Friday, February 14, 2025

Aggressive Scans by Hajime Botnet Targeting Port 8291 With a new Exploit


A Hajime botnet variant has made a massive comeback with new features, and this time it targets port 8291 to check whether a device is running a vulnerable version of MikroTik RouterOS.

Attackers propagate the bot to exploit vulnerabilities in RouterOS that allow them to execute code remotely on the device.

MikroTik RouterOS is based on the Linux kernel and is widely used by ISPs; the botnet exploits known vulnerabilities in its HTTP and SMB services and also brute-forces passwords.

How the Infection Takes place – Port 8291

The latest Hajime variant launches an aggressive scan of port 8291 to find publicly reachable devices and then attempts to exploit them.

The attack modules contain 'Chimay Red' HTTP exploit code, which targets a vulnerability in the RouterOS HTTP web server process caused by improper validation of user-supplied input.

Port 8291

The worm launches a very aggressive SYN scan against port 8291; if that port is open, it next checks the other common ports (80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880), which it uses to determine the device version before sending the exploit shellcode.
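The two-stage pattern above (many SYN probes to 8291, then probes to the listed web ports against hosts that answered) is something a defender can pick out of firewall or flow logs. The following detector is an added example, not code from the article or from Netlab/Radware; the log format, the sample addresses and the threshold of five distinct 8291 targets are all assumptions made for illustration.

```python
"""Flag sources that match the Hajime scan pattern: SYN probes to TCP/8291
against many hosts, followed by probes to the follow-up web ports."""
from collections import defaultdict

FOLLOWUP_PORTS = {80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880}
SYN_THRESHOLD = 5  # assumed: distinct 8291 targets before we call it a scan

# Constructed sample log, one connection attempt per line: src dst dport flags
SAMPLE_LOG = """\
198.51.100.7 203.0.113.1 8291 SYN
198.51.100.7 203.0.113.2 8291 SYN
198.51.100.7 203.0.113.3 8291 SYN
198.51.100.7 203.0.113.4 8291 SYN
198.51.100.7 203.0.113.5 8291 SYN
198.51.100.7 203.0.113.6 8291 SYN
198.51.100.7 203.0.113.6 80 SYN
198.51.100.7 203.0.113.6 8080 SYN
192.0.2.10 203.0.113.9 8291 SYN
192.0.2.10 203.0.113.9 443 SYN
"""

def parse(log_text):
    """Yield (src, dst, dport, flags) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2]), parts[3]

def find_scanners(log_text, threshold=SYN_THRESHOLD):
    """Return {src: {"targets_8291": n, "followup_ports": [...]}} for sources
    whose 8291 SYNs reached at least `threshold` distinct destinations."""
    targets = defaultdict(set)    # src -> hosts probed on 8291
    followups = defaultdict(set)  # src -> web ports probed on those hosts
    for src, dst, dport, flags in parse(log_text):
        if flags != "SYN":
            continue
        if dport == 8291:
            targets[src].add(dst)
        elif dport in FOLLOWUP_PORTS and dst in targets.get(src, ()):
            # second stage: web-port probe against a host already hit on 8291
            followups[src].add(dport)
    return {src: {"targets_8291": len(dsts),
                  "followup_ports": sorted(followups[src])}
            for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

In the constructed sample only 198.51.100.7 crosses the threshold; 192.0.2.10 touched a single host on 8291 and is ignored.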


Netlab logged more than 861,131 unique scan source IPs over 72 hours. Netlab and Radware witnessed over 10,000 unique IPs hitting port 8291 in a single day.

https://twitter.com/bad_packets/status/978802421928361984

According to Netlab, the top three scan sources are Brazil (585k), Iran (51.8k) and Russia (26.4k). Radware and Netlab have published technical write-ups.

Suggested mitigations

  • Block unwanted requests to port 8291.
  • Update MikroTik firmware to v6.41.3 (or at least to a version above v6.38.5).

IOCs

  • 06B4D50254C6C112437A3ED893EF40B4 .i.mipseb
  • 93A1A080FCDE07E512E7485C92861B69 atk.mipseb
  • fc834c015b357c687477cb9116531de7 atk.mipseb.upx.unpack
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
