As many as 300,000 routers owned by Latvia-based MikroTik are vulnerable to remote attacks that can covertly trap the devices in botnets that steal sensitive user data and participate in internet-crippling DDoS attacks, researchers said.
The estimate by researchers at security firm Eclypsium is based on internet-wide scans looking for MikroTik devices using firmware versions known to contain vulnerabilities discovered over the past three years. While the manufacturer has released patches, the Eclypsium investigation shows that a significant portion of users have yet to install them.
“Given the challenges of updating MikroTik, there are a large number of devices with these vulnerabilities from 2018 and 2019,” the Eclypsium researchers said wrote in a post. “Overall, this provides attackers with many opportunities to take full control of very powerful devices, enabling them to attack devices behind the LAN port as well as other devices on the internet.”
Embraced by script kiddies and nation states alike
The concern is anything but theoretical. In early 2018, researchers at security firm Kaspersky said a powerful nation-state malware called Slingshot, which went undetected for six years, initially spread through MikroTik routers. The attacks downloaded malicious files from vulnerable routers by abusing a MikroTik configuration utility called Winbox, which dumped the payload from the device’s file system to a connected computer.
A few months later, researchers from the security company Trustwave discovered two malware campaigns against MikroTik routers after reverse engineering a CIA tool leaked in a WikiLeaks series called Vault7.
Also in 2018, China’s Netlab 360 reported that thousands of MikroTik routers were being swept into a botnet by malware targeting a vulnerability tracked as CVE-2018-14847.
The Eclypsium researchers said that CVE-2018-14847 is one of at least three high-severity vulnerabilities left unpatched in the internet-connected MikroTik devices they track. Combined with two other vulnerabilities in Winbox—CVE-2019-3977 and CVE-2019-3978—Eclypsium found 300,000 vulnerable devices. Once hackers have infected a device, they typically use it to launch further attacks, steal user data, or participate in distributed denial-of-service attacks.
The researchers have published a free software tool which people can use to determine if their MikroTik device is either vulnerable or infected. The company also offers other suggestions to lock the devices. As always, the best way to secure a device is to make sure it’s running the latest firmware. It’s also important to replace default passwords with strong ones and disable remote administration unless necessary.