<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body><div><div style="font-family: Calibri,sans-serif; font-size: 11pt;">Might be related to the recent US-CERT advisory...<br><br>National Cyber Awareness System:<br><br> <br><br>TA18-086A: Brute Force Attacks Conducted by Cyber Actors<br>03/27/2018 06:00 PM EDT<br><br><br>Original release date: March 27, 2018<br><br>Systems Affected<br>Networked systems<br><br></div></div><div dir="ltr"><hr><span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">From: </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;"><a href="mailto:tom@tomh.us">Tom Hayward</a></span><br><span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">Sent: </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;">3/24/2018 5:29 PM</span><br><span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">To: </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;"><a href="mailto:psdr@hamwan.org">Puget Sound Data Ring</a></span><br><span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">Subject: </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;">[HamWAN PSDR] OPP outage and vulnerability warning</span><br><br></div><div dir="ltr">This morning I discovered a bunch of failed login attempts to HamWAN routers coming from other HamWAN routers. When checking the list of logged in users, there weren't any. Apparently something was able to remotely execute code on HamWAN routers without logging in. I think it may be related to this: <a href="https://forum.mikrotik.com/viewtopic.php?t=119255">https://forum.mikrotik.com/viewtopic.php?t=119255</a>. Nigel and I worked to identify the traffic and patch the hole. 
We were able to stop it through a combination of firewall rules, disabling services, and upgrading software.<div><br></div><div>One casualty is that upgrading the software on Seattle-ER1 broke the OPP IPsec configuration. We haven't figured out how to fix this, so OPP is down for now.</div><div><br></div><div>To protect your equipment from this exploit, you can disable unnecessary services like this:</div><div><br></div><div><div><font face="monospace, monospace">/ip service disable telnet,ftp,www,api,winbox,api-ssl</font></div></div><div><br></div><div>Make sure to do this from SSH so that you know it's working before disabling Winbox!</div><div><br></div><div>This is a reminder of the importance of strict firewall rules. Nigel is a wise man.</div><div><br></div><div>Tom</div></div>
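The one-liner above turns off the listed services; the RouterOS fragment below is an added example, not HamWAN's or Tom's actual configuration, that shows the same idea carried through to the "strict firewall rules" the message ends on: every management service disabled except SSH, SSH itself restricted to a management range, and an input chain that accepts only what the router needs and drops (and logs) the rest. The range 192.0.2.0/24, the address-list name "mgmt", port 22 and the OSPF rule are placeholders/assumptions; substitute your own, and accept whatever routing protocols (OSPF, BGP on tcp/179 from known peers) the router actually runs before the final drop, or the backbone adjacencies will go down with the attackers.

```routeros
# Added hardening example for a RouterOS router (not HamWAN's actual config).
# ASSUMPTIONS: 192.0.2.0/24 stands in for the network's management range,
# "mgmt" is a placeholder address-list name, 22 is the SSH port, and OSPF is
# used only as an example of a routing protocol the input chain must allow.
# Apply this from an SSH session and keep it open until a second session
# confirms you can still log in.

# 1. Services: only SSH stays enabled, and only from the management range.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox disabled=yes
set ssh disabled=no port=22 address=192.0.2.0/24

# 2. Address list of hosts allowed to manage the router.
/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="management range (placeholder)"

# 3. Input chain: accept only what the router itself needs, drop the rest.
#    Rules are evaluated top to bottom, so the order matters.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to router-initiated traffic"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ping, traceroute, PMTU"
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt action=accept comment="SSH from management range only"
# Routing protocols the router depends on go here, before the drop
# (OSPF shown as a placeholder; add BGP tcp/179 from known peers the same way).
add chain=input protocol=ospf action=accept comment="OSPF with neighbours (assumed)"
add chain=input action=drop log=yes log-prefix="input-drop" comment="everything else aimed at the router"

# 4. Check the result before closing the session.
/ip service print
/ip firewall filter print where chain=input
/log print where message~"login failure"
/log print where message~"input-drop"

# 5. Upgrade RouterOS once the firewall is in place.
/system package update check-for-updates
/system package update install
```

The `address=` on the SSH service and the `src-address-list=mgmt` rule overlap on purpose: the service restriction survives a firewall reset, and the firewall rule still drops the traffic if someone later re-enables a service. The two `/log print` filters are the check for the symptom Tom describes: "login failure" entries show who is still trying, and the "input-drop" prefix shows what the new drop rule is catching, including any traffic from your own routers.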
</body></html>