Analyzing RouterOS attack vectors and how to protect your network

All right, hello everyone, so let's start this one. This particular presentation will be a deep dive into MikroTik security, a security analysis of the recent MikroTik exploits and everything that's been happening in the MikroTik security world in the last year or so. We will talk about malware, and how malware and different attack groups and different entities utilize the exploits that were slowly found in RouterOS over the last year.

A bit about me: my name is Tomas, I was on a panel here previously, as you saw. I'm a system and network architect, but most of my passion is in automation and monitoring; those are topics I can talk about for hours on end. I've been a certified trainer and consultant for about eight years now at this point. I'm here with Unimus; we talked about us, so Unimus is a software solution for automation, mass config push, network-wide config search, basically anything you want to do at scale with your network. That's it, that's what we do: configuration management, disaster recovery, config backup, all of that. If you want to talk to me about Unimus, we have a booth down there, I will be happy to show you what we do and how we do it and everything else.

This is not for all of you here, but a lot of my presentations find their way onto the internet as PDFs, and this is for the people that find the PDF later on. The PDF is nice, but my talks are always very in-depth, I love doing deep-dive technical talks, and the videos have much more information than just the slides. So I have a YouTube channel; all of the videos of my talks are uploaded to my YouTube channel. Again, this is not for you but for posterity.

So why are we here, what are we going to talk about today? Well, the number of attacks against RouterOS, against MikroTik routers, has dramatically increased in the last year, and even more so in the last three months, and I'm sure some of you have seen articles on the internet talking about hundreds of thousands of MikroTiks being attacked and exploited around the world. It's been flying around, and actually even in the last week there have been articles from major news outlets about MikroTik security. So we are here to talk about all of that: we are here to discuss what has happened, how it has happened, and we are here to learn to defend by analyzing what has happened, by analyzing what the attackers used in the past, the vectors, and what the exploits did. We really want to learn how to prevent all of this from happening in the future. And then finally we will discuss the current situation, because there have been some developments actually just in the last couple of weeks, so we will talk about what's actually happening on the internet right now, what is the current up-to-date situation, what's being exploited, how you can defend yourself, all of the things that I just mentioned.

So a few things to discuss before we really start the presentation. First of all, RouterOS runs on Linux, so really, if you have access to the underlying Linux system, a MikroTik router can do anything a normal Linux machine can. Linux is at the core of RouterOS, and RouterOS of course runs on many different architectures like ARM, MIPS, TILE, PowerPC, x86; many different distributions of RouterOS exist. But really this is not an issue for the attackers at all. The fact that it's a router doesn't matter to the attacker; it's just a Linux machine for the attacker, because they can compile their payloads for the proper target architecture. They can either cross-compile, or they can even compile directly on ARM servers or MIPS boards. It just doesn't matter; for an attacker it's not a router, it's a Linux machine.

Then there are a few shortcuts or terms that I will use throughout this presentation that might need some explaining, probably not to you guys, at least hopefully you know all of these, but let's go over them. Hopefully everybody knows what WikiLeaks is, right? WikiLeaks is a wiki kind of website that leaks a lot of different internal and sensitive material from all kinds of different sources. Then there is the CIA and the NSA, which, being in the U.S., I think everybody knows what those agencies are and what they are responsible for. Then there is Vault 7, which we will have a slide on, but we can cover it now: Vault 7 was a very big leak which was published to WikiLeaks, which contained a lot of CIA / NSA attack toolkits, and that's where a whole lot of what we are going to discuss came from; more slides on this soon. Then there is RCE. RCE simply means remote code execution; it means that you can execute arbitrary code on the router or on the device you have RCE access on. And then there is C&C, which simply means command and control. In the security world, when you talk about C&C, command and control servers, those are the attacker-controlled servers that give commands to and control the individual exploited machines.

All right, so before we even begin, it is super important to say that MikroTik's default configuration was never affected by any of the exploits. There is one denial of service which affects even a default configuration of MikroTik, but no actual exploits that could result in a remote code execution, or that could result in an attack being performed on the router and the network behind the router. Default configurations were never affected. So for all of these things which we are going to discuss, and I don't want to point fingers because it's never that easy, but if you were affected by this, it is your own fault. Again, I don't want to point fingers, I know it's never as simple as that, but if you were affected, it is because you either modified the default firewall, or you reset the configuration and didn't configure a firewall at all, which is sadly super common, or you had a firewall but it was not sufficient because it was not protecting the management services on the router: web, SSH, Winbox, API, etc.

So this is not to shift blame to anyone, this is not to point fingers at anyone, but it is important to acknowledge MikroTik's role in this, and MikroTik's role really was that out of the box MikroTiks are secure, they are not exploitable by what we are going to talk about here. Certainly the bugs and the issues, the vulnerabilities, are in MikroTik RouterOS, so it's not like MikroTik is not to blame at all, but the point here is that every single vendor has bugs and vulnerabilities in their code. If you think big-boy vendor gear is not affected, just take a look at the Cisco ASA security advisories; take a look at Juniper, last year Juniper published eight high-severity vulnerabilities in a single day. So this is not just a MikroTik thing; in the security world, every single vendor, it's just the nature of software development: there will be bugs, there will be code paths which result in remote code execution which are not protected. This is normal. In the MikroTik world it hasn't been normal up until now, up until perhaps a year and a half ago. MikroTik was a very unknown vendor; sure, in our industry people know MikroTik and have been working with it for years, but worldwide, and really on the security and especially attacker radar, MikroTik really hasn't been there up until a year and a half ago. And since there were those high-visibility exploits that happened, MikroTik has gotten on the radar of a lot of these attackers that want to use them for their purposes. But this is normal, this is just how it is, and we just have to be prepared for it and we just have to defend ourselves properly. This is not uncommon; "switch to Cisco and that's the answer" is not how it works.

All right, so as I mentioned, the overall goal: we are here to learn how to protect ourselves from bad actors present on the internet, and basically we are going to see how to make a MikroTik network secure against outside exploitation, with an asterisk, because nothing connected to the internet is ever 100% secure. If you want 100% IT security, unplug the power and unplug the internet, that's the only way. But that doesn't mean we should not try our best, right?

So how did all of this happen? Let's get into a little bit of recent history. Everything, or well, most of the things that we are going to talk about here, came from Vault 7, and this happened when WikiLeaks published the CIA / NSA attack toolkits in March 2017. These leaks, what was named Vault 7, were not MikroTik specific; these were attack utilities for many systems, Windows, Linux in general, and for many routers. It included TP-Link, ZyXEL, D-Link, a ton of stuff, including MikroTik. By the way, this is available publicly at WikiLeaks, so here is a link if you ever want to go and read through all that. But for what we are interested in, a part of Vault 7 was a RouterOS attack module named Chimay Red, and this RouterOS attack module contained two exploits. These two exploits together form the majority of the issues that we have seen, and the majority of the attacks utilize these two exploits. So let's talk about them.

The first exploit that Chimay Red revealed, or that WikiLeaks revealed by the Vault 7 leak, was a remote code execution exploit utilizing TCP port 80. There was a vulnerability in the RouterOS web server, and just by seeing TCP 80, just by seeing the HTTP port open on the router, you had full remote code execution on the router, which means you had access to the underlying Linux system and you could do whatever you wanted. This is called module 1, or exploit 1, of Chimay Red, and this was quite bad because, as we mentioned, just by seeing the web interface of the router you were now in full control of that particular router. Of course, when you are in control of the underlying Linux system, you have full control to install whatever applications, deploy whatever attack payloads, whatever you want, which of course includes access to any RouterOS functions and doing whatever you want in RouterOS itself, since that's built on top of Linux.

So what did Chimay Red module 1 really exploit? Well, it was meant to, and really could be used to, deliver arbitrary payloads; it could really deliver anything to the router as long as the attack payload was compiled for the right architecture and flavor of Linux. Inside Vault 7 no exact payloads were really made available, so we don't know what the original intent of the CIA / NSA was and how they wanted to utilize these exploits; that was not part of the leak, and we don't know what it was actually used for. In the wild, though, there was a very widespread malware attack, or malware family, called VPNFilter. VPNFilter, or what was named VPNFilter, has nothing to do with VPNs, by the way; it's just an arbitrary name that was assigned to this exploit family. It utilizes the HTTP server vulnerability, but not much public data and not much public research is actually known about how bad actors utilized this on RouterOS, because VPNFilter affected many different vendors, including Cisco, TP-Link, Netgear, even Ubiquiti. VPNFilter was a big attack family that utilized many different exploits across many different vendors to build a very big botnet / zombie network. Since exploitation was actually not very widespread on RouterOS compared to the other vendors, and compared to the exploits that we will discuss further in this presentation, there is not much public research on what was done with the MikroTik routers that were exploited.

So how did MikroTik respond? Well, MikroTik released fixes to all branches of RouterOS pretty much immediately after Vault 7, so around March 2017. Note: VPNFilter hit in May 2018, a year later, and here we see something that will become a recurring pattern throughout this presentation: MikroTik released patches a year before this started being used for attacks in the wild. It's just that people don't update their routers, so a year after patches were available, people were still getting exploited and hit by this malware. So what was the impact? Quite small for MikroTik compared to other vendors, and especially compared to what we will discuss next. As I mentioned, the default config was never affected, and therefore it seems actually that most of the MikroTiks on the public web have a firewall for the web service. The combination of these factors made VPNFilter not such a huge widespread problem for the MikroTik community, although it was a big problem for the communities of the different vendors that we mentioned.

Okay, so how could you have defended against this, or if you were exploited, what could you have done to not be exploited by this? It is super simple: just a firewall. As we said, VPNFilter utilized HTTP port 80, so the web server within RouterOS; if that was firewalled, you could not have gotten exploited. So simply do not allow public access to the web service, that's option one. Option two, make sure your RouterOS is up to date. This was fixed a year before it was exploited in the wild, so even if you didn't have firewalling on the web service, if you updated at least once in that year of timeframe between the fix and the exploit, you would have been okay.

All right, so if you were exploited, how to remediate? The only answer here is Netinstall. Anything less than Netinstall is not a fix, because this was an RCE, remote code execution; the underlying Linux was compromised. This means the attackers can easily create hidden partitions, they can load things into the init system of Linux, they can do all kinds of things, so just a configuration reset will not fix it. I have seen myself routers where you reset the configuration, system reset-configuration, doesn't matter, even if you do no-defaults, doesn't matter; as soon as the router has connectivity to the world, you will see one megabit of uplink traffic. You have a zero-configuration RouterOS, but you Torch the interface and you see traffic in Torch, because there is traffic on the interface. So the only answer for how to remediate is Netinstall, it's the only answer. If there was an RCE, you have to Netinstall to make sure you have a clean system, and this is because what Netinstall does is it actually formats the flash and then installs a clean RouterOS. When you format the flash, even if it's in a hidden partition or whatever, that goes away and you have a clean system. So that's the only solution.

All right, so while all of this was happening, let's switch gears a little bit and let's talk about the second exploit that came in during the VPNFilter era, and that exploit was actually a Winbox client-side exploit, which means you could attack the administrator's workstation through an infected router. This is a completely different attack, because now we are attacking the administrator's workstations themselves. So how does this work? As we mentioned, while Chimay Red module 1 / VPNFilter was going wild on the internet, a new exploit was discovered, which is a malicious DLL delivery through Winbox. Basically, how Winbox worked, in the past tense because this has now since been fixed also: Winbox would load and execute arbitrary DLLs delivered as part of connecting to older RouterOS versions. This was a legacy connection mechanism; this was in Winbox version 3 when connecting to RouterOS version 5 routers. As part of how Winbox worked with version 5, the router itself sent DLLs to Winbox, and Winbox loaded and executed those DLLs that were delivered from the router. As I said, this was in version 5, not in version 6 anymore; in version 6 the router doesn't send any DLLs to Winbox anymore, but Winbox still supported this for backwards compatibility, for connecting to older routers with the new Winbox. Sadly, no signing or verification of the delivered DLLs was done, and this allowed arbitrary code execution on the system running Winbox. So this, as we mentioned, is an attack on the computer of the admin connecting to the MikroTik; in effect, somebody could compromise your PC just by having you connect to a malicious router with Winbox.

So let's visualize this, and it's fairly simple: you just have an infected MikroTik, you connect with Winbox to the infected MikroTik, and suddenly your PC has been pwned. Malicious DLLs were delivered from the infected MikroTik, those DLLs were loaded and executed by Winbox, and now you have a rootkit on your personal computer. So when did this appear? Actually in March 2018 the first Winbox DLL injection exploits were discovered running in the wild. How this worked: it was a two-stage exploit, so Chimay Red was used to deliver a payload to the router, and then when the administrator connected to the router with Winbox, that was used as a second stage to deliver a malicious DLL to the computer and infect the administrator's computer. So it's a two-stage exploit.

MikroTik's response: as always, MikroTik responded very fast. A new version of Winbox was released in short order, in a matter of days after this had gone public, and Winbox does not support loading DLLs anymore at all. This has a side effect in that connecting to older RouterOS devices is no longer possible with newer versions of Winbox; newer versions of Winbox v3 cannot connect to RouterOS v5 anymore, because they simply do not accept DLLs at all. So what was the impact of this? Well, the impact is actually unknown, but it is very likely to be extremely small, first of all because this was a two-stage exploit, second of all because with VPNFilter, MikroTik was not really affected that much by it. So yeah, it's a two-stage exploit and you have to somehow coax the admin to connect to an exploited router. But it is speculated, and there is some research by security researchers that shows, that this attack was actually used as very narrow, targeted, focused attacks by specific state actors against specific targets. These are just rumors, there are of course no official confirmations of this, there are just security researchers who try to figure out what happened and how it happened. So you are very unlikely to have been affected by this; it was just very focused and specific attacks against a certain group of people.

So how could you have defended? Well, first of all, keep your Winbox up to date; if you update Winbox you are no longer vulnerable. Second of all, protect your router so that it doesn't get seeded with malicious DLLs; as we mentioned, this was a two-stage attack, so if your router couldn't get exploited, you could have never gotten exploited further using the second stage. And number three, don't connect to unknown routers, because if you connect to an unknown router you don't know what the state of that router is, and therefore it could be used to seed those malicious DLLs to you.

So just to break it up a little bit so nobody falls asleep: how many of you use PuTTY / WinSCP? All right, almost everyone, wow, great. So just so you don't think that this is MikroTik specific: attacks aimed at the admin workstation are not limited to MikroTik and Winbox. Just because this happened to Winbox doesn't mean that it doesn't happen somewhere else. Specifically, in March this year, two weeks ago, multiple high-severity vulnerabilities were announced in PuTTY. These actually allow an attacker to deliver malicious payloads to your workstation just by having you connect to an SSH session using PuTTY. So this is not just a Winbox thing, and again, this will be a recurring thing through this presentation: security is complicated, and you have to really watch every step of what you are doing and make sure you're up to date on everything. So this is not MikroTik specific; you could be getting a rootkit on your personal computer today if your PuTTY version is not up to date, because of two weeks ago, and this is the same for WinSCP, by the way. I have the fixed versions here for you: this was patched in PuTTY 0.71, which came out two weeks ago, and in WinSCP 5.15, which came out about two days after the PuTTY fixes. So if you are here, please update your PuTTY, please update your WinSCP, please update your KiTTY and mRemoteNG and all the other suite of software that uses PuTTY at the back end, which you may not even know about, and don't connect to unknown routers and unknown SSH services, because, sadly, that's the state of security that we live in: simply by opening an SSH session you might get a rootkit delivered to your computer.

All right, so how to remediate? This is a complicated one, since the attack was actually done against the OS of the administrator's workstation. Remediation paths are not simple here, and reinstalling your operating system might not be enough, and most probably, if you were ever exploited by this, reinstalling your system will not be enough, because malware can commonly hide in the MBR, in recovery partitions, even in the BIOS, and specifically even in chip firmware. Malware can these days hide inside of your processor, and how that happens is, especially with the recent Meltdown, Spectre, RyzenFall, MasterKey, Foreshadow, there has been a lot of security things happening lately in the world, and so malware can actually hide in your processor's chip firmware. So how to remediate a user workstation really infected by a rootkit, or malware, is way out of scope of this presentation. If you want the simple answer: get a new computer. Yeah.

All right, so to switch it up a little bit, as time progressed and all of these things were happening, we now come to the biggest happening in the MikroTik security world ever, which is the Winbox arbitrary file read vulnerability. How are we doing on time? Not bad. All right, so basically this was what was called module 2 of Chimay Red, and module 2 of Chimay Red allowed arbitrary file read through Winbox. Just by seeing TCP port 8291 open, the Winbox port, if it was reachable to me, I could read any files on the router through this vulnerability. All of the previously discussed exploits were rather low impact compared to this and compared to what has been happening in the last six to eight months. So let's talk about the current situation, because now these exploits are running in the wild even right now as we speak, so let's talk about what's happening, what's happening in the wild, and how it works and why, etc.

Chimay Red module 2 allowed arbitrary file access through a Winbox vulnerability. Essentially this allowed anyone to retrieve the contents of the file system, and I'm not talking RouterOS files, I'm talking the underlying Linux file system, just by seeing the Winbox port open. As it turns out, when you can read the file system, one of the files on the file system is the username/password database. So just by seeing the Winbox port open, I could now suddenly read the user database, pull the router user database, and in the database I had a username and password, which now I could use to actually open a Winbox session to manage the router, or even SSH or anything. So this was called the Winbox directory traversal vulnerability, and it allowed unauthenticated attackers to retrieve the user database of the router, and afterwards they could connect through any management service, because they now had valid usernames and passwords. They could just connect to your router and do whatever they wanted to do inside MikroTik RouterOS. So essentially, if I saw TCP 8291, the Winbox port, open, I owned the router; it was mine.

In the first days of August 2018 was when this particular attack vector started being really massively utilized, and a botnet attack successfully exploited over 200,000 routers in Latin America. This was the first wave of mass router exploits / attacks, and that was the first time the Winbox vulnerability was used. So what was MikroTik's response? Ha, do you see the recurring pattern yet? This was patched half a year before it was used to exploit all of those routers. Here are the patched versions. This was fixed for half a year, and yet it managed to successfully exploit 200,000 routers in its first week of public exploitation across the internet. That's just the first week; now we are going to get a little bit further. There are actually many different variations of malware running wild using Chimay Red module 2; I know of at least six different separate families of malware that are distributed by various botnets.

So what was the impact? The impact was huge. It turned out many, many, many routers had the Winbox port publicly accessible to the internet. In Latin America alone 200,000 routers were exploited, and since the discovery of this original exploit, security researchers estimate around 600,000 MikroTik routers around the world have been exploited by Chimay Red module 2, and currently, as we are speaking, there are about 400,000-plus routers still vulnerable, waiting on the internet to be exploited. So the impact here is huge.

So let's talk a little bit about what the attackers actually did once they had access to these routers. What did the malware do, what was the point? What started it was the original variant 1, what I call the original attack family, and its goal was very simple: to mine cryptocurrency, to make money. The original malware wave inserted crypto-mining JavaScript into any website visited by the client behind the router. Very simple: you browsed the internet behind an infected router, you were mining Monero. Monero is one of the cryptocurrencies out there which can be mined in JavaScript, so you browsed the internet and you mined Monero for the attackers. Attackers were slowly identified and caught, multiple Monero wallets were identified, some were seized, there was a lot of drama on the internet as it happens, and it was generally not fun for the people affected by this.

So how was this done? At this point in time, as we mentioned, this was in the first days of August 2018, so like half a year ago. At this point in time, with this particular vulnerability, the directory traversal vulnerability, the attackers were only able to gain RouterOS access; this changed later, but let's leave later for later. So at this particular point, utilizing this attack vector gave the attackers access to RouterOS, and by having access to RouterOS they enabled the web proxy, and NAT rules were inserted to transparently redirect any web traffic to the web proxy. Real sneaky, real smart. Then multiple scripts were put on the router that served as command and control delivery methods, so schedulers were configured to pull configuration from C&C servers, which gave the attackers a way to update the payloads on the router.

So let's visualize this; it was rather simple. Any computer behind an infected router wanted to go to the internet; on the router you had a NAT redirect rule which transparently redirected that web traffic to the web proxy; then the actual web page was retrieved, but when it was retrieved, the malicious JavaScript was inserted into the web page and passed to the client, and therefore the client, completely unbeknownst to the client, was getting the mining JavaScript injected into all of his web traffic. So what were the common symptoms on the exploited routers? There was a service user that was created, a bunch of new scripts were added to the routers, a new scheduler entry was added which served as the way for the command and control to pull new configurations, the proxy was enabled, NAT and firewall were modified, and the attackers were very nice to set your log size to one, just so you wouldn't know what has happened to your router. So that was the first generation.

Soon after, literally a couple of weeks after the first generation of attacks, the attacks started evolving, and what came next was what I personally call the second generation of attacks, which was even more sophisticated because it set up SOCKS on the router, and by setting up a SOCKS proxy on the router this allowed attackers direct access to the local network behind the router through the SOCKS proxy, and the proxy was also used to attack third-party services anonymously. So how was this done? Easy: the SOCKS proxy was turned on, and if any of you know what a SOCKS proxy is, it is a proxy that can proxy arbitrary packets to the inside of the network, or at least that's how it was used in this particular case. Basically attackers could directly attack machines on the LAN; it doesn't matter if the machine has a private IP address, none of it matters, there is a SOCKS proxy, you can attack it directly, and the internal network was completely open to the attacker. And also, as we mentioned, having that proxy on the router allowed attackers to anonymously attack third parties. So let's visualize it: there was an attacker on the internet, there was an infected MikroTik, there was a PC on the local network, and the attacker just directly connected and exploited or attacked the local network resources. The other option was that attackers used the SOCKS proxy to anonymously attack third-party victims, and this is because utilizing the proxy masks the attacker to the victim: the attack seems to be coming from the infected router. All right, so symptoms: the symptoms were very similar to variant one, so a service user was set up, all of the scripts and schedulers and everything were set up, but on top of that a SOCKS proxy was enabled and configured to facilitate those other attacks that we just discussed.

All right, so the attacks were getting much more sophisticated, and actually variant 1 and variant 2 soon merged into a single malware attack family, and now you could find web proxy and SOCKS and everything else deployed together really commonly. This gives you an idea that either the same attackers were behind both of these particular attack variants, or they just got together and shared and pooled their resources, or who knows what happened; we will never know.

All right, so variant three. Not long after the first generation came more new attacks and more new variants; the attackers were getting really crafty at this point. This time, for variant three, DNS interception and redirection was the goal. As it turns out, when you have control of the router, you can enable the DNS server and then you can use a malicious DNS upstream server; basically, by this you gain complete control of traffic routing from the client. And on top of this, in NAT you set a transparent DNS hijack, so basically redirect all TCP/UDP 53 traffic to the router. It didn't matter if the local network used 8.8.8.8 or 1.1.1.1 for their DNS; nope, all DNS requests were transparently hijacked and redirected to the DNS server on the router, which then used malicious upstream DNS servers, and in this way the attackers gained complete control of traffic routing from the local network. This is pretty scary, as you can imagine, because now the attacker literally controls all the traffic flows out from the network behind the infected router. So if you are an ISP, which you probably are, being here, if your edge router got exploited, your entire network downstream, all of your customers, were at the complete mercy of the attackers, and attackers could forward the traffic and route the traffic, route not from a networking perspective, I hope you know what I mean here, wherever they want. And there are so many possible attacks here that you could bootstrap by this mechanism. You know, did you go to your internet banking web page? Well, you might think you have, because the DNS, the FQDN, is right, but where is the traffic really going? If your DNS is compromised, it can go anywhere. So there are so many social engineering attacks, there are so many phishing attacks that can be done, it's ridiculous.

All right, so let's visualize this. A client wants to go to a website, and therefore the client needs to resolve the DNS into an IP address, so he wants to go to his actual configured DNS server, which might be Google or 1.1.1.1. Well, the infected router just captures the traffic, forwards it to a malicious DNS server, and returns the response, which is completely malicious, back to the client. So actually, since this third variant of exploits, many more variants of exploits have appeared in the wild. We even saw some super crazy variants of exploits that actually used the MAC address of ether1 as an identifier, so they could control the payload delivery to individual routers, or they could geographically target specific routers and instruct them to do different things. It's quite crazy and quite crafty what the attackers can come up with, and this basically allowed the attackers to focus attacks on individual people even, or individual network locations, or geo-focused attacks, etc., etc.

So then the attackers got even more crafty. As it turns out, when you have control of the router, you can see the traffic passing through the router, so there was another new variant of exploit, and this time capture of unencrypted traffic passing through the router was the objective of the attackers. Any Telnet, FTP, POP/IMAP, SMTP, HTTP, SNMP, any unencrypted traffic going through the router was captured, usernames and passwords were stripped out and sent to the attackers. So if you went to your email server, or your email, through an infected router and it was not secured using TLS, immediately the attackers would have your email credentials. The visualization here is again simple: any PC on the local network behind the infected router goes to an email server or goes to an HTTP website, that traffic is captured, analyzed, and usernames and passwords are sent to the attackers.

So altogether now, as we said, this is running on the internet live even right now, so this is all happening as we speak, and the most current active exploit attack patterns are staying the same as what we have just discussed: web traffic interception and injection using the HTTP proxy, using SOCKS to proxy attacks directly into the local network, DNS hijacking to redirect traffic, and capture of unencrypted protocols. All of this is happening right now on the internet. Signs of infection: this is just a summary of everything that we have just discussed, so I'm just going to skip this.

So how could you have defended? This is some scary stuff; how could you have defended against this? Well, I don't like to repeat myself, but I have to: if only you had a firewall. All of this would have not been possible if the management services on the router were properly protected using a firewall. Do not allow public access to the Winbox service, that's it, that's the only thing that's needed to be safe. So secure access to your Winbox with an address list, user management, VPN, use port knocking, use whatever, just don't open your management services on the router to the public internet, and make sure your router is up to date. As we have mentioned, this was fixed for half a year by MikroTik before it started getting utilized for attacks around the internet. So yeah, I'm sorry, I just have to repeat what I said: MikroTik default configurations were never affected; if anybody was affected, I don't want to put blame, I don't want to point fingers, but we have to accept
the fact that if anybody was accepted was affected it really was because the router was configured in an unsecured way all right so a little side note how to protect yourself configuration change notifications it's very simple all of these attacks relied on changing the configuration of the router so if you have configuration change notifications you would have known your router got exploited so make sure you have some configuration management such monitoring solution in your network a little plug for myself here sorry check out enemies it's exactly what we do so if if you had configuration change notifications you would have known that something was done to a router and you would have seen that there were sock socks proxy and web proxy and all of that enabled which hopefully would have you know tick to you of that something is not as it should have been alright so how to remediate so for variant 1 & 2 we actually have a blog article on unum s dotnet on our blog there is tons of commands there is like a ton of mikrotik router s commands that basically disinfect your router quote quote for generation 2 so the DNS attacks fix DNS and fix net check out the article if you want to know more alright so for newer exploits remediation is actually more complicated because you have to check the entire configuration of the router for things that should not be there like the traffic capture through through my critiques traffic sniffer etc etc etc so check your entire configuration if you want to be safe just not installed and they're configured from scratch optionally again I have to say have backups have backups of your network if you have a backup simply recover from a backup before the infection point I'm sorry I have to plug in amis again because it's one of the things that we do but have some kind of a backup solution in your network like UNIMAS or others that are out there all right super important change passwords as we mentioned the user database of the router was 
leaked or was captured by the attacker through the directory traversal vulnerability and I have seen so many people complaining on the Internet oh hi updated router Oh as I implemented this and dead and I'm not installed and I reconfigured my routers and two hours later it was reinfected stupid mikrotik it didn't really fix your crap well no if you don't change your username password the attacker has your username password you can reset the router and reconfigure it if you don't change the username and password you will get reinfected again because the attacker captures captured those usernames passwords in the first place so make sure to update your usernames passwords alright so as time went on things got even more serious because until October or up until October the the directory traversal vulnerability up until October could only be used to retrieve that user database from the router but in October 2018 there was a new a new discovery how to use this directory travel server owner ability for RCE for remote code execution and this means that since October 2018 figs have gotten much more dire so what's happening as we mentioned around 400,000 my critics around the world are still vulnerable and now that the remote code execution exploit exists through the directory traversal vulnerability it opens a whole new world of possibilities to the attackers because it means that now just by seeing TCP 20 to 80 and 91 the VIN box port just by seeing the Vil box Perl open I own the router completely I have access to the underlying Linux now and so yeah attackers will be able to install crypto mining software directly on the routers so your routers might now be mining crypto for the attackers the attackers can install malware that won't go wave and resetting the configuration as we mentioned they can set up hidden partitions they can change the init scripts and the init system inside of the router there is all kinds of stuff they can attack the local network directly from 
the router they can install whatever they what they want on the router and attack the network they can attack the ISPs infrastructure directly from the routers of their customers etc etc etc there is so many things so as we have said before if your router has ever got compromised or will be compromised in the coming days the only way to be safe is to not install the router because there is an RC e and using the RC the attackers have access to the underlying Linux so the only way to be safe is to not install so now let's go even further so in February 2019 yet another new exploit was published and this one was utilizing the dude' agent there is a dude agent inside of the system router s package a vulnerability was discovered a loving arbitrary packet forwarding to the internal network using the dude agent so this allows the attacker to attack the internal network through a mikrotik just by saying again just by seeing the VIN box port open so what is the answer have firewall don't expose the window VIN box port to the public Internet so visualization is super simple there is an attack server on the Internet there is a vulnerable mikrotik and the attack server directly attacks the local network through this vulnerability as the story goes and as the repetition goes this has already been fixed and patched by mikrotik for your information these are the fixed versions so this is already fixed make sure you are up-to-date or you have a firewall and now we go to last week so last week a new ipv6 vulnerability was discovered and published on the Internet this one however it's just a do s vulnerability a denial of service not a remote code execution vulnerability and this particular one basically a router reboot can be triggered with specifically crafted ipv6 packets and as the story goes yet again this has been patched by my critic so make sure you're up to date if you are running ipv6 this basically means that anybody can reboot your router and so please make sure you 
update please make sure you are safe from this this is a rather yeah so what are your takes away takeaways from this presentation what what should you do to be safe and and to not fall to any of these things well first of all secure the management ports on your routers it's that simple it's what I mentioned and what I have been sadly repeating from the start just have firewall and update your router s and update your VIN box not install all the affected routers and make sure to change passwords on all the routers that are ever affected by any of the exploit and have configuration change notifications have backups have you Nima's or something similar that does this for you which makes it much easier to spot when this happens to your network and makes it much easier to recover when this happens to your network so that's it how are we doing on time okay we don't have time for any questions sorry if you have any questions just come and see me I am down there at the booth I will happily talk to you so some additional resources as I mentioned I have a YouTube channel all of my videos I really like doing technical in-depth presentations I have stuff on IP Saigon MPLS VPN s automation you can find all of that in my youtube channel I am a part of the brothers with as you saw on the previous panel bi-weekly networking podcast so give us give us a listen to if you like and thank you very much for your attention if you have even one to talk about this if you have any question just find me down there at the universe booth thank you [Applause]
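As an added example (not the speaker's or Unimus' code), a small Python checker that scans a RouterOS `/export` for the signs of infection the talk lists (web proxy, SOCKS, DNS redirect plus remote requests, sniffer streaming) and for the missing input-chain firewall protection of Winbox. The sample export is constructed, and the "no input drop rule" test is a heuristic assumption, not a RouterOS rule.

```python
import re

# Constructed /export sample (not a real capture) carrying the indicators the talk lists.
INFECTED_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=203.0.113.53
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes port=4145
/tool sniffer
set streaming-enabled=yes streaming-server=203.0.113.99
"""

def parse_export(text):
    """Yield (section, command, {key: value}) per line of a RouterOS /export."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join backslash-continued lines
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                # menu path, e.g. "/ip socks"
            section = line
            continue
        kv = {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}
        yield section, line.split()[0], kv

def scan(text):
    """Return findings: signs of infection plus missing management-port protection."""
    items = list(parse_export(text))
    def present(section, **want):   # some command in `section` has every key=value in `want`
        return any(s == section and all(kv.get(k) == v for k, v in want.items())
                   for s, _, kv in items)
    findings = []
    if present("/ip proxy", enabled="yes"):
        findings.append("web proxy enabled (variant 1: HTTP interception/injection)")
    if present("/ip socks", enabled="yes"):
        findings.append("SOCKS proxy enabled (variant 2: attacks into the local network)")
    if (present("/ip dns", **{"allow-remote-requests": "yes"})
            and present("/ip firewall nat", chain="dstnat", action="redirect", **{"dst-port": "53"})):
        findings.append("port 53 redirected to router DNS with remote requests on (variant 3: DNS hijack)")
    if present("/tool sniffer", **{"streaming-enabled": "yes"}):
        findings.append("traffic sniffer streaming to a remote host (credential capture)")
    # Heuristic: with no input-chain drop rule, Winbox (TCP 8291) is reachable from anywhere.
    if not present("/ip firewall filter", chain="input", action="drop"):
        findings.append("no input-chain drop rule: Winbox (TCP 8291) likely exposed to the internet")
    return findings
```

Run `scan()` over the export of each router after a configuration-change notification fires; an empty list means none of these indicators are present.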
Info
Channel: MikroTik
Views: 1,585
Rating: 4.8709679 out of 5
Keywords: mikrotik, routerboard, routeros, latvia
Id: c2JxTHgxsqg
Length: 50min 8sec (3008 seconds)
Published: Tue Apr 09 2019