At least 300,000 IP addresses associated with MikroTik devices were discovered to be vulnerable to various remotely exploitable security flaws, which the prominent router and wireless ISP equipment supplier has now addressed.
China, Brazil, Russia, Italy, and Indonesia had the most afflicted devices, with the United States coming in eighth, according to cybersecurity firm Eclypsium.
Hackers have commandeered MikroTik devices for anything from DDoS attacks to command-and-control (also known as C2), traffic tunnelling, and more.
MikroTik devices are a tempting target, not least because there are more than two million of them in use around the world, creating a large attack surface that threat actors can utilise to launch a variety of assaults.
Mēris, a new botnet that staged a record-breaking distributed denial-of-service (DDoS) attack against the Russian internet company Yandex, was reported earlier this September. It used MikroTik network devices as an attack vector by exploiting a now-patched security vulnerability in the operating system.
In 2018, the cybersecurity firm Trustwave found at least three major malware operations that installed cryptocurrency miners on machines connected to unpatched MikroTik routers. Thousands of vulnerable MikroTik routers were secretly corralled into a botnet to spy on network traffic, according to China’s Netlab 360.
Eclypsium researchers claimed to have discovered 20,000 vulnerable MikroTik devices that injected cryptocurrency mining scripts into web pages accessed by users.
“Compromised routers’ capacity to insert malicious information, tunnel, copy, or reroute traffic can be employed in a variety of highly harmful ways,” the researchers wrote. “DNS poisoning might lead to a machine-in-the-middle attack or redirect a remote worker’s connection to a malicious website.”
An attacker might collect sensitive information by employing well-known tactics and tools, such as SMS over WiFi to steal MFA credentials from a distant user. Enterprise traffic might be tunnelled to another location, or malicious content could be inserted into legitimate traffic, as in past assaults, the researchers said.
Fortinet researchers revealed this week how the Moobot botnet is growing its network and using infected devices to perform distributed denial-of-service (DDoS) attacks by exploiting a known remote code execution (RCE) vulnerability in Hikvision video surveillance equipment.
The operators of a botnet known as Manga, also called Dark Mirai, are abusing a post-authentication remote code execution vulnerability to hijack TP-Link routers and co-opt them into their network of infected devices, according to a separate report from the same enterprise cybersecurity firm.
The Latvia-based MikroTik said that there are no new vulnerabilities in RouterOS, while stressing that keeping the operating system up to date is an essential step to avoid all kinds of vulnerabilities, The Hacker News reported.
“Closing the old vulnerability does not immediately protect the affected routers. We don’t have an illegal backdoor to change the user’s password and check their firewall or configuration. These steps must be done by the users themselves.”
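MikroTik's advice above (update RouterOS, change the password, review the firewall and configuration) written out as a RouterOS command-line checklist for the device owner. This is an added example, not code from the article, Eclypsium or MikroTik; the interface list named WAN, the management network 192.168.88.0/24 and the placeholder password are assumptions.

```routeros
# Added example (not from the article): owner-side RouterOS hardening checklist
# covering the steps MikroTik says users must carry out themselves.
# Assumptions: an interface list "WAN" exists, the management LAN is
# 192.168.88.0/24, and <NEW-STRONG-PASSWORD> is replaced before running.

# 1. Update RouterOS and the board firmware; the abused flaws are old and patched
/system package update check-for-updates
/system package update install
# run after the reboot that the package install triggers:
/system routerboard upgrade

# 2. Replace the default administrator credentials
/user set [find name="admin"] password="<NEW-STRONG-PASSWORD>"

# 3. Review the configuration for leftovers of an earlier compromise
# scheduler and script entries are a common persistence spot
/system scheduler print
/system script print
# SOCKS and web proxy were abused in the 2018 mining-script injections
/ip socks print
/ip proxy print
# static DNS entries can reveal DNS poisoning
/ip dns static print
# look for accounts you did not create
/user print

# 4. Disable services abused in past campaigns and limit management access
/ip socks set enabled=no
/ip proxy set enabled=no
/ip dns set allow-remote-requests=no
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24

# 5. Firewall: keep established flows, drop unsolicited traffic arriving from the internet
/ip firewall filter add chain=input connection-state=established,related action=accept place-before=0
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="drop unsolicited WAN input"
```

Run the checks in step 3 before the changes in steps 4 and 5 so that any suspicious entries are recorded before they are removed.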