2022-03-17
Microsoft Releases Scanner to Detect TrickBot-Infected Devices
In a blog post, the Microsoft Defender for IoT research team shares its analysis of how MikroTik devices are used in TrickBot’s command and control framework. Microsoft has published a tool that can be used to detect MikroTik Internet-of-Things (IoT) devices that are infected with TrickBot.
Editor's Note
Great work by Microsoft. But a bit sad that this didn't come from MikroTik. Like many similar devices, MikroTik routers had their share of vulnerabilities (or just simple misconfigurations) in the past. But vendors need to step up and provide users with tools to avoid and detect configuration errors and compromise. This could start with a simple standardized API to request firmware versions for easier vulnerability scanning (and an API to find the most recent version easily). Currently, scripts to accomplish this often have to scrape data from ever-changing webpages. (Prove me wrong and let me know of vendors doing this well.)

Johannes Ullrich
It still blows my mind when looking at all the cool cyber research Microsoft is publishing, including free tools for prevention and detection. If you have any MikroTik devices, you need to read this. Essentially, the TrickBot malware is using the routers as a proxy on a non-standard port to access their C2 servers. It then adds a persistence layer which obfuscates malicious IPs to avoid many detection systems. Make sure that you have changed the default passwords on your MikroTik devices, use good passphrases (ideally checked against data breaches), and keep the firmware updated. Only allow management from authorized systems, making sure you restrict access to ports 8291 and 22. Grab the forensic tool and cross-check your devices for any areas of concern.

Lee Neely
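A RouterOS configuration that applies the hardening steps Lee Neely lists above (management on ports 8291 and 22 restricted to authorized hosts, non-default credentials, current firmware), added here as an illustration; it is not part of the Microsoft tool or of MikroTik's documentation. The address list name `mgmt-allowed`, the 192.0.2.0/24 management network and the password value are constructed placeholders.

```routeros
# Constructed example: restrict management of a MikroTik router to known hosts.
# "mgmt-allowed" and 192.0.2.0/24 are placeholders; substitute your own admin network.
/ip firewall address-list
add list=mgmt-allowed address=192.0.2.0/24 comment="admin workstations"

/ip firewall filter
# Keep replies to connections the router itself initiated.
add chain=input action=accept connection-state=established,related comment="allow established"
# Allow Winbox (8291) and SSH (22) only from the management list. Rule order matters:
# this accept must sit above the drop rule that follows.
add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list=mgmt-allowed comment="mgmt from allowed hosts"
# Drop every other attempt to reach the management ports.
add chain=input action=drop protocol=tcp dst-port=22,8291 comment="block mgmt from elsewhere"

# Second layer: bind the management services themselves to the management network
# and disable services that are not needed, so a firewall mistake alone does not expose them.
/ip service
set ssh address=192.0.2.0/24
set winbox address=192.0.2.0/24
disable telnet,ftp,www,api

# Replace the default admin credentials with a long passphrase (placeholder value shown).
/user set admin password="CHANGE-ME-to-a-long-passphrase"

# Keep RouterOS current.
/system package update
check-for-updates
install
```

Re-run the Microsoft scanner after applying the change to confirm that no unexpected NAT or scheduler entries remain on the device.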
Read more in
Microsoft: Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
ZDNet: Microsoft: Here's how this notorious botnet used hacked routers for stealthy communication
Ars Technica: Trickbot is using MikroTik routers to ply its trade. Now we know why
Bleeping Computer: Microsoft creates tool to scan MikroTik routers for TrickBot infections
The Register: Has Trickbot gang hijacked your router? This scanner may have an answer