Detect if your router is affected by TrickBot
TrickBot is a security threat that has been very active in recent years. It is a botnet that is normally distributed by email using phishing tactics, or through other malware that has previously infected the victim. Once installed, it connects to a server controlled by the attacker, which can then send malicious payloads to the infected computer.
This threat has affected a wide variety of IoT devices, and routers as well. It makes the attacked device act as a proxy between the device and the attackers’ server. In recent times, attackers have used TrickBot to compromise MikroTik routers.
To gain access, the attackers relied mainly on default credentials. For this reason, it is important that you always change the factory-set login details when you buy a router. They can also perform brute-force attacks to gain control of devices, and they have exploited vulnerabilities such as CVE-2018-14847.
The problem is that hundreds of thousands of MikroTik routers are still vulnerable. For this reason, Microsoft has launched a tool called routeros-scanner, with which administrators can analyze devices of this brand to find out whether they are infected with TrickBot and take action as soon as possible.
Basically, the script determines the version of the device and whether it is vulnerable to a given flaw, and it checks for scheduled tasks, traffic redirection rules, DNS cache poisoning, changes to default ports, suspicious files and proxies. This helps to establish whether that specific device is in danger.
How to protect MikroTik routers
The first thing you should do is make sure the router is running the latest version. Security researchers recommend RouterOS versions higher than 6.45.6. Keeping devices updated is essential in order to stay protected and avoid problems.
In addition, it is important to change the password that comes by default on the router. Use a new password that is strong and has everything necessary to make it very difficult to find out through the methods attackers use, such as brute force.
Another tip from security researchers is to block external access to port 8291, and to change the default SSH port, which is 22, to a different one. One more recommendation is to use a VPN for remote access and to restrict remote access to the router.
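The checks the scanner performs and the hardening tips above can also be applied to a saved configuration export. The following Python script is an added example, not part of the original article and not Microsoft's routeros-scanner; it assumes text in the format produced by the RouterOS "/export verbose" command with no wrapped lines, and the sample export, addresses and names in it are constructed.

```python
import re

MIN_SAFE = (6, 45, 6)  # the article recommends RouterOS versions higher than this
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
# Constructed sample in the format of "/export verbose"; not from a real device.
SAMPLE_EXPORT = '''\
# jan/02/2022 10:00:00 by RouterOS 6.42.1
/ip service
set ssh address="" disabled=no port=22
set winbox address="" disabled=no port=8291
/ip socks
set enabled=yes port=1080
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=203.0.113.10 to-ports=80
/system scheduler
add interval=30m name=job1 on-event="/tool fetch url=http://example.invalid/a"
/ip dns static
add address=203.0.113.20 name=update.example.invalid
'''

def audit(export_text):
    """Return a list of findings to review for a RouterOS export text."""
    findings, section = [], ""
    m = re.search(r"by RouterOS (\d+(?:\.\d+)*)", export_text)
    if m and tuple(int(p) for p in m.group(1).split(".")) <= MIN_SAFE:
        findings.append(f"version {m.group(1)} is not higher than 6.45.6")
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line  # menu path such as "/ip service"
        if not line.startswith(("set ", "add ")):
            continue
        kv = {k: v.strip('"') for k, v in PAIR.findall(line)}
        svc = line.split()[1] if section == "/ip service" else ""
        if svc == "ssh" and kv.get("port") == "22":
            findings.append("SSH still listens on default port 22")
        elif svc == "winbox" and kv.get("disabled") != "yes" and not kv.get("address"):
            # Heuristic: an empty address list means any source may connect.
            findings.append(f"Winbox port {kv.get('port', '8291')} has no source restriction")
        elif section == "/ip socks" and kv.get("enabled") == "yes":
            findings.append("SOCKS proxy is enabled")
        elif section == "/ip firewall nat" and kv.get("action") in ("dst-nat", "redirect"):
            findings.append(f"traffic redirection rule to review: {line}")
        elif section in ("/system scheduler", "/ip dns static") and line.startswith("add "):
            findings.append(f"{section} entry to review: {kv.get('name')}")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

A finding here means "review this entry", not "infected": scheduled tasks, NAT rules and static DNS records are also used legitimately, and port 8291 may be blocked by a firewall rule instead of the service address list.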
In short, as you have seen, Microsoft has launched a tool to check whether a MikroTik router is affected by TrickBot. However, it is important that you follow a series of tips to keep your router from suffering some type of cyber attack.