik routers appear to be internet-connected. See Also: New OnDemand | A Better Way to Approach Data Backup and Recovery (Source: Avast)Īttackers are continuing to compromise unpatched routers, as well as devices with default credentials, built by Latvian manufacturer MikroTik. Snapshot of mining activity for one of the distributed monero keys being used to infect MikroTik routers.
0 kommentar(er)
