MikroTik and Ubiquiti routers being hijacked by Dyre malware?


Came across several interesting articles claiming there is a change in the way the Dyre (aka Upatre) malware is spreading. Dyre has been getting a lot of press because it is used in browser hijacks to steal online banking credentials and other sensitive private data. Most recently, however, rather than only infecting hosts, it appears to be compromising routers as well. The krebsonsecurity.com blog writes:

Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers — particularly routers powered by MikroTik and Ubiquiti’s AirOS.

As I first started researching this, I wondered how they determined that the router itself is compromised and not a host sitting behind the router on a NATed private subnet. Different devices do leave telltale signs in an IP packet capture that help point towards the true origin of a packet, so it's possible that something was discovered that way. It's also possible the router isn't being compromised from the Internet side but from the LAN side: it would be much easier for malware to scan the private subnet it sits on and attempt to log in to the router with well-known default credentials. While concerning, this LAN attack vector theory relies on the user not properly securing the router and doesn't indicate a vulnerability in the operating system of either router.

However, I then came across this thread on the Ubiquiti forums:

https://community.ubnt.com/t5/Installation-Troubleshooting/Attack-Malware/m-p/1285726/highlight/true#M83358

Apparently the attackers are taking advantage of routers that are in fact open and have writable storage, so that the router can serve as a distribution point for the malware and also as a C&C point from which to initiate attacks. The vulnerable firmware version mentioned in the thread is XW.v5.5.6. It's not exactly clear what makes this version vulnerable, but from reading the forum it seems likely that the firewall is not enabled by default, and with the credentials left unchanged the router becomes a target for Dyre. Somebody with more experience in Ubiquiti may be able to comment further, as I don't spend enough time with Ubiquiti to know for sure across the various code versions.

Example of Dyre using a Ubiquiti router to initiate attacks (the ./win9 processes are Dyre):

Mem: 58492K used, 3632K free, 0K shrd, 764K buff, 6588K cached
CPU:   0% usr   2% sys   0% nice  92% idle   0% io   0% irq   4% softirq
Load average: 0.03 0.06 0.01
  PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
15472 15355 ubnt     R     1992   3%   1% top
 2746  2724 ubnt     S    25400  41%   0% ./win9
 2742  2724 ubnt     S    25400  41%   0% ./win9
 2739  2724 ubnt     S    25400  41%   0% ./win9
 2744  2724 ubnt     S    25400  41%   0% ./win9
 2745  2724 ubnt     S    25400  41%   0% ./win9
 2738  2724 ubnt     S    25400  41%   0% ./win9
 2743  2724 ubnt     S    25400  41%   0% ./win9
 2737  2724 ubnt     S    25400  41%   0% ./win9
 3128  2919 ubnt     S    94836 152%   0% ./i
 3112  2919 ubnt     S    94836 152%   0% ./i
 3103  2919 ubnt     S    94836 152%   0% ./i
 3106  2919 ubnt     S    94836 152%   0% ./i
 3102  2919 ubnt     S    94836 152%   0% ./i
 3087  2919 ubnt     S    94836 152%   0% ./i
 3129  2919 ubnt     S    94836 152%   0% ./i
 3137  2919 ubnt     S    94836 152%   0% ./i
 3104  2919 ubnt     S    94836 152%   0% ./i
 3113  2919 ubnt     S    94836 152%   0% ./i
 3135  2919 ubnt     S    94836 152%   0% ./i
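The listing above is what a defender has to work with on an AirOS box: a BusyBox `top` snapshot. The following script, an added example that is not part of the original post and not Ubiquiti's or Dyre-related code, parses that format and applies three heuristics a responder would reach for when triaging such output: a command launched from a relative path (`./win9`, `./i`) rather than from installed firmware, a command name missing from an allowlist of expected daemons, and a large group of identical siblings under one parent (a worker pool). The allowlist and the clone threshold are assumptions for the example; a real allowlist should be built from a known-clean unit of the same firmware version. The sample input is constructed from the listing in the post, abbreviated to a few rows.

```python
"""Flag suspicious processes in BusyBox `top` output from an AirOS router.

Added example; not code from the original post or from Ubiquiti. The
heuristics below are assumptions about what a defender would look for,
not a vendor signature.
"""
import re
from collections import defaultdict

# Sample input: constructed from the listing in the post, abbreviated to a
# few rows (the parser handles any number of rows).
SAMPLE_TOP = """\
Mem: 58492K used, 3632K free, 0K shrd, 764K buff, 6588K cached
CPU:   0% usr   2% sys   0% nice  92% idle   0% io   0% irq   4% softirq
Load average: 0.03 0.06 0.01
  PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
15472 15355 ubnt     R     1992   3%   1% top
 2746  2724 ubnt     S    25400  41%   0% ./win9
 2742  2724 ubnt     S    25400  41%   0% ./win9
 2739  2724 ubnt     S    25400  41%   0% ./win9
 3128  2919 ubnt     S    94836 152%   0% ./i
 3112  2919 ubnt     S    94836 152%   0% ./i
 3103  2919 ubnt     S    94836 152%   0% ./i
 3106  2919 ubnt     S    94836 152%   0% ./i
"""

# Binaries a stock AirOS unit is expected to run. This is an assumption for
# the example; derive a real allowlist from a clean device.
KNOWN_COMMANDS = {"top", "init", "dropbear", "lighttpd", "hostapd", "udhcpc", "syslogd"}

# One BusyBox top row: PID PPID USER STAT VSZ %MEM %CPU COMMAND
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<user>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<vsz>\d+)\s+(?P<mem>\d+)%\s+(?P<cpu>\d+)%\s+(?P<cmd>.+?)\s*$"
)


def parse_top(text):
    """Return one dict per process row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("pid", "ppid", "vsz", "mem", "cpu"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def find_suspicious(rows, known=KNOWN_COMMANDS, clone_threshold=4):
    """Apply the three heuristics and return {pid: [reasons]}.

    1. Relative-path binary: dropped into a writable directory, not firmware.
    2. Command name not in the allowlist of expected daemons.
    3. At least clone_threshold identical siblings under one parent, which is
       what the post's ./win9 and ./i listings look like.
    """
    findings = defaultdict(list)
    siblings = defaultdict(list)
    for r in rows:
        name = r["cmd"].split()[0]
        if name.startswith("./"):
            findings[r["pid"]].append("relative-path binary")
        if name.lstrip("./") not in known:
            findings[r["pid"]].append("not in allowlist")
        siblings[(r["ppid"], name)].append(r["pid"])
    for (ppid, name), pids in siblings.items():
        if len(pids) >= clone_threshold:
            for pid in pids:
                findings[pid].append(f"{len(pids)} clones of {name} under ppid {ppid}")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in sorted(find_suspicious(parse_top(SAMPLE_TOP)).items()):
        print(pid, "; ".join(reasons))
```

Run it against the output of `top -bn1` captured over SSH from a suspect unit; the process named `top` itself produces no finding because it is in the allowlist and runs from the firmware path.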

MikroTik’s response

There is a thread on this at the MikroTik forums, and MikroTik's official response (below) is that this is mostly hype and there isn't a major threat. That seems to be true, provided your router is properly secured with a firewall and you change the default credentials. MikroTik routers do ship with the firewall enabled, which protects the less tech-savvy or forgetful user.

http://forum.mikrotik.com/viewtopic.php?t=98127

Conclusion

Neither vendor appears to have a vulnerability that exposes a serious code flaw. The answer here is an oldie but a goodie: properly configure the firewall and use complex credentials on Internet-facing routers.
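To make the "set the firewall, restrict management" advice concrete, here is an added example (not from the original post and not MikroTik's own code) that audits a RouterOS-style configuration export: it checks whether each management service in `/ip service` is either disabled or restricted with an `address=` list, and whether the `input` chain in `/ip firewall filter` ends in a drop rule. The weak and hardened samples are constructed for this example, and the line layout (`set <service> key=value`, `add key=value ...` under a `/ip ...` section header) is the assumed shape of an export, so verify it against an export from your own router before relying on the parser. Password strength is not visible in an export, so the credentials half of the advice still has to be checked by hand.

```python
"""Audit a RouterOS-style export for exposed management services and a
missing input-chain drop. Added example; not MikroTik's code."""
import shlex

# Constructed sample: services open to any address, empty filter table.
WEAK_EXPORT = """\
/ip service
set telnet disabled=no port=23
set ftp disabled=no port=21
set www disabled=no port=80
set ssh disabled=no port=22
set api disabled=no port=8728
set winbox disabled=no port=8291
/ip firewall filter
"""

# Constructed sample: unused services off, the rest bound to the LAN,
# and an explicit drop at the end of the input chain.
HARDENED_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24 disabled=no port=80
set ssh address=192.168.88.0/24 disabled=no port=22
set api disabled=yes
set api-ssl disabled=yes
set winbox address=192.168.88.0/24 disabled=no port=8291
/ip firewall filter
add action=accept chain=input comment="keep existing sessions" connection-state=established,related
add action=accept chain=input comment="LAN management" in-interface=ether2 src-address=192.168.88.0/24
add action=drop chain=input comment="drop everything else to the router"
"""


def _kv(tokens):
    """Turn ['a=b', 'c=d e'] into {'a': 'b', 'c': 'd e'}; bare words map to ''."""
    out = {}
    for t in tokens:
        k, _, v = t.partition("=")
        out[k] = v
    return out


def parse_export(text):
    """Return (services, filter_rules) from the export text.

    services: {name: {attr: value}} from '/ip service' set lines.
    filter_rules: list of {attr: value} dicts from '/ip firewall filter' add lines.
    """
    services, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # handles quoted comment="..." values
        if section == "/ip service" and tokens[0] == "set" and len(tokens) > 1:
            services[tokens[1]] = _kv(tokens[2:])
        elif section == "/ip firewall filter" and tokens[0] == "add":
            rules.append(_kv(tokens[1:]))
    return services, rules


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    services, rules = parse_export(text)
    findings = []
    for name, attrs in services.items():
        enabled = attrs.get("disabled", "no") == "no"  # RouterOS default: enabled
        if enabled and not attrs.get("address"):
            findings.append(f"service {name} reachable from any address")
    input_rules = [r for r in rules if r.get("chain") == "input"]
    if not any(r.get("action") == "drop" for r in input_rules):
        findings.append("input chain has no drop rule")
    elif input_rules[-1].get("action") != "drop":
        findings.append("input chain does not end with a drop rule")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(cfg) or ["clean"])
```

The hardened sample illustrates the two controls the post recommends: management services are only reachable from the LAN prefix, and anything not explicitly accepted on the `input` chain is dropped, so a unit with its default password still unchanged is at least not reachable from the Internet.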

References:

http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberheists/#more-31364

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf

MikroTik CCR1072-1G-8S+ Review (Part 1) – hardware, specs and design use cases


07/25/2015 - Thanks to Normunds at MikroTik for sending over photos of the production CCR-1072-1G-8S+, which have now been included in the slideshow.


CCR-1072-1G-8S+ available soon at roc-noc:

http://www.roc-noc.com/mikrotik/routerboard/CCR1072-1G-8Splus.html

UPDATE 7/10/2015 – MikroTik officially lists the CCR1072

http://routerboard.com/CCR1072-1G-8Splus

NOTE: The pictures in this review are of a pre-production CCR1072. The CCR1072 that is shipping has some minor differences on the mainboard and the case. MikroTik is sending updated pictures and we will post those as soon as they come in!

StubArea51.net prepares for CCR1072 performance testing in the Flowood, MS lab

Well, the long wait is finally over. According to Tom over at www.roc-noc.com, the CCR1072 will start shipping in the next 2 weeks and we will be adding it to our development lab in Flowood, MS. We were fortunate enough to get a significant amount of time with the new flagship router down in Miami at the 2015 USA MUM, thanks to MikroTik. The arrival of the CCR1072 and its 80 Gbps of throughput opens new doors for MikroTik: it positions the company to break into larger markets and to compete against industry players like Cisco and Juniper.

This review will be divided into three separate posts (this is Part 1):

  1. Hardware/Specs
  2. Throughput testing/performance
  3. BGP peer load testing.

The first section will focus on the design, hardware specifications and use cases. We will have a CCR1072 in the Stub Area 51 lab very shortly and will be connecting it to our 10 Gbps capable ESXi servers to provide TCP/UDP performance metrics on IPv4 and IPv6. We will also be testing the BGP Peering capability of the CCR1072 by connecting it to our service provider lab and sending multiple full feeds simultaneously to see how it handles the load.

Raw Specs and product description

Let’s take a look at the numbers and product description from MikroTik:

CCR1072-1G-8S+ is an industrial grade super fast router with cutting edge 72 core CPU. If you need many millions of packets per second – Cloud Core Router is your best choice.

  •  72 core networking CPU, 1 GHz clock per core
  •  16GB ECC RAM
  •  State of the art TILE GX architecture
  •  8x SFP+ ports for 10 Gigabit connectivity
  •  Ports directly connected to CPU
  •  Up to 80 Gbps throughput
  •  Over 100 million pps packet throughput
  •  1U rackmount case
  •  Color touchscreen LCD display
  •  Two hot-swap power supplies for redundancy
  •  MicroSD and 2x USB
  •  Two M.2 slots accept 800mm Key-M x4 PCIe 2.0 modules

Under the hood

With the air channel installed for the quad fan assembly


With the air channel removed, looking at the CPU heat sink


Power redundancy

One trend that I hope MikroTik continues across the rack-mount product line is the option of dual power supplies, as on the CCR1009. This has been a long-awaited feature on MikroTik routers, and it helps position MikroTik in segments where it has struggled to gain a foothold, such as enterprise and data center networking.


72 Cores for 80Gbps+ worth of Interwebs!

A look inside the heart of the beast at the 72-core Tilera TILE-Gx8072 processor.

MikroTik's published speed number for the CCR1072 is 80 Gbps, but if you read the Tilera specs, the chip is capable of 100 Gbps of throughput. The 80 Gbps rating appears to come from the 8 x 10 Gig interfaces connected to the mPIPE. It would be interesting to see whether any more 10 gig interfaces could be added via the PCIe slots.

Source: http://www.tilera.com/products/?ezchip=585&spage=618

Use Cases

  • Service Provider – A number of ideas come to mind for ISPs – This could be used in the core / distribution with BGP/OSPF/MPLS, although it may not be the most efficient router to use to terminate public BGP until the router can process the tables more quickly. This would also make a great PE for a larger MPLS network that needs more resources on the PE. We will be testing the CCR1072 with multiple full feeds to see how well it handles them.
  • Data Center - This could easily be the Layer 3 core of even a medium-sized data center, and certainly of anyone renting a partial rack of colo space. Inter-VLAN routing at 80 Gbps easily exceeds the needs of all but the big data operators. These could also be used for throughput to IP-based storage like NFS or iSCSI. There is a trend in data center design towards moving dynamic routing down to the end host, and the 1072 could be positioned as a TOR (Top of Rack) or EOR (End of Row) L3 routing point.
  • High throughput L4-L7 Firewall – When used as a firewall deployed at Layer 2 or 3, this router can move a large amount of data through its stateful firewall. Considering the Cisco 5585x starts at 20 gig of throughput and is typically approaching $100,000 to deploy, this could be a game changer in the firewall world at just under $3K per box.
  • High Performance IPv4 / IPv6 Proxy / Web Cache - The SD slot opens up some great possibilities to build a high performance web proxy with caching. Throw in some Layer 7 rules and you have a very economical IPv4 / IPv6 dual-stack proxy capable of pushing traffic way beyond the capacity of most Internet pipes.
  • Enterprise - When coupled with the right 10 gig switch, the CCR1072 is well suited to run an enterprise campus and handle converged data, voice and video. The 1072 is ideal for a core or distribution layer in the enterprise.

Design Example – Data Center CCR1072 implementation

This is a design adapted from an initial data center buildout we labbed and presented at the US 2014 MUM, on achieving HA and high throughput with a CCR1036-8G-2S+ as the Layer 3 core in a data center. We have taken many of the design principles of that network and updated the design for the CCR1072.

See the presentation slides in PDF format: Mikrotik-Data-Center-MUM-2014_KevinMyers-4-by-3

Video is below:

The original design was built using the CCR1036-8G-2S+ and used 20 Gig LACP channels to achieve 40 Gbps of aggregate throughput using ECMP with OSPF/BGP. Now that the CCR1072 has been released, we can increase the aggregate throughput to 160 Gbps between two routers and 320 Gbps using four routers.

Coming next: MikroTik CCR1072-1G-8S+ Review (Part 2) - BGP performance testing using multiple peers with full BGP tables.