Infected Mikrotik Device - chmhlpr.dll

Mikrotik's official forum declares that this exploit only works until RouterOS v.6.38.4, however this particular victim was running version 6.38.5 of the firmware, making it unclear whether this version is still vulnerable or if attackers used a different one. We contacted Mikrotik and reported this attack procedure. According to Mikrotik, latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.

Downloader related to Slingshot.
That makes us believe that Slingshot is able to target victims by directly infecting Mikrotik routers in order to abuse this mechanism used by WinBox. We do not know how these routers were compromised, however Wikileaks' Vault7 describes the use of the ChimayRed exploit to compromise such devices. The exploit is now available on GitHub. Mikrotik's official forum declares that this exploit only works until RouterOS v.6.38.4, however this particular victim was running version 6.38.5 of the firmware, making it unclear whether this version is still vulnerable or if attackers used a different one. We contacted Mikrotik and reported this attack procedure. According to Mikrotik, latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.

https://mikrotik.com/download/changelogs/ - so this would have been it here, a year ago

Release 6.38.5 2017-03-09

What's new in 6.38.5 (2017-Mar-09 11:32):

!) www - fixed http server vulnerability;