At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices.
The most affected devices are located in China, Brazil, Russia, Italy, Indonesia, with the U.S. coming in at number eight, cybersecurity firm Eclypsium said in a report shared with The Hacker News.
“These devices are both powerful, [and] often highly vulnerable,” the researchers noted. “This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka ‘C2’), traffic tunneling, and more.”
MikroTik devices are an enticing target not least because there are more than two million of them deployed worldwide, posing a huge attack surface that can be leveraged by threat actors to mount an array of intrusions.
Indeed, earlier this September, reports emerged of a new botnet named Mēris that staged a record-breaking distributed denial-of-service (DDoS) attack against Russian internet company Yandex, using MikroTik network devices as an attack vector by exploiting a now-addressed security vulnerability in the operating system (CVE-2018-14847).
This is not the first time MikroTik routers have been weaponized in real-world attacks. In 2018, cybersecurity firm Trustwave discovered at least three massive malware campaigns exploiting hundreds of thousands of unpatched MikroTik routers to secretly install cryptocurrency miners on computers connected to them. The same year, China’s Netlab 360 reported that thousands of vulnerable MikroTik routers had been surreptitiously corralled into a botnet by leveraging CVE-2018-14847 to eavesdrop on network traffic.
CVE-2018-14847 is also among the four unaddressed vulnerabilities discovered over the last three years that could enable full takeover of MikroTik devices:
- CVE-2019-3977 (CVSS score: 7.5) – MikroTik RouterOS insufficient validation of upgrade package’s origin, allowing a reset of all usernames and passwords
- CVE-2019-3978 (CVSS score: 7.5) – MikroTik RouterOS insufficient protections of a critical resource, leading to cache poisoning
- CVE-2018-14847 (CVSS score: 9.1) – MikroTik RouterOS directory traversal vulnerability in the WinBox interface
- CVE-2018-7445 (CVSS score: 9.8) – MikroTik RouterOS SMB buffer overflow vulnerability
In addition, Eclypsium researchers said they found 20,000 exposed MikroTik devices that injected cryptocurrency mining scripts into web pages that users visited.
“The ability for compromised routers to inject malicious content, tunnel, copy, or reroute traffic can be used in a variety of highly damaging ways,” the researchers said. “DNS poisoning could redirect a remote worker’s connection to a malicious website or introduce a machine-in-the-middle.”
“An attacker could use well-known techniques and tools to potentially capture sensitive information such as stealing MFA credentials from a remote user using SMS over WiFi. As with previous attacks, enterprise traffic could be tunneled to another location or malicious content injected into valid traffic,” the researchers added.
MikroTik routers are far from the only devices to have been co-opted into a botnet. Researchers from Fortinet this week disclosed how the Moobot botnet is leveraging a known remote code execution (RCE) vulnerability in Hikvision video surveillance products (CVE-2021-36260) to grow its network and to use the compromised devices to launch distributed denial-of-service (DDoS) attacks.
In a separate report, the enterprise cybersecurity firm said that the operators of a botnet known as Manga aka Dark Mirai are actively abusing a recently disclosed post-authenticated remote code execution vulnerability (CVE-2021-41653) to hijack TP-Link routers and co-opt the appliances to their network of infected devices.