Around 300K MikroTik devices are vulnerable to remote botnet attacks

Critical vulnerabilities that can be exploited by cryptomining malware found in routers

[Image: MikroTik devices found vulnerable]

Researchers found at least 20 000 exposed devices that injected cryptocurrency mining scripts into web pages that users visited

MikroTik routers were found to be exploitable due to a security bug. The flaw can be used to mount DDoS attacks and plant malware.[1] Around 300 000 IP addresses belong to devices found vulnerable to various remotely exploitable security flaws.[2]

The bugs have been patched since their discovery, but MikroTik is a popular supplier of routers and other wireless ISP devices, so owners should make sure to follow the manufacturer's update instructions. Many devices may still be exposed to these three critical vulnerabilities. Exploitation of the remote code execution flaws can lead to complete device takeover, and that remains a very real risk.

MikroTik is a Latvian company that has sold over 2 000 000 devices globally. Most of the affected devices are located in China, Brazil, Italy, Russia and Indonesia. Unfortunately, the popularity and powerful features of these devices have also made them attractive to attackers and criminals. The researchers[3] noted:

This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka 'C2'), traffic tunneling, and more.

Deployment worldwide makes devices a great target

The number of deployed devices and the leverage they offer is an attractive opportunity for cybercriminals, so they pose a serious attack risk. Threat actors try to use such opportunities to gain access to systems and deploy their programs or malware. Earlier this year,[4] botnets were built using a security vulnerability in the devices' operating system.

The Meris botnet staged its denial-of-service attack on Yandex using a particular MikroTik vulnerability as the attack vector. The attackers targeted the Russian internet company by exploiting critical security flaws from 2018 and 2019 in devices that had not been properly patched.

The vulnerabilities reported now:

  • CVE-2019-3977 – CVSS score of 7.5. Insufficient validation in RouterOS allows a reset of all usernames and passwords.
  • CVE-2019-3978 – CVSS score of 7.5. Insufficient protection of a critical resource leads to cache poisoning.
  • CVE-2018-7445 – CVSS score of 9.8. SMB buffer overflow flaw.
  • CVE-2018-74847 – CVSS score of 9.1. Directory traversal vulnerability in the WinBox interface.

Possible usage of these flaws

Researchers found at least 20 000 machines exposed through these flaws that had injected cryptocurrency-mining scripts into websites users visited. This demonstrated that compromised routers can be used for malicious code injection and traffic tunneling.

The ability for compromised routers to inject malicious content, tunnel, copy, or reroute traffic can be used in a variety of highly damaging ways.

Such DNS poisoning can redirect a user to a malicious website or place an attacker in a man-in-the-middle position. At that point attackers have many tools and techniques available to achieve their goals: sensitive information can be captured, and enterprise traffic can be tunneled to another location or even have malicious content injected into the tunnel.

MikroTik devices are not the only ones that are vulnerable and exploitable, so devices need to receive updates and patches in time. Machines running RouterOS version 6.45.6 or older are exposed to at least one of the listed security vulnerabilities.[5]
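As an added example (not code from the article or from MikroTik), the version threshold above can be turned into a triage check over a device inventory: it parses RouterOS version strings in the forms devices report them, including pre-release forms such as 6.45rc1, and flags anything at or below 6.45.6 for patching. The inventory below is constructed sample data, not real devices.

```python
import re
from typing import Dict, List, Optional, Tuple

# Threshold stated in the article: RouterOS 6.45.6 or older is exposed to
# at least one of the listed vulnerabilities.
LAST_AFFECTED = (6, 45, 6)

# major.minor[.patch] optionally followed by an rc/beta tag or a channel note
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(?:rc\d*|beta\d*)?", re.IGNORECASE)


def parse_routeros_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '6.45.6', '6.45rc1' or '6.48.3 (stable)' into (major, minor, patch).
    A missing patch component is treated as 0. Returns None for non-versions."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    patch = int(m.group(3)) if m.group(3) else 0
    return (int(m.group(1)), int(m.group(2)), patch)


def is_exposed(version: str) -> Optional[bool]:
    """True if the version is at or below the article's threshold,
    False if newer, None if the string could not be parsed."""
    parsed = parse_routeros_version(version)
    if parsed is None:
        return None
    return parsed <= LAST_AFFECTED


# Constructed sample inventory: device name -> version string as reported
SAMPLE_INVENTORY: Dict[str, str] = {
    "edge-router-01": "6.45.6",
    "edge-router-02": "6.48.6 (long-term)",
    "branch-ap-03": "6.42.1",
    "core-01": "7.1.5",
    "lab-box": "not a version",
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket devices into exposed / not_flagged / unknown, names sorted."""
    result: Dict[str, List[str]] = {"exposed": [], "not_flagged": [], "unknown": []}
    for name, version in inventory.items():
        state = is_exposed(version)
        bucket = "unknown" if state is None else ("exposed" if state else "not_flagged")
        result[bucket].append(name)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices in the "unknown" bucket need a manual look, since an unparseable version string usually means the inventory record is stale or the device did not answer.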

Unfortunately, previous incidents, warnings and security updates have not resolved these security issues: many routers are not updated to the latest software and can still be exploited for DDoS and other attacks. Keeping the device upgraded, using strong passwords, avoiding remote access, and being wary of unfamiliar networks and programs can help.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
