Hello, welcome to the Wednesday, September 5th, 2018 edition of the Sandtonet Storm Center's Stormcast. My name is Johannes Ulrich and I'm recording from Amsterdam, Netherlands. NetLabp 360 has an interesting blog post with some recent attacks against Microtick routers. These attacks take advantage of

a vulnerability that Microtic originally patched, I believe, in April, but CVE, and that would

be CVE 2018-14-847, wasn't assigned until early August.

Now, after the vulnerability was patched by Microtake, lots of details about it became known,

the vulnerability can be used to read arbitrary files, including username and password databases,

and then that information can be used to essentially reconfigure,

or even in some cases, execute code on the router.

As typical for this type of vulnerability, of course, crypto coin miners were all over it.

It was also used to inject coin hive miners into traffic that is proxied by micro-tick routers, even though

there was some discussion whether or not that actually worked.

But what NetLab 360 figured out is there is another class of attacks that these

routers are being used for, and they discovered 5,000 plus routers affected by these attacks.

There are really two things that these attacks do.

Now, first of all, Microtic has a feature that allows you to redirect traffic being passed through the router to a third party.

And this can be used to eavesdrop on traffic passing through the router.

And this is one configuration change that is being made by some of these attacks.

Secondly, some attacks are enabling the SOX proxy on these routers,

which then can be used to route traffic through the routers, hiding behind the routers.

I've seen this a couple of years ago, even in some more sort of APT-style attacks,

that used router networks like this in order to obfuscate the real origin of the attack.

So what does this mean for you if you are running a micro-tick router?

Or if you're running into a micro-tick router at like a relatives network or such?

...