MikroTik Reconnaissance Attacks

After a long break, a migration to a new information stack, and a redrawing of the information pipelines, I pulled up the data being collected from my honeypot. This simple technique was informative and simple enough to understand at a glance that I figured it would be worth writing up what I found, along with some theories about what the threat actor was doing.
Before going any further I want to say that MikroTik routers are fine when configured correctly, but like most devices, if they are left unconfigured or misconfigured they can be vulnerable.
Attack Synopsis
After gaining access to the system, the attacker runs a series of commands to find out what they have landed on. The commands can be found below. First they check whether they are on a MikroTik router by using the **/ip cloud print** command, which dumps out some valuable information about the hardware and software running on that router. MikroTik routers have been known to ship with insecure default configurations that left them vulnerable and made them an asset to crypto miners; they made their way into the headlines in 2018. You can read more about this in the Avast blog post [MikroTik Mayhem.](https://blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast)
Next the attacker checks which network interfaces exist on the system, most likely in an attempt to work out what kind of infrastructure they are running on. Once they see that the system has only a single network interface, they gather some more information about the processor and check whether a cryptominer is already installed.
The last step before discovering that they are on a bunk system is to check whether they are on an Android device by probing some common files, directories and executables found on Android systems.
Once they find nothing, they run the **echo Hi | cat -n** command as a signature and a little message to the defender, how kind.
You can read another blog post with more details about this exact attack, by malwaremily on Medium, named [Honeypot Logs: A Botnet's Search for Mikrotik Routers](https://malwaremily.medium.com/honeypot-logs-a-botnets-search-for-mikrotik-routers-48e69e110e52)
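The recon sequence above is distinctive enough to detect in honeypot or shell-audit logs. The following is an added example (not from the original post, and not tied to any particular honeypot's output format): it groups commands by session, maps each command to one of the reconnaissance steps described above, and flags a session when it runs the MikroTik probe or hits three or more distinct steps. The log lines, session ids and source addresses are constructed for the example; the `timestamp session source CMD: command` layout is an assumption, so adapt `LOG_LINE` to whatever your honeypot emits.

```python
"""Flag the MikroTik/Android reconnaissance sequence in honeypot shell logs.

Added example, not from the original post. The 'ts session src CMD: cmd'
line layout below is an assumed, simplified format; the sample log is
constructed.
"""
import re
from collections import defaultdict

# Each entry is (category, regex). Categories follow the steps the post
# describes: MikroTik check, interface enumeration, OS/CPU probing, miner
# check, Android/modem file probing and the 'echo Hi' signature.
RECON_PATTERNS = [
    ("mikrotik_probe", re.compile(r"^/ip\s+cloud\s+print\b")),
    ("iface_enum", re.compile(r"^(ifconfig|ip\s+(addr|link))\b")),
    ("host_probe", re.compile(r"^(uname\s+-a|cat\s+/proc/cpuinfo)\b")),
    ("miner_check", re.compile(r"^ps\b.*\bgrep\s+'?\[Mm\]iner")),
    ("android_probe", re.compile(r"/dev/ttyGSM|/dev/modem|/var/spool/sms|smsd\.conf|qmuxd")),
    ("signature", re.compile(r"^echo\s+Hi\s*\|\s*cat\s+-n\b")),
]

# Assumed log layout: "<timestamp> <session-id> <source-ip> CMD: <command>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<session>\S+)\s+(?P<src>\S+)\s+CMD:\s*(?P<cmd>.*)$")

# Constructed sample: session a replays the sequence from the post,
# session b is an unrelated, less suspicious login.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z sess-a 198.51.100.7 CMD: /ip cloud print
2024-01-01T10:00:01Z sess-a 198.51.100.7 CMD: /ip cloud print
2024-01-01T10:00:02Z sess-a 198.51.100.7 CMD: ifconfig
2024-01-01T10:00:02Z sess-a 198.51.100.7 CMD: uname -a
2024-01-01T10:00:03Z sess-a 198.51.100.7 CMD: cat /proc/cpuinfo
2024-01-01T10:00:03Z sess-a 198.51.100.7 CMD: ps | grep '[Mm]iner'
2024-01-01T10:00:04Z sess-a 198.51.100.7 CMD: ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/*
2024-01-01T10:00:04Z sess-a 198.51.100.7 CMD: echo Hi | cat -n
2024-01-01T10:05:00Z sess-b 203.0.113.9 CMD: uname -a
2024-01-01T10:05:01Z sess-b 203.0.113.9 CMD: ls -la
2024-01-01T10:05:02Z sess-b 203.0.113.9 CMD: exit
""".splitlines()


def classify(cmd):
    """Return the recon category a command belongs to, or None."""
    cmd = cmd.strip()
    for category, pattern in RECON_PATTERNS:
        if pattern.search(cmd):
            return category
    return None


def analyze_sessions(lines, min_categories=3):
    """Group commands by session and flag sessions that look like this recon.

    Returns {session: {"src", "commands", "categories", "flagged"}}. A session
    is flagged when it runs the MikroTik probe at all, or when it touches at
    least `min_categories` distinct recon steps.
    """
    sessions = defaultdict(lambda: {"src": None, "commands": 0, "categories": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a command record; ignore
        s = sessions[m["session"]]
        s["src"] = m["src"]
        s["commands"] += 1
        category = classify(m["cmd"])
        if category and category not in s["categories"]:
            s["categories"].append(category)  # first-seen order
    for s in sessions.values():
        s["flagged"] = ("mikrotik_probe" in s["categories"]
                        or len(s["categories"]) >= min_categories)
    return dict(sessions)


if __name__ == "__main__":
    for session, info in analyze_sessions(SAMPLE_LOG).items():
        status = "FLAGGED" if info["flagged"] else "ok"
        print(f"{session} {info['src']} {status} steps={','.join(info['categories'])}")
```

The categories are kept per session rather than per command because a single `uname -a` is noise, whereas the MikroTik probe followed by the miner check and the Android modem paths is the pattern this post describes; the threshold is deliberately low because the honeypot sees little legitimate traffic.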
Some other observations about the attacker
After reviewing the IP address geolocation information and doing a historical information search on these IP addresses I came to the following conclusions.
- Around 40% to half of these attacks/scans are being launched out of South Korea.
- There is no specific system type that was compromised and became part of the botnet.
- The systems that are part of the botnet network are coming from telecom providers, which means they are most likely being launched from compromised routers and home servers.
What can be done?
Restrict remote access to your router; there is no good reason I can think of to allow administrative access to your home router from the whole internet. If you absolutely must open it up, then be selective and only allow known good hosts that you control to access the device remotely. If your router does not allow IP-based restriction of administrative access, then I hate to say it, but you might want to look into getting a new router.
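On RouterOS the management services live under `/ip service`, and each one can be disabled or limited with `address=` to the hosts you control. The script below is an added example, not from the original post or from MikroTik: it audits the `/ip service` block of a RouterOS `/export` and lists every service that is still enabled without a source-address restriction. It assumes the non-verbose `/export` layout (`/ip service` followed by `set <name> key=value` lines) and that a service missing from the export is sitting at its default, which the audit conservatively treats as enabled and open to any source. The export fragment and the addresses in it are constructed.

```python
"""Audit a RouterOS '/export' fragment for management services reachable
from any source address.

Added example, not MikroTik's code. Assumes the non-verbose '/export'
layout, in which services left at default settings are not listed; such
services are treated here as enabled and unrestricted (assumption).
"""
import shlex

# Service names RouterOS exposes under /ip service.
SERVICES = ["telnet", "ftp", "www", "ssh", "api", "winbox", "api-ssl", "www-ssl"]

# Constructed export: ssh and winbox are the corrected form (restricted to a
# LAN and one trusted host); www, api and api-ssl are left at defaults.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24,203.0.113.10/32
set www-ssl disabled=yes
/ip firewall filter
add chain=input action=accept connection-state=established,related
"""


def parse_ip_service(export_text):
    """Return {service: {"disabled": bool, "address": [cidr, ...]}}.

    Only the '/ip service' block is read; other blocks are skipped.
    """
    settings = {name: {"disabled": False, "address": []} for name in SERVICES}
    in_block = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            in_block = line == "/ip service"  # new block header
            continue
        if not in_block or not line.startswith("set "):
            continue
        parts = shlex.split(line)  # handles quoted values such as address=""
        name = parts[1]
        if name not in settings:
            continue
        for kv in parts[2:]:
            key, _, val = kv.partition("=")
            if key == "disabled":
                settings[name]["disabled"] = (val == "yes")
            elif key == "address":
                settings[name]["address"] = [a for a in val.split(",") if a]
    return settings


def unrestricted(addresses):
    """True when the address list does not limit sources (empty or any-address)."""
    return not addresses or any(a in ("0.0.0.0/0", "::/0") for a in addresses)


def audit(export_text):
    """Return the services that are enabled and reachable from any source."""
    return [name for name, cfg in parse_ip_service(export_text).items()
            if not cfg["disabled"] and unrestricted(cfg["address"])]


def remediation(findings):
    """RouterOS commands that disable each flagged service.

    For a service you genuinely need, replace 'disabled=yes' with
    'address=<your management hosts>' as in the ssh/winbox lines above.
    """
    return [f"/ip service set {name} disabled=yes" for name in findings]


if __name__ == "__main__":
    open_services = audit(SAMPLE_EXPORT)
    print("Exposed services:", ", ".join(open_services) or "none")
    for cmd in remediation(open_services):
        print(cmd)
```

Run this against the output of `/export` copied from the router; anything it lists is an administrative interface that the whole internet can reach unless a firewall input rule in front of it says otherwise, which is exactly the exposure the scans in this post are looking for.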
Attacker Commands
/ip cloud print
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
echo Hi | cat -n
Disclaimer: The ideas and statements made in this article are the sole views of Exylum Technical.