Up to 300,000 routers made by Latvia-based MikroTik are vulnerable to remote attacks that can surreptitiously corner devices in botnets that steal confidential user data and participate in DDoS attacks that paralyze the Internet, the researchers said.
The estimate, made by researchers at the security firm Eclypsium, is based on Internet scans that searched for MikroTik devices using firmware versions known to contain vulnerabilities that were discovered within the last three years. While the manufacturer has released patches, Eclypsium research shows that a significant proportion of users have yet to install them.
“Given the challenges of updating MikroTik, there are a large number of devices with these vulnerabilities from 2018 and 2019,” Eclypsium researchers wrote in a post. “Taken together, this provides attackers with many opportunities to gain full control over very powerful devices, positioning them to be able to target devices both behind the LAN port and at other devices on the Internet.”
Adopted by script kiddies and nation-states alike
The concern is far from theoretical. In early 2018, researchers at security firm Kaspersky said that a powerful state malware called Slingshot, which had gone undetected for six years, initially spread via MikroTik routers. The attacks downloaded malicious files from vulnerable routers by abusing a MikroTik configuration utility known as Winbox, which transferred the device’s file system payloads to a connected computer.
A few months later, researchers at the security company Trustwave discovered two malware campaigns against MikroTik routers after reverse engineering a CIA tool that was leaked into a WikiLeaks series known as Vault7.
Also in 2018, China’s Netlab 360 reported that thousands of MikroTik routers had been dragged into a botnet by malware targeting a vulnerability tracked as CVE-2018-14847.
Eclypsium researchers said that CVE-2018-14847 is one of at least three high-severity vulnerabilities that remains unpatched on the Internet-connected MikroTik devices they tracked. Combined with two other vulnerabilities located in Winbox:CVE-2019-3977 and CVE-2019-3978“Eclypsium found 300,000 vulnerable devices.” Once hackers infect a device, they typically use it to launch more attacks, steal user data, or participate in distributed denial-of-service attacks.
Researchers have published a free software tool that people can use to detect if their MikroTik device is vulnerable or infected. The company also offers other tips for locking devices. As always, the best way to protect a device is to make sure it is running the latest firmware. It is also important to replace the default passwords with strong ones and disable remote administration unless necessary.