Daily Archives: April 15, 2018

Hajime Botnet Scanning for Vulnerable MikroTik Routers

Over the last few weeks, security researchers from around the globe have shared concerns about scans being carried out by a Hajime IoT botnet looking to mass-infect unpatched MikroTik devices. According to Bleeping Computer, the attackers were trying to use a vulnerability that affects MikroTik RouterOS firmware 6.38.4 and earlier, and which allows attackers to execute code and take over the device. This vulnerability, called "Chimay Red", was one of the flaws included in the WikiLeaks "Vault 7" leak of alleged CIA hacking tools, and has also been used to compromise MikroTik routers by changing hostnames of vulnerable devices in the past year.

This incident is a reminder of the widespread problem of security vulnerabilities within Internet-connected devices, which makes them an attractive target to hackers looking to recruit them within IoT botnets.

What is the Hajime botnet?

Hajime is an IoT worm that was discovered by security researchers at Rapidity Networks in October 2016. Like Mirai before it, Hajime takes advantage of default login details to brute-force its way into unsecured devices with open Telnet ports. These unsecured IoT devices offer huge spoils for malicious attackers, giving them the potential to harness thousands of devices, turn them into a botnet army and use it to launch damaging DDoS attacks. Last year, Kaspersky Lab revealed that the botnet had already built up a compromised network of 300,000 devices.

Botnet herding

So far the Hajime botnet has not been observed launching any high-profile attacks, but it remains a concern for security experts due to its sophisticated mechanisms, its flexible design and the fact that its objectives remain unknown. In the recently reported activity, Hajime has been observed carrying out its IoT worm behaviour: aggressively scanning specific network ports to find vulnerable MikroTik devices, including trying the Chimay Red exploit. If successful, it installs a new copy of itself on the victim. Bot herders do this to gather an ever-growing “herd” of bots that can subsequently be used to launch malicious activity, including DDoS attacks.

A step towards protection

The sheer volume of unsecured or vulnerable IoT devices in circulation poses a serious challenge for security. After all, any device that has an Internet connection and a processor can be an exploit target. In an ideal world, all devices should be forced to go through some sort of basic configuration check before being connected to the Internet to avoid default vulnerabilities. Many industry figures are arguing for increased regulation of IoT devices, but even if this is brought into effect, it will likely only relate to new devices being manufactured in the future, rather than the plethora of unsecured devices already available and currently acting as ‘sitting ducks’ waiting to be recruited into botnets. The best defence against IoT botnet-driven DDoS attacks is to deploy an in-line, automated solution at the network edge, which can detect and mitigate any unusual network activity in real-time, and eliminate threats from entering a network.


Let’s stop talking about password strength

Picture from EFF -- CC-BY license
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavior, such as using bcrypt, there is less onus on the user.
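The two halves of the mechanism described above, as an added example that is not from the original post: the frontend rule the post quotes (at least 8 characters, mixing letters and non-letters) and the backend contrast between an unsalted MD5 digest and a salted, deliberately slow hash. The post names bcrypt; PBKDF2-HMAC-SHA256 from the Python standard library is assumed here as a stand-in with the same salted-and-costly properties, and the sample password is constructed.

```python
import hashlib
import hmac
import os

# Frontend rule quoted in the post: at least 8 characters, both letters and non-letters.
def meets_policy(password: str) -> bool:
    has_letter = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    return len(password) >= 8 and has_letter and has_other

# The old backend: an unsalted MD5 digest. Every user with the same password gets
# the same hash, so one precomputed table cracks all of them at once.
def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# The modern backend: a per-user random salt plus a slow key-derivation function.
# bcrypt is the post's example; PBKDF2-HMAC-SHA256 is used here as a stdlib stand-in.
ITERATIONS = 200_000

def hash_password(password: str, salt=None) -> str:
    salt = salt if salt is not None else os.urandom(16)   # fresh salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Store algorithm, cost and salt alongside the digest so verification is self-contained.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    pw = "correct-horse-7"   # constructed sample password
    print(meets_policy(pw))                          # policy passes
    print(md5_unsalted(pw) == md5_unsalted(pw))      # identical for every user
    print(hash_password(pw) == hash_password(pw))    # differs: salts are random
    stored = hash_password(pw)
    print(verify_password(pw, stored), verify_password("wrong-guess-9", stored))
```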

But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, the fact that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice, we give lazy advice. We give advice that victim-shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.