<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Since MikroTik came up as a subject (I’m a fan of theirs BTW), I thought I’d inform those here who may not already know about the recently discovered MikroTik vulnerability that enables attackers to use their Wireless Access Points (WAPs) and routers to obfuscate communications between the infamous TrickBot malware and its Command & Control (C2) server (CVE-2018-14847). This has the potential for using HamWan, including client antenna/routers, as an entry point for exploitation for home networks and their attached Windows machines in particular.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>TrickBot and their attackers accomplish this by using the SSH protocol to pipe commands remotely, and are able to infect MikroTik devices because they are among the rare ones that use Linux-based OS plus they allow certain terminal command shell syntax that most other Linux shells do not allow. Among the other changes the attacker makes to the router and WAP is changing the admin password to prevent legit admins from regaining control. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>To protect against this vulnerability in MikroTik products, make sure they are patched with their latest OS firmware (6.42 or higher), remote access is turned off when not needed, strong passwords and ideally token certificates are used for remote access. Microsoft discovered this exploit and has released a tool for detecting related TrickBot activity which wise people should run if they do not already have a robust network monitoring tool that detects this traffic and network device changes.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>More info: <a href="https://arstechnica.com/information-technology/2022/03/trickbot-is-using-mikrotik-routers-to-ply-its-trade-now-we-know-why/">https://arstechnica.com/information-technology/2022/03/trickbot-is-using-mikrotik-routers-to-ply-its-trade-now-we-know-why/</a> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Stephen Kangas MSCSIA, W9SK<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> PSDR <psdr-bounces@hamwan.org> <b>On Behalf Of </b>Tom Hayward<br><b>Sent:</b> Friday, March 18, 2022 9:21 AM<br><b>To:</b> Puget Sound Data Ring <psdr@hamwan.org><br><b>Subject:</b> Re: [HamWAN PSDR] RANCID with mikrotik?<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Mar 17, 2022 at 11:54 PM Bryan Fields <<a href="mailto:Bryan@bryanfields.net" target="_blank">Bryan@bryanfields.net</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>Are you all running this up there?<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We're running sort of an in-house equivalent to RANCID. It's just a bash script that does an /export and commits to a git repo:<o:p></o:p></p></div><div><p class=MsoNormal><a href="https://github.com/kd7lxl/mikrotik-backup" target="_blank">https://github.com/kd7lxl/mikrotik-backup</a> <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It uses SSH with key auth.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It seems to still work.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Tom<o:p></o:p></p></div></body></html>