Friday, March 29, 2024

Aggressive Scans by Hajime Botnet Targeting Port 8291 With a new Exploit

Hajime Botnet variant made a massive come back with new features and this time it targets port 8291 to check whether the device running vulnerable Mikrotik RouterOS.

Attackers propagating the bot to exploit the vulnerabilities in the RouterOS that allow’s them to execute remote execution code on the device.

The MikroTik RouterOS is based on the Linux kernel and it is mostly used by ISPs and the botnet is exploiting the known vulnerabilities in HTTP, SMB and password brute forcing.

How the Infection Takes place – Port 8291

The latest variant of Hajime Botnet is efficient to launch an aggressive scanning over Port 8291 to detect the publically available devices and to exploit the devices connected with it.

Chimay Red‘ HTTP Exploit code found in the attack modules that could exploit the vulnerability in its HTTP web server process due to improper validation of user-supplied input.

Port 8291

The worm launches a very aggressive SYN scan to port 8291 and if the port 8291 is open it check’s for other common ports next (80,81,82,8080,8081,8082,8089,8181,8880). It uses to check the device version and sends the exploit shellcodes.

Also Read How to protect your Organization From DDOS Attack

Netlab logged more than 861,131 unique scan source IPs (72 Hours). Netlab and Radware witnessed over 10,000 unique IPs hitting port 8291 in a single day.

https://twitter.com/bad_packets/status/978802421928361984

According to Netlab, the top three scan sources are Brazil (585k), Iran (51.8k), Russia (26.4k). Radware and Netlab published technical write-ups.

Suggested mitigations

  • Block unwanted request via 8291.
  • Update MikroTik firmware to v6.41.3 (or at least, above v6.38.5).

IOC

06B4D50254C6C112437A3ED893EF40B4 .i.mipseb
93A1A080FCDE07E512E7485C92861B69 atk.mipseb
fc834c015b357c687477cb9116531de7 atk.mipseb.upx.unpack
Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles