As many as 300,000 routers made by Latvia-based MikroTik are vulnerable to remote attacks that can surreptitiously corral the devices into botnets that steal sensitive user data and participate in Internet-crippling DDoS attacks, researchers said.
The estimate, made by researchers at security firm Eclypsium, is based on Internet-wide scans that searched for MikroTik devices using firmware versions known to contain vulnerabilities that were discovered over the past three years. While the manufacturer has released patches, the Eclypsium research shows that a significant proportion of users has yet to install them.
“Given the challenges of updating MikroTik, there are large numbers of devices with these 2018 and 2019 vulnerabilities,” Eclypsium researchers wrote in a post. “Collectively, this gives attackers many opportunities to gain full control over very powerful devices, positioning them to be able to target devices both behind the LAN port as well as target other devices on the Internet.”
Embraced by script kiddies and nation-states alike
The concern is far from theoretical. In early 2018, researchers at security firm Kaspersky said that a powerful nation-state malware called Slingshot, which had gone undetected for six years, initially spread through MikroTik routers. The attacks downloaded malicious files from vulnerable routers by abusing a MikroTik configuration utility known as Winbox, which transferred the payloads from the device file system to a connected computer.
A few months later, researchers at security firm Trustwave discovered two malware campaigns against MikroTik routers after reverse engineering a CIA tool leaked in a WikiLeaks series known as Vault7.
Also in 2018, China’s Netlab 360 reported that thousands of MikroTik routers had been swept into a botnet by malware attacking a vulnerability tracked as CVE-2018-14847.
The Eclypsium researchers said that CVE-2018-14847 is one of at least three high-severity vulnerabilities that remains unpatched in the Internet-connected MikroTik devices they tracked. Combined with two other vulnerabilities located in Winbox—CVE-2019-3977 and CVE-2019-3978—Eclypsium found 300,000 vulnerable devices. Once hackers infect a device, they typically use it to launch further attacks, steal user data, or participate in distributed denial-of-service attacks.
The researchers have released a free software tool that people can use to detect if their MikroTik device is either vulnerable or infected. The company also provides other suggestions for locking down the devices. As always, the best way to secure a device is to ensure it’s running the latest firmware. It’s also important to replace default passwords with strong ones and turn off remote administration unless it’s necessary.