[MART] - Daily Diary #472 - TrickBot targeting MikroTik routers

CTAS-MAT ctas-mat at appgate.com
Thu Mar 17 21:01:57 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

03/17/2022 - Diary entry #472

The TrickBot botnet has been covered in many of our Daily Diaries. Most recently, in our Daily Diary #457, we covered how the Conti Syndicate adopted TrickBot into its toolkit. TrickBot is a multi-purpose botnet. It has been used in several attacks to build a network of infected computers inside a private network, moving laterally and deploying modules to exploit vulnerable services, exfiltrate information, and deploy other malware.

A new version of TrickBot has been found compromising MikroTik routers and using them as proxies for its C&C servers, redirecting traffic through a series of proxy nodes to disguise the real IP address. The MikroTik routers are compromised through password brute-force attacks or by exploiting vulnerabilities (namely, CVE-2018-14847). After getting admin access, it changes the router password to keep access, and then adds a NAT rule to redirect traffic between ports 449 and 80, allowing TrickBot to use the router as a proxy node.

It's not the first time botnets have been found compromising routers to launch attacks into networks. Routers and other IoT devices are rarely updated by the common user, so they tend to accumulate vulnerabilities that can be exploited by advanced threats. Besides, it's hard to find security solutions that can detect threats or malicious configurations on such devices. We highly recommend that companies keep the firmware of every device in the network up to date and constantly verify their configuration, looking for tampered or wrong entries that can be used in an attack.

Kind Regards,



Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
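
One way to carry out the configuration check recommended in the entry, as an added example that is not part of the original message or Appgate's tooling: it parses the text of a RouterOS "/ip firewall nat export" and returns NAT rules that map port 449 to 80 or 80 to 449. The sample export, its addresses and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of `/ip firewall nat export` output (documentation IPs).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input dst-port=449 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="web server" dst-port=8080 \
    protocol=tcp to-addresses=192.0.2.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp \
    to-addresses=203.0.113.7 to-ports=80
"""

def logical_lines(text):
    """Join export lines that end with a backslash continuation."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf:
            yield buf
        buf = ""

def ports(value):
    """Expand values such as '80,449' or '440-450' into a set of ints."""
    out = set()
    for part in filter(None, value.split(",")):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (hi or lo).isdigit():
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def suspicious_nat_rules(export_text):
    """Return NAT rules that map port 449 to 80 or 80 to 449."""
    hits, section = [], ""
    for line in logical_lines(export_text):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            src, dst = ports(rule.get("dst-port", "")), ports(rule.get("to-ports", ""))
            if (449 in src and 80 in dst) or (80 in src and 449 in dst):
                hits.append(rule)
    return hits
```

A hit is a prompt for review, not a verdict: compare it against the rules the router's administrator actually created.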
