[HamWAN PSDR] RANCID with mikrotik?

Stephen Kangas stephen at kangas.com
Fri Mar 18 12:58:56 PDT 2022


Since MikroTik came up as a subject (I’m a fan of theirs BTW), I thought I’d inform those here who may not already know about the recently discovered MikroTik vulnerability that enables attackers to use their Wireless Access Points (WAPs) and routers to obfuscate communications between the infamous TrickBot malware and its Command & Control (C2) server (CVE-2018-14847). This has the potential for using HamWAN, including client antenna/routers, as an entry point for exploitation of home networks and their attached Windows machines in particular.

TrickBot and their attackers accomplish this by using the SSH protocol to pipe commands remotely, and are able to infect MikroTik devices because they are among the rare ones that use a Linux-based OS, and they allow certain terminal command shell syntax that most other Linux shells do not allow. Among the other changes the attacker makes to the router and WAP is changing the admin password to prevent legit admins from regaining control.

To protect against this vulnerability in MikroTik products, make sure they are patched with their latest OS firmware (6.42 or higher), that remote access is turned off when not needed, and that strong passwords and ideally token certificates are used for remote access. Microsoft discovered this exploit and has released a tool for detecting related TrickBot activity, which wise people should run if they do not already have a robust network monitoring tool that detects this traffic and network device changes.

More info: https://arstechnica.com/information-technology/2022/03/trickbot-is-using-mikrotik-routers-to-ply-its-trade-now-we-know-why/

Stephen Kangas MSCSIA, W9SK

From: PSDR <psdr-bounces at hamwan.org> On Behalf Of Tom Hayward
Sent: Friday, March 18, 2022 9:21 AM
To: Puget Sound Data Ring <psdr at hamwan.org>
Subject: Re: [HamWAN PSDR] RANCID with mikrotik?

On Thu, Mar 17, 2022 at 11:54 PM Bryan Fields <Bryan at bryanfields.net> wrote:

Are you all running this up there?

We're running sort of an in-house equivalent to RANCID. It's just a bash script that does an /export and commits to a git repo:

https://github.com/kd7lxl/mikrotik-backup

It uses SSH with key auth.

It seems to still work.

Tom
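Tom's script itself is not on this page. The following is an added example (my own POSIX shell, not kd7lxl/mikrotik-backup) of the approach he describes, /export over key-authenticated SSH committed to git, written so that it also serves as the device-change detection Stephen asks for: a snapshot whose diff shows an admin or password change nobody made. It assumes a read-only RouterOS user named "backup" with its public key installed, an already initialised git repository in REPO, and the RouterOS export header format noted in the comments.

```sh
#!/bin/sh
# Added example (not the kd7lxl/mikrotik-backup script): pull a RouterOS
# /export over key-authenticated SSH, strip its volatile timestamp header and
# commit it to git so a device change you did not make shows up as a diff.
# Assumes a read-only RouterOS user "backup" (key installed) and REPO = git repo.
set -eu
REPO="${REPO:-${HOME:-.}/mikrotik-configs}"
BACKUP_KEY="${BACKUP_KEY:-${HOME:-.}/.ssh/mikrotik_backup}"

# Run /export on one router. BatchMode=yes makes ssh fail instead of
# prompting for a password when key auth is rejected.
fetch_export() {
  ssh -o BatchMode=yes -o ConnectTimeout=10 -i "$BACKUP_KEY" "backup@$1" '/export'
}

# RouterOS puts a line like "# mar/18/2022 09:21:00 by RouterOS 6.49.2"
# (format assumed here) at the top of every export. Remove it so an
# unchanged config does not become a new commit on every run.
normalize_export() {
  grep -v '^# .* by RouterOS ' || true
}

# Store the normalized export for $1 as REPO/$1.rsc. $2 names the fetch
# function (default fetch_export) so a test can supply a fake one. Returns
# 0 if stored (new or changed), 1 if unchanged, 2 if the export was empty.
save_export() {
  host="$1"; fetch="${2:-fetch_export}"; out="$REPO/$1.rsc"
  tmp="$(mktemp)"
  "$fetch" "$host" | normalize_export > "$tmp"
  if ! [ -s "$tmp" ]; then   # ssh or key failure: keep the old snapshot
    rm -f "$tmp"; echo "$host: export failed, nothing stored" >&2; return 2
  fi
  if [ -f "$out" ] && cmp -s "$tmp" "$out"; then rm -f "$tmp"; return 1; fi
  mv "$tmp" "$out"
}

# Stage everything, print the diff and commit. The diff is what to read:
# a user or password change nobody on the team made is the alarm.
commit_changes() {
  git -C "$REPO" add -A
  git -C "$REPO" diff --cached --quiet && return 0
  git -C "$REPO" --no-pager diff --cached
  git -C "$REPO" commit -q -m "Config snapshot $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

if [ "$#" -gt 0 ]; then   # usage: ./snapshot.sh router1 router2 ...
  for host in "$@"; do save_export "$host" || true; done
  commit_changes
fi
```

Run it from cron against every router and read the diff it prints; an empty or failed export is rejected rather than committed, so a router that stops answering key auth cannot silently overwrite its last good snapshot.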
