Security Breach - Compromised accounts

During a breach of CTWUG by bruteforcing, the following user accounts were compromised on at least one router. Someone logged into these accounts on at least one router. Please consider these accounts compromised. If you use these passwords for anything else, please change them ASAP. This is not a complete list, as these are the ones I found on routers running wms. I extracted this from central logs.

We are in the process of investigating this incident and will feed back once resolved. So please don’t investigate yourself. We will advise the outcome.

It logged into various routers using the admin account (also the ctwug account).

Users affected:
@nyvenZA (nyvenza and nyven)
@Fubar (FU3AR)
Bennie
@Hunted (B)
Prestige
@Ogon
@Diabolix (DiabolixB)
@dade
@Graphire
@German
@JellyBean
@tafseer (taf & Hyperlink)
@dizzle
@pilgrim
@PollyG
@Dan
@Jypels
@TFyre (TfyreB)
@WetKit
@roman
@Musha
@Louis
@Ironman
@aspi
Internet (weird username?)
@WireIce
@STIAAN
@Stiaanm
@Rellik
atlas
david (not sure which, @Firestarter @David1 @David)
@Trojan

A couple of proposals to deal with the above:

  1. I can remove these accounts on all routers that have WMS installed. Would need to ensure that we have a backup account (user wms with ssh access and radius).
  2. I can change these accounts on all routers that have WMS to a random password (unique to that router).
  3. I can remove all accounts where the hacker logged in successfully (only WMS), only leaving the radius / wms user active. The reason is that he probably gained the credentials of any account on a router where he logged in. The wms account is relatively safe as it is ssh key based. I will re-randomise the password for that account anyway.

I would say the best would be to do both 1 and 3. This would still leave non-WMS routers as is. Not much I could do about it, I think.

To do the above, the @NetworkAdmins would need to help me restore access to routers where only radius would then be active, as it would lead to a lot of queries from people as they would lose access to their routers…

I’d like some opinions from people on what to do.
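Proposals 1 and 3 as a per-router RouterOS script, added here as an illustration and not part of the original post or of WMS: it refuses to run unless the key-based wms account and radius are in place, then removes only the listed local users. The username list is a constructed sample taken from the post; "wms" and the radius setting are assumed from the thread.

```routeros
# Added example (not from the thread). Constructed sample of compromised
# local usernames from the post; extend as needed.
:local compromised {"ogon";"nyvenza";"nyven";"FU3AR";"DiabolixB";"TfyreB"}

# Refuse to run unless the break-glass login still works, so that no
# router is left with no remaining way in.
:if ([:len [/user find name="wms"]] = 0) do={
    :error "wms account missing - aborting, router would be locked out"
}
:if ([:len [/user ssh-keys find user="wms"]] = 0) do={
    :error "wms account has no SSH key - aborting"
}
:if ([/user aaa get use-radius] = false) do={
    :error "radius login not enabled - aborting, users would lose all access"
}

# Remove each compromised local account that exists on this router and
# leave an audit trail in the router log (collected by central logging).
:foreach u in=$compromised do={
    :if ([:len [/user find name=$u]] > 0) do={
        /user remove [find name=$u]
        /log warning ("breach cleanup: removed local user " . $u)
    }
}
```

Run it on each WMS-managed router over the existing wms SSH access; the guards at the top are what keep option 3 from turning into the lockout the post worries about.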


Removing all logins from OSPF RBs and changing the wms password, I think, will do the trick.
This would be option 1, to avoid further risk. Just my thoughts.

What would the point be of hacking into ctwug?

I suspect it was automated to some degree. Just trying all possible accounts.


This will mean that people without a radius login will lose write access to their own RBs.

I think people should be given the chance to change their logins.

**To everyone who has an Ogon login on your routerboard, please remove it ASAP, as well as all other compromised users mentioned above.**

Some of those users’ logins aren’t easy to guess (I know a few). I can understand if the user was ogon ogon.

Well, in theory the hacker has their login on that RB as well. People would need to ask @NetworkAdmins to add an account for them again. It’s a big step, hence me asking for comments.

Also I really don’t want to get into the mechanics of this. I don’t want to discuss how it happened. But clearly many logins are on many routers. Most people will not be able to track these down and remove them. So this risk will remain with us for some time.

To remove them manually will be slow and time-consuming and, knowing 75% of wuggers, will never be done.

Don’t think this is the way to go, it is wuggers’ personal routerboard.

Why do you need to hide it from everyone and the person who did it? Typical as always with the comms.


Because there is a process to follow and the committee needs to review and make a decision etc. Will let you know once the process is done.


@spin, this is more than likely on an RB where my username doesn’t have a password or where the password is the same as the username. Not likely that my password was bruteforce attacked. Feel free to remove this login from any/all RBs.


This hack did extract passwords. Can’t be sure if this is the case for you, but it definitely logged into users with passwords set.

Surely a breach of this magnitude should’ve been resolved before telling everyone “hey, go mess with these accounts”, because it’s already possible :grin:

But I find it funny how HACK and BRUTEFORCE are used in the same sentence :wink:

My vote is for removing all the compromised accounts and starting over :smiley:
And then some tech info on what happened, of course!!

Many ways to do this. I’m sure there are ways to improve, but there is also a time issue. I was not getting to it all. I’d rather people know, especially if they use the same passwords for other stuff.

I will post what I think happened later.


Hi Spin

I have seen this thread on the Forum and did change all my passwords on most of my OSPF RBs as well as individual RBs.
Thank you for informing us of this breach.

PollyG


Maybe a bit of a branch-off to this thread. Bit of a warning for those with RBs facing the Internet: I am seeing an incredible number of attempts to get into RBs via Winbox.

From around 08:00 this morning:

On another site (also from 08:00-ish) I did find a bit of humour in it; these are all Zimbabwe-based IPs:


You should not allow Winbox access from the internet unless you limit the IPs that can access it to only your trusted IPs.
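The restriction described above in RouterOS terms, added here as an example and not taken from the thread: the weak default beside a hardened configuration that limits Winbox at both the service and the firewall, and logs the leftover attempts the poster was seeing. The address ranges and list name are constructed placeholders.

```routeros
# Added example (not from the thread). 10.0.0.0/8 and 203.0.113.10 are
# constructed placeholders for the WUG mesh and one trusted admin address.

# Weak (the RouterOS default): Winbox answers on every interface to any
# source address, so internet-facing routers get bruteforced all day.
# /ip service set winbox address=""

# Hardened, step 1: bind the Winbox service itself to trusted sources.
/ip service set winbox address=10.0.0.0/8,203.0.113.10

# Hardened, step 2: enforce the same limit in the input chain, so it still
# holds if the service list is reset, and log what gets dropped so the
# attempts show up in central logging instead of going unnoticed.
/ip firewall address-list add list=mgmt-trusted address=10.0.0.0/8 comment="WUG mesh"
/ip firewall address-list add list=mgmt-trusted address=203.0.113.10 comment="home admin IP"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt-trusted action=accept comment="winbox from trusted"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop log=yes log-prefix="winbox-blocked" comment="winbox from elsewhere"
```

Filter rules are evaluated in order, so the two Winbox rules must sit above any broad accept rule already in the input chain (use place-before= when adding them to an existing ruleset).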