Hajime Botnet Scanning for Vulnerable MikroTik Routers

Over the last few weeks, security researchers from around the globe have shared concerns about scans being carried out by a Hajime IoT botnet looking to mass-infect unpatched MikroTik devices. According to Bleeping Computer, the attackers were trying to use a vulnerability that affects MikroTik RouterOS firmware 6.38.4 and earlier, and which allows attackers to execute code and take over the device. This vulnerability, called “Chimay Red”, was one of the flaws included in the WikiLeaks “Vault 7” leak of alleged CIA hacking tools, and has also been used to compromise MikroTik routers by changing hostnames of vulnerable devices in the past year.

This incident is a reminder of the widespread problem of security vulnerabilities within Internet-connected devices, which makes them an attractive target to hackers looking to recruit them within IoT botnets.

What is the Hajime botnet?

Hajime is an IoT worm that was discovered by security researchers at Rapidity Networks in October 2016. Like Mirai before it, Hajime takes advantage of default login details to brute-force its way into unsecured devices with open Telnet ports. These unsecured IoT devices offer huge spoils for malicious attackers, giving them the potential to harness thousands of devices and turn them into a botnet army and used to launch damaging DDoS attacks. Last year, Kaspersky Lab revealed that the botnet had already built up a compromised network of 300,000 devices.

Botnet herding

So far the Hajime botnet has not been observed launching any high profile attacks, but it remains a concern for security experts due to its sophisticated mechanisms, its flexible design and the fact that its objectives remain unknown. In this recently reported activity, Hajime is being observed while performing its IoT worm activity. It is aggressively scanning specific network ports to find vulnerable MikroTik devices, including trying the Chimay Red exploit. If successful, it will install a new copy of itself on the victim. Bot herders do this to gather an ever-growing “herd” of bots that can be subsequently used to launch malicious activity, including DDoS attacks.

A step towards protection

The sheer volume of unsecured or vulnerable IoT devices in circulation poses a serious challenge for security. After all, any device that has an Internet connection and a processor can be an exploit target. In an ideal world, all devices should be forced to go through some sort of basic configuration check before being connected to the Internet to avoid default vulnerabilities. Many industry figures are arguing for increased regulation of IoT devices, but even if this is brought into effect, it will likely only relate to new devices being manufactured in the future, rather than the plethora of unsecured devices already available and currently acting as ‘sitting ducks’ waiting to be recruited into botnets. The best defence against IoT botnet-driven DDoS attacks is to deploy an in-line, automated solution at the network edge, which can detect and mitigate any unusual network activity in real-time, and eliminate threats from entering a network.

For more information, please contact us.