We've found interesting new traffic within our Honeytrap agents, originating only from servers within Russia (specifically, the netblock owned by NKS / NCNET Broadband). The username and password combination being used is root / root, and they are executing all of the following SSH commands:
While searching for the "/ip cloud print" command, I found that it belongs to MikroTik routers. Since RouterOS v6.27 the command has changed, so the targeted devices are MikroTik routers running RouterOS before v6.27. The username and password pair being used to gain access is not a specific MikroTik default username / password combination. Because not all of the above commands are programmed to return the output expected by the script, it could just be probing for specifics about the attacked server. One command we are not seeing very often is the check for Android databases, " Another interesting command is the " All IP addresses are located in roughly the same netblock / location, which could be an indication that this worm / script is explicitly targeting a vulnerability in the routers used by the provider, while scanning a broader area not limited to their netblock(s). Complete list of source addresses:
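As an added example (not part of the diary or the Honeytrap project), the following Python flags honeypot sessions that show both traits described above: the root / root credential pair followed by the RouterOS "/ip cloud print" probe. The JSON event shape, the sample events and the watched prefix are all constructed assumptions; the real netblock is not given on this page.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample events in an assumed, simplified JSON shape (not the real
# Honeytrap agent schema): one login event per session, then its command events.
SAMPLE_EVENTS = [
    '{"session":"s1","src":"192.0.2.10","type":"login","user":"root","pass":"root"}',
    '{"session":"s1","src":"192.0.2.10","type":"command","cmd":"/ip cloud print"}',
    '{"session":"s2","src":"192.0.2.11","type":"login","user":"admin","pass":"admin"}',
    '{"session":"s2","src":"192.0.2.11","type":"command","cmd":"/ip cloud print"}',
    '{"session":"s3","src":"198.51.100.5","type":"login","user":"root","pass":"root"}',
    '{"session":"s3","src":"198.51.100.5","type":"command","cmd":"id"}',
    '{"session":"s4","src":"203.0.113.7","type":"login","user":"root","pass":"root"}',
    '{"session":"s4","src":"203.0.113.7","type":"command","cmd":"/ip cloud print"}',
]

CAMPAIGN_CREDS = ("root", "root")
ROUTEROS_MARKER = "/ip cloud print"  # RouterOS CLI command quoted in the diary
# Placeholder prefix standing in for the provider netblock named in the diary.
WATCHED_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

def group_sessions(lines):
    """Parse one JSON event per line and group credentials/commands by session."""
    sessions = defaultdict(lambda: {"src": None, "creds": None, "cmds": []})
    for line in lines:
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["src"] = ev["src"]
        if ev["type"] == "login":
            s["creds"] = (ev["user"], ev["pass"])
        elif ev["type"] == "command":
            s["cmds"].append(ev["cmd"])
    return sessions

def in_watched_netblock(src):
    """True when the source address falls inside a watched prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in WATCHED_NETBLOCKS)

def flag_sessions(lines):
    """Return {session: (src, in_watched)} for sessions showing both traits the
    diary describes: the root/root pair and a RouterOS fingerprinting command."""
    hits = {}
    for sid, s in group_sessions(lines).items():
        probe = any(ROUTEROS_MARKER in cmd for cmd in s["cmds"])
        if s["creds"] == CAMPAIGN_CREDS and probe:
            hits[sid] = (s["src"], in_watched_netblock(s["src"]))
    return hits
```

Sessions with only one of the two traits (s2: the probe command without root/root; s3: root/root without the probe) are not flagged, which keeps ordinary brute-force noise out of the campaign count.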
Let me know if you have additional information about this case.

Remco Verhoef (@remco_verhoef), ISC Handler, Jun 13th 2018
Hey there,
This is certainly an interesting find, and it seems to be a massive push to create a massive botnet if this is part of the same group that is also doing this: https://blog.talosintelligence.com/2018/06/vpnfilter-update.html and this: https://www.us-cert.gov/ncas/alerts/TA18-106A, or I could just be paranoid and connecting dots where they do not fit?
Anonymous, Jun 13th 2018