# CVE-2018-14847
Published: 2018-08-02
Priority: P1 · 97 · Critical · CVSS 3.1 base score 9.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Flags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-06-01)
Exploited in the wild
EPSS: 96.09% (99.9th percentile)
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mikrotik | routeros | <= 6.42 | — |
Detection & IOCs (extracted from sources)
- Detect CVE-2018-14847 exploitation by monitoring WinBox (TCP/8291) traffic for directory traversal path patterns containing repeated '../' sequences targeting files outside /rw/disk, particularly attempts to read credential files.
- Monitor for Winbox protocol messages using SYS_TO command 7 (unauthenticated) or command 1 (file open for write) with path traversal strings — these are the specific commands exploited in CVE-2018-14847.
- Hunt for VPNFilter-related MikroTik exploitation by decoding the Winbox binary protocol on TCP/8291 and looking for traversal path strings such as '//./.././.././../' in message field s1.
- Detect Glupteba router exploitation activity by monitoring for outbound connections from MikroTik routers to nxtfdata[.]xyz and for SOCKS proxy configuration changes on compromised routers.
- Detect VPNFilter htpx module on compromised routers by looking for iptables rules redirecting TCP/80 to port 8888 and the presence of the /var/run/htpx.pid file.
- Detect VPNFilter ndbr SSH backdoor module by monitoring for unexpected SSH listener on TCP/63914 and presence of key files /db_key and /cli_key on MikroTik devices.
- Flag HTTP requests with User-Agent 'curl53' as a VPNFilter htpx C2 beacon indicator.
- CVE-2018-14847 was patched by MikroTik in April 2018; however, as of October 2018 nearly 70% of fingerprinted routers remained unpatched. Detections should prioritize RouterOS versions through 6.42.
- The traversal vulnerability is exploitable both unauthenticated (command 7, read) and authenticated (command 1, write) over the WinBox protocol; detection rules must cover both read and write exploitation paths.
- The related CVE-2019-3943 (fileman binary, SYS_TO 72) uses the same traversal logic as CVE-2018-14847 but requires authentication and is reachable over both HTTP and Winbox (8291); detections for path traversal patterns apply to both CVEs.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| vulncheck | — | 9.1 | CRITICAL | — |
| cisa | — | 9.1 | CRITICAL | — |
CISA
MikroTik Router OS Directory Traversal Vulnerability
cisa · 2021-12-01 · CVSS 9.1
Tags: CVE-2018-14847 · CRITICAL · CWE-22
Affected: MikroTik RouterOS
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-14847
Remediation Due Date: 2022-06-01
GHSA
GHSA-j583-4cfp-xf9m: MikroTik RouterOS through 6
ghsa_unreviewed · 2022-05-14
Tags: CVE-2018-14847 · CRITICAL · CWE-22
VulnCheck
MikroTik Router OS Directory Traversal Vulnerability
vulncheck · 2018 · CVSS 9.1
Tags: CVE-2018-14847 · CRITICAL · CWE-22
Affected: MikroTik RouterOS
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
- https://blog.mikrotik.com/security/meris-botnet.html
- https://blog.cloudflare.com/meris-botnet/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.microsoft.com/en-us/security/blog/2022/03/16/un
Suricata
ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)
suricata · 2018-08-06 · CVSS 9.1
Tags: CVE-2018-14847 · CRITICAL
Rule:
```
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)"; flow:established,to_server; content:"|680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f73746f72652f757365722e6461740200ff88020000000000080000000100ff8802000200000002000000|"; offset:0; reference:url,github.com/mrmtwoj/0day-mikrotik; reference:url,www.helpnetsecurity.com/2018/08/03/mikrotik-cryptojacking-campaign; reference:cve,2018-14847; classtype:attempted-admin; sid:2025972; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_08_06, cve CVE_2018_14847, deployment Perimeter, confidence Medium, signature_severity
```
Exploit-DB
MicroTik RouterOS < 6.43rc3 - Remote Root
exploitdb · 2018-10-10 · CVSS 9.1
Tags: CVE-2018-14847 · CRITICAL
```cpp
#include
#include
#include
#include
#include "winbox_session.hpp"
#include "winbox_message.hpp"
#include "md5.hpp"

namespace
{
    const char s_version[] = "By the Way 1.0.0";

    /*!
     * Parses the command line arguments. The program will always use two
     * parameters (ip and winbox port) but the port will default to 8291 if
     * not present on the CLI
     *
     * \param[in] p_arg_count the number of arguments on the command line
     * \param[in] p_arg_array the arguments passed on the command line
     * \param[in,out] p_ip the ip address to connect to
     * \param[in,out] p_winbox_port the winbox port to connect to
     * \return true if we have valid ip and ports. false otherwise.
     */
    bool parseCommandLine(int p_arg_count, const char* p_arg_array[],
                          std::string& p_ip, std::string& p_winbox_port)
    {
        boost::p
```
Exploit-DB
Mikrotik WinBox 6.42 - Credential Disclosure (golang)
exploitdb · 2018-08-17 · CVSS 9.1
Tags: CVE-2018-14847 · CRITICAL
```go
/*
# Title: Mikrotik WinBox 6.42 - Credential Disclosure ( golang edition )
# Author: Maxim Yefimenko ( @slider )
# Date: 2018-08-06
# Software Link: https://mikrotik.com/download
# Vendor Page: https://www.mikrotik.com/
# Version: 6.29 - 6.42
# Tested on: Fedora 28 \ Debian 9 \ Windows 10 \ Android ( wherever it was possible to compile.. it's golang ^_^ )
# CVE: CVE-2018-14847
# References:
# ( Alireza Mosajjal ) https://github.com/mosajjal https://n0p.me/winbox-bug-dissection/
# ( BasuCert ) https://github.com/BasuCert/WinboxPoC
# ( manio ) https://github.com/manio/mtpass/blob/master/mtpass.cpp
# and special thanks to Dmitriy_Area51
*/
package main

import (
	"crypto/md5"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

var (
	a = []byte{0x
```
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now
blogs_tenable · 2022-08-19
Tenable
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
blogs_tenable · 2022-08-04
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5
Tags: CVE-2020-28188 · HIGH
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5
Tags: HIGH · Threat Research Center · Trend Reports · Vulnerabilities
Authors: Lei Xu, Yue Guan, Vaibhav Singhal
Published: April 12, 2021
Topics: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends
Zscaler
Glupteba Campaign Exploits MikroTik Routers | blog
blogs_zscaler · 2020-05-14
Trendmicro
Glupteba Hits Routers and Updates C&C Servers
blogs_trendmicro · 2019-09-04 · CVSS 9.1
Tags: CRITICAL · Cyber Threats
After looking into the recent variant of the Glupteba dropper delivered from a malvertising attack, we found that the dropper downloaded two undocumented components aside from the Glupteba malware—a browser stealer and a router exploiter.
By: Jaromir Horejsi, Joseph C Chen · Sep 04, 2019
We recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from Operation Windigo and had moved to a pay-per-install adware service to distribute it in the wild
Tenable
MikroTik RouterOS Authenticated Directory Traversal
blogs_tenable · 2019-04-08
Tenable
MikroTik RouterOS Vulnerabilities: There’s More to CVE-2018-14847
blogs_tenable · 2018-10-10 · CVSS 9.1
Tags: CVE-2018-14847 · CRITICAL · Blog / Research
Tenable Research · October 10, 2018 · 4 Min Read
In the course of preparing his Derbycon 8.0 presentation on RouterOS vulnerabilities, Tenable Researcher Jacob Baines discovered more to CVE-2018-14847 than originally known. Here’s how it could allow an unauthenticated remote attacker to gain access to the underlying operating system of MikroTik routers.
While preparing for his Oct. 7 Derbycon 8.0 presentation on RouterOS vulnerabilities, Tenable Researcher Jacob Baines discovered more to CVE-2018-14847 than originally known, and the new findings elevate the severity of the vulnerability to critical. Baines also found multiple other vulnerabilities unrelated to CVE-2018-14847 in RouterOS, MikroTi
Talos
VPNFilter III: More Tools for the Swiss Army Knife of Malware
blogs_talos · 2018-09-26
## Summary
VPNFilter — a multi-stage, modular framework that has infected hundreds of thousands of network devices across the globe — is now known to possess even greater capabilities. Cisco Talos recently discovered seven additional third-stage VPNFilter modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices from footholds on compromised network devices. The new functions also include data filtering and multiple encrypted tunneling capabilities to mask command and control (C2) and data exfiltration traffic. And while we believe our work, and the work of our international coalition of partners, has mostly neutralized the threat from VPNFilter, it can still be difficult to detect in the wild if any devices remain
Recorded Future
Underlying Dimensions of Yemen’s Civil War: Control of the Internet
blogs_recorded_future
Scope Note: Sources of this research include the Recorded Future platform, Recorded Future malware detonation, the findings and methods from the Citizen Lab, Shodan, VirusTotal, Censys, ReversingLabs, and third-party metadata. Recorded Future would like to thank Rapid7 and their National Exposure Index in helping quantify the current IP landscape in Yemen. Recorded Future would also like to thank Joe Security for the use of their product to analyze Android device malware samples.
### Executive Summary
In the midst of the ongoing Yemeni civil war, local and international players are waging a secondary war through internet control and other cyber means. Recorded Future’s Insikt Group assesses that dynamics of the Yemeni
arXiv
Characterising attacks targeting low-cost routers: a MikroTik case study (Extended)
arxiv_fulltext · 2020-11-03
## Introduction
Network infrastructure devices have been actively exploited by cyber actors. A variety of attacks can be carried out by abusing such devices. In 2018, more than half a million low-cost routers were infected by the VPNFilter malware. With a view to disrupting that malware campaign, the Federal Bureau of Investigation (FBI) issued an urgent request for users to reboot their routers. In the same year, there were several other campaigns aimed at low-cost routers (e.g. GhostDNS malware, Navidade and SonarDNS). Infrastructure devices can be used for last-mile access as well as to manage interdomain routing (BGP). Half of the core routers used in one of the biggest internet exchanges in the world (connecting 1467 autonomous systems) are manufactured by MikroTik. This m
arXiv
ICLab: A Global, Longitudinal Internet Censorship Measurement Platform
arxiv_fulltext · 2019-07-10
Authors: Arian Akhavan Niaki (1,2), Shinyoung Cho (1,2,3), Zachary Weinberg (1,4), Nguyen Phong Hoang (3), Abbas Razaghpanah (3), Nicolas Christin (4), Phillipa Gill (2)
(1) Authors contributed equally
(2) University of Massachusetts, Amherst: {arian, shicho, phillipa}@cs.umass.edu
(3) Stony Brook University: {shicho, nghoang, arazaghpanah}@cs.stonybrook.edu
(4) Carnegie Mellon University: {zackw, nicolasc}@cmu.edu
## Abstract
Researchers have studied Internet censorship for nearly as long as attempts to censor contents have taken place. Most studies have however been limited to a short period of time and/or a few countries; the few exceptions have traded off detail for breadth of coverage. Collecting enough data for a comp
References
- https://github.com/BasuCert/WinboxPoC
- https://github.com/BigNerd95/WinboxExploit
- https://github.com/tenable/routeros/blob/master/bug_hunting_in_routeros_derbycon_2018.pdf
- https://github.com/tenable/routeros/tree/master/poc/bytheway
- https://github.com/tenable/routeros/tree/master/poc/cve_2018_14847
- https://mikrotik.com/supportsec/winbox-vulnerability
- https://n0p.me/winbox-bug-dissection/
- https://www.exploit-db.com/exploits/45578/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-14847
Timeline
- 2018-08-02: Published
- 2021-12-01: Added to CISA KEV
- Exploited in the wild