If you’ve been following the infosec Twitter community for the last few days, you couldn’t ignore the constant talk about the massive scans currently taking place online, carried out by a Hajime IoT botnet looking to mass-infect unpatched MikroTik devices.
All of the hoopla started on Sunday, March 25, when suspicious scans for port 8291 popped up out of the blue on everyone’s honeypots.
The new Hajime variant has been scanning a wide range of TCP ports since 2018-03-26. Now it scans 80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8291 and 8880. We observe these scanning activities at our honeypots. @360Netlab @chudyPB
— Masafumi Negishi (@MasafumiNegishi) March 27, 2018
So the old Hajime botnet is coming back with a new exploit which was published only about 13 days ago ( https://t.co/UEAOTF4DiZ ), it also looks for some old exploits like tr-064 but nothing exciting there. https://t.co/vyIDU7CXpn
— 360 Netlab (@360Netlab) March 25, 2018
The scans only continued in the following days, showing no sign of abating, and attracting attention from security researchers from all over the globe.
The attention was warranted, as the scans were anything but small and continued at an intensive rate. The first to spot them were researchers from Qihoo 360's Netlab team, who said today that this Hajime botnet performed over 860,000 scans in the last three days, although they could not tell how many of those scans resulted in successful infections.
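As an added illustration (not part of the original article or of Netlab's tooling), the following Python script tallies which of the ports listed in the tweet above each source touched in iptables-style firewall or honeypot logs; the log lines are constructed here, and the threshold of three distinct ports is an assumption. A single stray hit on 8291 is not very telling, but one source probing several ports from that set in quick succession looks like the sweep:

```python
import re
from collections import defaultdict

# Ports the new Hajime variant was observed scanning (from the tweet quoted above).
HAJIME_PORTS = {80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8291, 8880}

# Constructed sample of iptables-style log lines (hypothetical, not real honeypot data).
SAMPLE_LOG = """\
Mar 26 02:11:03 hp kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41022 DPT=8291 SYN
Mar 26 02:11:04 hp kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41023 DPT=8080 SYN
Mar 26 02:11:05 hp kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41024 DPT=8880 SYN
Mar 26 02:11:06 hp kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41025 DPT=81 SYN
Mar 26 02:12:10 hp kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=50001 DPT=443 SYN
Mar 26 02:12:11 hp kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=50002 DPT=8291 SYN
Mar 26 02:13:00 hp kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=8291
"""

# Pulls the source address, protocol and destination port out of one log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_hits(log_text):
    """Return {src_ip: set(dst_ports)} for TCP attempts against the Hajime port set."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("proto") != "TCP":
            continue  # unparseable line or non-TCP traffic; the sweep is TCP only
        port = int(m.group("dpt"))
        if port in HAJIME_PORTS:
            hits[m.group("src")].add(port)
    return dict(hits)


def flag_scanners(hits, min_ports=3):
    """Flag sources that probed at least min_ports distinct ports from the set.

    One hit on 8291 may be a lone connection attempt; several ports from the
    set hit by the same source is the pattern the honeypots reported.
    """
    return sorted(src for src, ports in hits.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for src in flag_scanners(parse_hits(SAMPLE_LOG)):
        print(f"{src} probed ports {sorted(parse_hits(SAMPLE_LOG)[src])}")
```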
Attackers use Chimay Red exploit against MikroTik devices
The exploit attackers were trying to use was a vulnerability known as “Chimay Red,” a bug that affects MikroTik RouterOS…