Aggressive Scans by Hajime Botnet Targeting Port 8291

Hajime Botnet variant made a massive come back with new features and this time it targets port 8291 to check whether the device running vulnerable Mikrotik RouterOS.

Attackers propagating the bot to exploit the vulnerabilities in the RouterOS that allow’s them to execute remote execution code on the device.

In the last 12 hours, more then 2k unique sources suddenly started to perform internet wide scan targeting port 8291, most likely MikroTik routers. The interesting thing is the scan almost start right around 0am Beijing time. https://t.co/0IK4TfE9er pic.twitter.com/Dkys1mssKm
— 360 Netlab (@360Netlab) March 25, 2018

The MikroTik RouterOS is based on the Linux kernel and it is mostly used by ISPs and the botnet is exploiting the known vulnerabilities in HTTP, SMB and password brute forcing.

How the Infection Takes place – Port 8291

The latest variant of Hajime Botnet is efficient to launch an aggressive scanning over Port 8291 to detect the publically available devices and to exploit the devices connected with it.

‘Chimay Red‘ HTTP Exploit code found in the attack modules that could exploit the vulnerability in its HTTP web server process due to improper validation of user-supplied input.

The worm launches a very aggressive SYN scan to port 8291 and if the port 8291 is open it check’s for other common ports next (80,81,82,8080,8081,8082,8089,8181,8880). It uses to check the device version and sends the exploit shellcodes.

Also Read How to protect your Organization From DDOS Attack

Netlab logged more than 861,131 unique scan source IPs (72 Hours). Netlab and Radware witnessed over 10,000 unique IPs hitting port 8291 in a single day.

It has come to our attention that a a mass scan for open ports 80/8291(Web/Winbox) is taking place. To be safe, firewall these ports and upgrade RouterOS devices to v6.41.3 (or at least, above v6.38.5)
— MikroTik (@mikrotik_com) March 27, 2018

https://twitter.com/bad_packets/status/978802421928361984

According to Netlab, the top three scan sources are Brazil (585k), Iran (51.8k), Russia (26.4k). Radware and Netlab published technical write-ups.

Suggested mitigations

Block unwanted request via 8291.
Update MikroTik firmware to v6.41.3 (or at least, above v6.38.5).

IOC

06B4D50254C6C112437A3ED893EF40B4 .i.mipseb
93A1A080FCDE07E512E7485C92861B69 atk.mipseb
fc834c015b357c687477cb9116531de7 atk.mipseb.upx.unpack

Aggressive Scans by Hajime Botnet Targeting Port 8291 With a new Exploit

Supply Chain Attack Prevention

Follow Us on Google News

How the Infection Takes place – Port 8291

Suggested mitigations

IOC

Latest articles

Threat Actors Exploiting AES Encryption for Stealthy Payload Protection

33.3 Million Cyber Attacks Targeted Mobile Devices in 2024 as Threats Surge

Routers Under Attack as Scanning Attacks on IoT and Networks Surge to Record Highs

Google Launches Shielded Email to Keep Your Address Hidden from Apps

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Discussion points

More like this

Chinese Hackers Breach Belgium State Security Service as Investigation Continues

Check Point Software to Open First Asia-Pacific R&D Centre in Bengaluru, India

Threat Actors Trojanize Popular Games to Evade Security and Infect Systems

How To Access Dark Web Anonymously and know its Secretive and Mysterious Activities

How to Build and Run a Security Operations Center (SOC Guide) – 2023

Network Penetration Testing Checklist – 2025