<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div><div class="">Step 1 would be to check the iACLs and Exploitable Port Filters on your network. 2017 illustrated that too many ISPs, Telcos, Mobile Operators, and Cloud providers allow external IP addresses to telnet/ssh into the network’s infrastructure. </div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 13, 2018, at 7:09 AM, Robert MARTIN-LEGENE <<a href="mailto:robert@pch.net" class="">robert@pch.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  

  
  <div bgcolor="#FFFFFF" text="#000000" class=""><p class="">This should affect the LAC region too, since so many use MikroTik.<br class="">
    </p>
    <div class="moz-forward-container"><br class="">
      -------- Forwarded Message --------
      <table class="moz-email-headers-table" border="0" cellpadding="0" cellspacing="0">
        <tbody class="">
          <tr class="">
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE" class="">Subject:
            </th>
            <td class="">[afnog] Slingshot APT: Malware spread via routers</td>
          </tr>
          <tr class="">
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE" class="">Date: </th>
            <td class="">Tue, 13 Mar 2018 13:48:51 +0400</td>
          </tr>
          <tr class="">
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE" class="">From: </th>
            <td class="">Daniel Shaw <a class="moz-txt-link-rfc2396E" href="mailto:daniel@afrinic.net"><daniel@afrinic.net></a></td>
          </tr>
          <tr class="">
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE" class="">To: </th>
            <td class="">afnog <a class="moz-txt-link-rfc2396E" href="mailto:afnog@afnog.org"><afnog@afnog.org></a></td>
          </tr>
        </tbody>
      </table>
      <br class="">
      <br class="">
      <pre class="">For anyone that uses MikroTik, now is a good time to make sure your firmware is updated and scan any network admins' windows workstations.

<a class="moz-txt-link-freetext" href="https://www.kaspersky.com/blog/web-sas-2018-apt-announcement-2/21514/">https://www.kaspersky.com/blog/web-sas-2018-apt-announcement-2/21514/</a>

<a class="moz-txt-link-freetext" href="https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/">https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/</a>

<a class="moz-txt-link-freetext" href="https://www.engadget.com/2018/03/11/sophisticated-malware-attacks-through-routers/?sr_source=Facebook">https://www.engadget.com/2018/03/11/sophisticated-malware-attacks-through-routers/?sr_source=Facebook</a>

<a class="moz-txt-link-freetext" href="https://securelist.com/apt-slingshot/84312/">https://securelist.com/apt-slingshot/84312/</a>

It doesn't seem to be that widely detected so far, but what makes this one interesting is how long it's remained undetected. And what is perhaps of interest to this list is that it seems to target mostly Africa (and the Middle East).

Regards,
Daniel




</pre>
    </div>
  </div>

</div></blockquote></div><br class=""></body></html>