[HamWAN PSDR] RANCID with mikrotik?
Nigel Vander Houwen
nigel at nigelvh.com
Fri Mar 18 13:12:34 PDT 2022
While this is OT for this thread, I will respond for the benefit of the rest of the mailing list.
This is not a new vulnerability in MT devices. CVE-2018-14847 is from a few years ago and regarded an issue in the WinBox management interface that allowed for compromise of the modems. While we do recommend keeping your devices up to date, which addresses this vulnerability, HamWAN Network Operations has for several years now blocked the WinBox management port at our internet facing edges to prevent inbound attacks like this.
The rest of the described attack simply uses the router as designed and sets up a NAT rule. There isn’t a new compromise allowing this behavior.
So the standard recommendations of not using the default admin password, and keeping the device up to date are the cures here.
Thanks,
Nigel
> On Mar 18, 2022, at 12:58 PM, Stephen Kangas <stephen at kangas.com> wrote:
>
> Since MikroTik came up as a subject (I’m a fan of theirs BTW), I thought I’d inform those here who may not already know about the recently discovered MikroTik vulnerability that enables attackers to use their Wireless Access Points (WAPs) and routers to obfuscate communications between the infamous TrickBot malware and its Command & Control (C2) server (CVE-2018-14847). This has the potential for using HamWan, including client antenna/routers, as an entry point for exploitation for home networks and their attached Windows machines in particular.
>
> TrickBot and their attackers accomplish this by using the SSH protocol to pipe commands remotely, and are able to infect MikroTik devices because they are among the rare ones that use Linux-based OS plus they allow certain terminal command shell syntax that most other Linux shells do not allow. Among the other changes the attacker makes to the router and WAP is changing the admin password to prevent legit admins from regaining control.
>
> To protect against this vulnerability in MikroTik products, make sure they are patched with their latest OS firmware (6.42 or higher), remote access is turned off when not needed, strong passwords and ideally token certificates are used for remote access. Microsoft discovered this exploit and has released a tool for detecting related TrickBot activity which wise people should run if they do not already have a robust network monitoring tool that detects this traffic and network device changes.
>
> More info: https://arstechnica.com/information-technology/2022/03/trickbot-is-using-mikrotik-routers-to-ply-its-trade-now-we-know-why/ <https://arstechnica.com/information-technology/2022/03/trickbot-is-using-mikrotik-routers-to-ply-its-trade-now-we-know-why/>
>
> Stephen Kangas MSCSIA, W9SK
>
>
> From: PSDR <psdr-bounces at hamwan.org> On Behalf Of Tom Hayward
> Sent: Friday, March 18, 2022 9:21 AM
> To: Puget Sound Data Ring <psdr at hamwan.org>
> Subject: Re: [HamWAN PSDR] RANCID with mikrotik?
>
> On Thu, Mar 17, 2022 at 11:54 PM Bryan Fields <Bryan at bryanfields.net <mailto:Bryan at bryanfields.net>> wrote:
>> Are you all running this up there?
>
> We're running sort of an in-house equivalent to RANCID. It's just a bash script that does an /export and commits to a git repo:
> https://github.com/kd7lxl/mikrotik-backup <https://github.com/kd7lxl/mikrotik-backup>
>
> It uses SSH with key auth.
>
> It seems to still work.
>
> Tom
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.net/mailman/listinfo/psdr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20220318/9712d42e/attachment.html>
More information about the PSDR
mailing list