Nozomi throws light on security vulnerabilities found in Winbox payload protocol used to configure MikroTik devices

Researchers from industrial cybersecurity firm Nozomi Networks released Friday technical analysis of the core of the Meris botnet capabilities. The team identified that from about 2018 to 2021, the Glupteba botnet, the backbone of the Meris botnet, has been used to infect and turn hundreds of thousands of MikroTik devices into nefarious internet relays. One of the main Glupteba modules used is called WindiGo (aka RanaumBot), which uses the Winbox payload, a proprietary protocol used to configure MikroTik devices. 

“Since Winbox is the root of Meris, it makes sense to take a deeper dive into its functionality,” researchers from Nozomi Networks Labs wrote in a company blog post. “In this blog, we give a technical analysis of WindiGo and how it exploits CVE-2018-14847 to access MikroTik routers, provide recommendations, and share Indicators of Compromise (IoCs) you can use to protect your networks.”

Nozomi said that upon execution, WindiGo starts by scanning networks to find MikroTik devices with an accessible Winbox port (8291/tcp). “Because Winbox is a MikroTik proprietary protocol used to configure MikroTik devices, it uses the Winbox application, which is a configuration frontend. While conducting our analysis, we identified four different scanning behaviors,” according to the post. 

Latvian company MikroTik develops routers and wireless ISP systems and provides hardware and software for Internet connectivity globally. Its RouterOS software system provides extensive stability, controls, and flexibility for all kinds of data interfaces and routing.

Earlier this year in March, Imperva wrote a blog about a DDoS attack reaching 2.5 million requests per second apparently claimed by the notorious ransomware group REvil. According to Imperva, it is highly likely the Meris botnet was used to carry out this DDoS attack. With the supposed re-emergence of Meris, Nozomi was curious if Meris survived the sinkhole.

In 2018, MikroTik wrote in a blog post that the Winbox server vulnerability in RouterOS was discovered and fixed in RouterOS on April 23, 2018. “Note that although Winbox was used as a point of attack, the vulnerability was in RouterOS. This issue was later assigned a universal identifier CVE-2018-14847. The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file,” it added.

The Nozomi researchers found that the first variant randomly scans 4096 IP addresses. The second variant scans the private network classes A, B, and C but also the Internet Assigned Numbers Authority (IANA) reserved address space 100.64.0.0/10, which is likely an attempt to compromise Internet Service Providers (ISPs) and other service provider systems from within their perimeter.

Additionally, the third variant scans some public networks in addition to the private ones, most of them belonging to telecommunication companies and internet registries in the U.S. and Europe such as AT&T, T-Mobile, and RIPE; telecommunication companies in Brazil, Vietnam, and China are also being targeted. Interestingly, two network blocks stand out, the first one belongs to the U.S. Army Information System Command, and the second to the U.S. Department of Defense Network Information Center. The last variant receives the scan target by fetching ‘/api/request-cidr?uuid=<UUID>’ on its Command & Control (C2) server, the Nozomi researchers revealed.
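As an added illustration (not code from the Nozomi post), the following Python sketch shows how a defender could spot the scanning behaviour described above in flow logs: a single source opening connections to 8291/tcp on many distinct hosts, with extra weight on targets inside the private and 100.64.0.0/10 ranges the malware sweeps. The flow records, the log format and the alert threshold are constructed for the example.

```python
import ipaddress
from collections import defaultdict

WINBOX_PORT = 8291

# Address space the scanner variants sweep from inside the perimeter:
# RFC1918 classes A, B and C plus the IANA reserved 100.64.0.0/10 block.
WATCHED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed flow records for the example: "timestamp src dst dport tcp_flags".
SAMPLE_FLOWS = """\
2022-12-09T10:00:01 192.168.1.50 10.0.0.1 8291 S
2022-12-09T10:00:01 192.168.1.50 10.0.0.2 8291 S
2022-12-09T10:00:02 192.168.1.50 100.64.3.4 8291 S
2022-12-09T10:00:02 192.168.1.50 203.0.113.9 8291 S
2022-12-09T10:00:05 192.168.1.20 192.168.1.1 8291 S
2022-12-09T10:00:06 192.168.1.20 192.168.1.1 443 S
2022-12-09T10:00:07 192.168.1.77 10.0.0.1 22 S
2022-12-09T10:00:07 192.168.1.77 10.0.0.2 22 S
2022-12-09T10:00:07 192.168.1.77 10.0.0.3 22 S
"""


def parse_flows(text):
    """Yield (src, dst, dport, flags) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, flags = line.split()
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), flags


def detect_winbox_scanners(text, min_targets=3):
    """Return {src: {"targets": n, "in_watched_space": m}} for every source
    that sent SYNs to the Winbox port on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, dst, dport, flags in parse_flows(text):
        if dport == WINBOX_PORT and "S" in flags:
            targets[src].add(dst)
    alerts = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue  # a lone admin session to one router is not a scan
        watched = sum(1 for d in dsts if any(d in net for net in WATCHED_NETS))
        alerts[str(src)] = {"targets": len(dsts), "in_watched_space": watched}
    return alerts
```

Only the host sweeping four routers on 8291/tcp is reported; the single admin session and the SSH activity on port 22 are left alone.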

“Once the scanning starts, if a network device responds to a TCP handshake on the Winbox port then the malware attempts to exploit CVE-2018-14847,” the post said. “This vulnerability leverages an arbitrary file read on MikroTik devices and is used to retrieve the device users’ credential store known as the user.dat file. The sample assembles Winbox packets on the fly with most of the packet data hardcoded within the sample and only small chunks dynamically patched.”

Subsequently, the path traversal becomes apparent in the assembled payload, simplified to ‘/flash/rw/store/user.dat,’ the researchers said. “Exploiting the vulnerability results in the device user.dat file containing the credential store being leaked. We can see the credential store being acquired by the malware. This file contains the accounts registered on the device, usernames, and their encrypted passwords,” they added.

The researchers assessed that under normal circumstances, additional steps are required to retrieve the passwords from their hashed form, typically through a dictionary or brute force attack. “However, on these older MikroTik devices the password is not hashed but encrypted. First, a key is derived by linking the username and some ‘static salt’ then the result is hashed to produce a key with which the password is XORed. We will skip the cryptography implication of this scheme and move straight to the decryption output in the malware,” they added. 
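To make the “cryptography implication” concrete, here is an added Python example (not code from the Nozomi post) of the scheme as the article describes it: a key derived by hashing the username joined with a static salt, then XORed with the password. The hash function, the salt value and the key cycling are assumptions and placeholders, not MikroTik’s actual values; it is set beside a salted PBKDF2 hash to show why the leaked store needs no brute forcing in one case and does in the other.

```python
import hashlib
import hmac
import os
from itertools import cycle

# Placeholder only: the real static salt is not reproduced here.
STATIC_SALT = b"PLACEHOLDER-STATIC-SALT"


def derive_key(username, salt=STATIC_SALT):
    """key = hash(username || static salt). MD5 is an assumption for the
    example; what matters is that the key depends only on public data."""
    return hashlib.md5(username.encode() + salt).digest()


def xor_with_key(data, key):
    """XOR data against the key (cycled over long inputs, an assumption).
    XOR is its own inverse, so this both 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def store_reversible(username, password):
    """What an unpatched device keeps in its credential store."""
    return xor_with_key(password.encode(), derive_key(username))


def recover_reversible(username, stored):
    """Whoever holds the leaked store and the username gets the cleartext
    back immediately: there is nothing to guess, dictionary or otherwise."""
    return xor_with_key(stored, derive_key(username)).decode()


def store_hashed(password, salt=None):
    """A proper salted, slow hash: the store holds only a verifier."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_hashed(password, salt, digest):
    """The only operation a hash supports: check one candidate at a time.
    Recovering a password from a leaked verifier means running this per guess."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)
```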

The researchers also showed a debugger breakpoint placed right after the decryption function returns, capturing the decrypted password on the stack.

“The malware also contains its own dictionary of usernames and passwords. The dictionary is relatively small, consisting of 24 usernames and 220 passwords for a total of roughly 5,300 possible combinations,” the Nozomi post said. “These static credentials are used if the password harvesting step fails, typically because the MikroTik router is not vulnerable. Surprisingly the stolen credentials are appended to the bottom of the dictionary. This means that before trying the credentials stolen from the device, the malware will first try to log on using its thousands of static credentials, which is rather inefficient,” it added.

At this point, the malware attempts to register a scheduled task on the device, regardless of whether the password extraction succeeded. The first infection vector is the Winbox protocol; if the infection fails for whatever reason (wrong username and password, network communication failure, etc.), the malware falls back to SSH and finally to the web API. In any case, the task being added is always the same.

Nozomi urged that network routers and other network devices not be left openly connected to the internet. “In this case, the attackers came from inside the network perimeter itself—so it’s important to avoid connecting management interfaces with user and application networks. Use proper network segmentation via a dedicated management network or a Zero Trust policy to provide a robust defense against such threats. If you’re using MikroTik devices within your environment, you should make sure that they are up-to-date,” the researchers added.

The CVE-2018-14847 vulnerability was fixed by MikroTik right after its public disclosure. Additionally, organizations must review the devices’ configurations and ensure strong passwords are being used, as a fully patched device will not protect from a weak or leaked password.

“Finally, ensure you have full visibility of your entire network, by utilizing an asset management tool and an IDS,” the post said. “Alerts on any suspicious network connections and infiltrations will at least give you a chance to detect and mitigate the threat before it causes severe damage. This will also enable and support your security team to effectively respond to the threat,” it added.

Earlier this month, Nozomi found three additional vulnerabilities affecting Mitsubishi Electric GX Works3 which, in the worst case, may lead to the compromise of safety programmable logic controllers (PLCs); the only requirement is possession of an associated GX Works3 project file. The flaws remain unpatched by the vendor.
