Lack of patching leaves 300,000 routers at risk
Hundreds of thousands of routers produced by Latvian network hardware firm MikroTik remain vulnerable to at least one of four exploitable vulnerabilities that are at least a year old and are likely being used by attackers as part of their operational infrastructure, researchers say.
A new report from security firm Eclypsium says that of the approximately 2 million MikroTik routers deployed in small-office and home-office (SOHO) settings, 1.88 million — or 94% — have the router’s management interface, Winbox, exposed to the Internet. The open ports are not the default setting, suggesting that either users are willfully undermining their security or the configuration is a sign that the devices have been compromised, says Scott Scheferman, principal cyber strategist at Eclypsium.
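As an added illustration (not from the Eclypsium report or the article), the following RouterOS terminal commands show how an administrator would check whether Winbox is reachable from any address and restrict it to the local network. The LAN range 192.168.88.0/24 and the interface list name WAN are assumptions for the example; substitute the device's actual values.

```routeros
# Show management services and the address ranges allowed to reach them.
# An empty "address" column for winbox means it accepts connections from anywhere.
/ip service print

# Restrict Winbox to the LAN (assumed range; adjust to the real subnet).
/ip service set winbox address=192.168.88.0/24

# Belt-and-braces: drop inbound Winbox (TCP 8291) arriving on WAN-facing
# interfaces, assuming an interface list named WAN exists.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    in-interface-list=WAN action=drop comment="block Winbox from the Internet"
```

Re-running `/ip service print` afterwards should show the restricted range beside winbox; a device on which Winbox was found open to the Internet without the administrator having set it that way warrants the compromise investigation the article describes, not just a config change.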
These devices are so complex that most home users would not know how to configure those settings and likely would have no reason to do that, he says, adding that as compromised devices, the routers give attackers significant advantages.
“They are powerful from just about every perspective, from a raw capability perspective and a diversity of things you can do from a functionality standpoint — they are massively useful,” Scheferman says. “You can run a ping flood from the device. You can tunnel and proxy. You can configure your DNS maliciously, so the user is redirected to an attacker’s site. The harder question to answer is what can’t you do when you are on these devices.”
The focus on vulnerable MikroTik routers comes after several takedowns have pinpointed attackers’ strategy of using SOHO routers as a way to recover from the disruption of a takedown, according to Eclypsium’s advisory. A year ago, the US Cyber Command disrupted the infrastructure of Trickbot, but the group reconstituted the network using routers that had been compromised using the Trickboot firmware-targeting module, according to Eclypsium.
In September, the Meris botnet — made up of MikroTik routers — leveled large distributed denial-of-service attacks against targets, including Russian search engine Yandex. Researchers from Cloudflare and other companies estimated that Meris — “plague” in Latvian — consisted of around 250,000 compromised MikroTik routers.
Meris has more power than the better-known Mirai botnet, Cloudflare researchers stated in an analysis.
To read the complete article, visit Dark Reading.