Network equipment manufacturer MikroTik has called on users to patch an old vulnerability in its RouterOS software that is being exploited by a botnet. That uses an exploit that came out in the Vault 7 dump of CIA tools and techniques.
MikroTik writes in a forum post that a botnet has recently been scouring the internet for MikroTik devices running a vulnerable version of RouterOS. According to the company, a patch was released more than a year ago in the form of version 6.38.5 of the software. Routers with this version are safe, as are devices with port 80 filtered with a firewall. The botnet in question would currently do nothing more than scan and expand itself, but an update would nevertheless be advisable, according to the company.
Text from MikroTik warning
According to the Chinese security company Qihoo 360, the botnet is a Hajime variant. It detects whether a MikroTik device is present on the basis of port 8291 and then attempts to infect via the so-called Chimay Red exploit and add the device to the botnet. This exploit became publicly known because it appeared in the Vault 7 dump, which WikiLeaks published in March of last year. Qihoo 360 writes that it has seen a sharp increase in the number of scans to MikroTik devices from March 25. They come mainly from Brazil, Iran and Russia.
The Hajime malware was discovered in October 2016 by the security company Rapidity. This happened shortly after the source code of the Mirai malware appeared online, which led to the emergence of several variants. At the time, the company wrote that Hajime’s target was “a mystery” because the variant did not contain a module to perform malicious actions, such as a DDO attack. Symantec published an analysis last year stating that Hajime was an attempt to curb the growth of Mirai-like botnets.