Researchers said that as many as 300,000 routers manufactured by Latvia-based MikroTik are vulnerable to remote attacks that could covertly conscript the devices into botnets, steal sensitive user data, and take part in DDoS attacks that disrupt the Internet.
The estimates, made by researchers at the security company Eclypsium, are based on Internet-wide scans that search for MikroTik devices running firmware versions known to contain vulnerabilities discovered in the past three years. Although the manufacturer has released patches, Eclypsium’s research shows that a large percentage of users have not yet installed them.
“In view of the challenges of updating MikroTik, a large number of devices have these vulnerabilities in 2018 and 2019,” Eclypsium researchers wrote in the post. “In general, this provides many opportunities for attackers to take complete control of very powerful devices, allowing them to target devices behind LAN ports and other devices on the Internet.”
Popular with script kiddies and nation-states
This concern is far from theoretical. In early 2018, researchers from the security company Kaspersky reported that a powerful nation-state malware called Slingshot had gone undetected for six years and was initially spread via MikroTik routers. The attack used the MikroTik configuration utility called Winbox to download malicious files from compromised routers, which transferred the payload from the device file system to the connected computer.
A few months later, researchers at the security company Trustwave discovered two malware campaigns targeting MikroTik routers after reverse engineering a CIA tool from the WikiLeaks series known as Vault7.
Also in 2018, China’s Netlab 360 reported that thousands of MikroTik routers had been infected with botnet malware exploiting a vulnerability tracked as CVE-2018-14847.
Eclypsium researchers said CVE-2018-14847 is one of at least three high-risk vulnerabilities they tracked in Internet-connected MikroTik devices. Combining it with two other vulnerabilities in Winbox, CVE-2019-3977 and CVE-2019-3978, Eclypsium found 300,000 vulnerable devices. Once hackers infect a device, they typically use it to launch further attacks, steal user data, or participate in distributed denial-of-service attacks.
The researchers have posted a free software tool that people can use to detect whether their MikroTik device is vulnerable or infected. The company also offers other suggestions for locking down devices. As always, the best way to protect a device is to make sure it is running the latest firmware. It is also important to replace the default password with a strong one and to turn off remote management unless it is actually needed.
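As an added illustration, not taken from Eclypsium's post or its tool, the following RouterOS console sequence applies those three recommendations on a MikroTik device. It assumes the default management subnet 192.168.88.0/24 and an interface list named LAN; both are assumptions and should be changed to match the actual network.

```routeros
# Added hardening example; not from the Eclypsium post. Run from the RouterOS console.

# 1. Install the latest RouterOS release, then the matching RouterBOARD firmware.
#    "install" downloads the update and reboots the device.
/system package update check-for-updates
/system package update install
/system routerboard upgrade

# 2. Replace the default credentials with a strong password.
#    (placeholder value; use a long, unique password)
/user set [find name=admin] password="CHANGE-ME-to-a-long-unique-password"

# 3. Turn off remote management that is not needed, and restrict what remains.
#    Disable the plaintext and rarely needed management services entirely.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
#    Keep Winbox and SSH, but only reachable from the management LAN
#    (assumed 192.168.88.0/24; adjust to the real admin subnet).
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
#    Limit MAC-level Winbox/Telnet access to the LAN side (assumes an interface list named LAN).
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Review the result: every service should show either disabled or an address restriction.
/ip service print
```

After the reboot, confirm with `/system package print` that the installed version is the current release before relying on the other settings.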