At the end of last month, the infosec Twitter community was aflame with talk about the return of the Hajime IoT botnet, seeking out unpatched MikroTik devices to commandeer.
Suspicious scans for port 8291 first alerted security researchers to its return. On March 28th, numerous security professionals tweeted about the likely return of Hajime, including 360 Netlab: “So the old Hajime botnet is coming back with a new exploit which was published only about 13 days ago (https://www.exploit-db.com/exploits/44284/ ), it also looks for some old exploits like tr-064 but nothing exciting there.”
The scans increased over subsequent days, and security researchers worldwide began to follow their progress. The 360 Netlab team from Qihoo said that the Hajime botnet had performed over 860,000 scans across three days at the end of March, although it was unable to tell how many of these resulted in successful takeovers.
The vulnerability that attackers were trying to exploit is known as “Chimay Red”, a bug that affects MikroTik RouterOS firmware 6.38.4 and earlier versions, giving attackers the opportunity to execute code and take over the infected device with the Hajime bot, a type of malware that is known for building huge botnets. The last time that the Hajime bot struck, it reached over 300,000 devices. At the time, Hajime wasn’t used to perform any kind of malicious action, such as DDoS attacks. However, researchers then and now worry that a rogue APT may take over the botnet’s operations from its original owner.
The word Hajime comes from the Japanese word for “beginning” as the malware specifically aimed to compromise the very same devices that Mirai had infected. Mirai is the Japanese word for “future”. The connection to Mirai is significant as Hajime first came to public attention in the middle of several DDoS attacks performed by Mirai. Similarly to Mirai, the Hajime botnet spreads via unsecured devices with open Telnet ports that use default passwords. Hajime actually uses the exact same username and password combinations that Mirai is programmed to use, in addition to two more. However, Hajime is stealthier and more advanced than Mirai, and is built on a peer-to-peer network rather than using hardcoded addresses for its C&C server as Mirai does.
Rapidity Networks was the first security firm to spot Hajime in the wild. Rapidity believed that the Hajime worm was “the work of a white hat hacker attempting to wrestle control of IoT devices from Mirai and other malicious threats”.
On March 27th, MikroTik advised its users via Twitter that “a mass scan for open ports 80/8291(Web/Winbox) is taking place”. MikroTik cautioned users, “To be safe, firewall these ports and upgrade RouterOS devices to v6.41.3 (or at least, above v6.38.5).”
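The two defensive checks the article implies, spotting a source sweeping the Winbox (8291) and web (80) ports described above and classifying a RouterOS version against the thresholds MikroTik quoted, as an added example that is not part of the original article. The firewall log lines are constructed for the example and their format is an assumption, not MikroTik's own log format; the helper names are likewise invented here.

```python
"""Added example: detect management-port sweeps in firewall logs and
classify a RouterOS version against the article's stated thresholds."""
import re
from collections import defaultdict

# Ports named in the MikroTik advisory: 8291 (Winbox) and 80 (web UI).
MIKROTIK_MGMT_PORTS = {8291, 80}

# Constructed sample log (syslog-like iptables format, an assumption):
# one source touching five hosts on 8291/80, one legitimate admin host.
SAMPLE_LOG = """\
Mar 28 10:01:02 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8291
Mar 28 10:01:02 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=8291
Mar 28 10:01:03 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP DPT=8291
Mar 28 10:01:03 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP DPT=80
Mar 28 10:01:04 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP DPT=8291
Mar 28 10:02:00 fw kernel: ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 28 10:02:30 fw kernel: ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=8291
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")


def find_mgmt_port_sweeps(log_text, min_targets=3):
    """Return {source_ip: sorted distinct destinations} for every source that
    probed at least `min_targets` distinct hosts on a MikroTik management port.
    A single admin host reaching one router on 8291 is not reported."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) not in MIKROTIK_MGMT_PORTS:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def parse_routeros_version(text):
    """'v6.41.3' or '6.38' -> (6, 41, 3) / (6, 38); tuples compare lexicographically."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def routeros_status(version):
    """Classify against the thresholds quoted in the article:
    Chimay Red affects 6.38.4 and earlier; MikroTik asked for v6.41.3,
    or at the very least a release above v6.38.5."""
    v = parse_routeros_version(version)
    if v <= (6, 38, 4):
        return "vulnerable"          # inside the affected range
    if v <= (6, 38, 5):
        return "below-minimum"       # not "above v6.38.5" as the advisory requires
    if v < (6, 41, 3):
        return "meets-minimum"       # above 6.38.5 but short of the advised v6.41.3
    return "recommended"


if __name__ == "__main__":
    for src, dsts in find_mgmt_port_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {len(dsts)} hosts probed on 8291/80")
    for ver in ("6.38.4", "6.38.5", "6.40.1", "6.41.3"):
        print(ver, routeros_status(ver))
```

The sweep detector keys on distinct destinations rather than raw packet counts, so a noisy but legitimate management session against one router stays below the threshold while a scanner walking a subnet is reported after a handful of hosts; tune `min_targets` to the size of the address space the firewall fronts.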