Microsoft has released a tool for scanning and detecting MikroTik IoT devices hacked by the Trickbot cybercrime group.
The open-source scanner was released after a team of Microsoft Defender for IoT researchers discovered a series of attacks on MikroTik routers in which the attackers reconfigured the devices so that traffic to and from Trickbot-infected computers was relayed through servers under the attackers' control.
According to the researchers, the attackers compromise MikroTik devices to make Trickbot's communication with its C&C servers more resilient. The group first obtains credentials for the gateways in various ways, including trying MikroTik factory-default passwords and brute-forcing, or it exploits CVE-2018-14847 on devices running RouterOS up to version 6.42, which allows an attacker to read arbitrary files such as user.dat, which contains passwords.
Then, to keep persistent access to the router, the attackers change its password and use the compromised device to send commands to Trickbot-infected systems on the network: to run ransomware, mine cryptocurrency, steal or delete data, and so on.
The researchers captured the MikroTik-specific RouterOS commands the attackers sent to compromised devices to configure forwarding of C&C traffic, and then traced them back to their source.
“MikroTik devices have a unique OS based on the Linux kernel called RouterOS with a unique SSH shell, which can be accessed via SSH using a registered command set with the prefix /,” the researchers explained.
Microsoft's scanner connects to MikroTik devices and, among other things, looks for traffic-forwarding rules and changed service ports that may indicate a Trickbot infection.