The MikroTik Routers
Researchers from Eclypsium have revealed that threat actors have for years been using compromised MikroTik devices as command-and-control infrastructure and as launch points for targeted attacks. MikroTik routers are an attractive target because of the large number of devices in use, their considerable processing and bandwidth capacity, and the number of publicly known vulnerabilities affecting them.
MikroTik, a Latvian company that makes feature-rich SOHO and IoT networking devices, currently has more than 2 million devices in use worldwide.
Eclypsium researchers began investigating the weaponization of MikroTik devices in September this year, building on earlier research into how TrickBot operators were using hacked routers as command-and-control (C2) infrastructure.
Notably, the Eclypsium analysts found that TrickBot was able to fall back on MikroTik-based infrastructure after US Cyber Command disrupted TrickBot's core infrastructure.
MikroTik devices, like many SOHO and IoT devices, are insecure out of the box, which makes them a favourite target for attackers. According to the researchers, they commonly ship with a default admin account that has an empty password and with no WAN port settings pre-configured, even on devices intended for business use, so management services can end up reachable from the internet.
According to Eclypsium, many MikroTik devices are never updated, because the auto-update feature is seldom enabled, and many remain exposed to CVEs dating back to 2018 and 2019. Four of these, CVE-2018-7445, CVE-2018-14847, CVE-2019-3977 and CVE-2019-3978, let an unauthenticated remote attacker compromise or manipulate a vulnerable device. Not all of them are remote code execution (RCE) bugs: CVE-2018-7445 is an RCE flaw in the SMB service, CVE-2018-14847 is a WinBox file-read bug that discloses the device's credentials, CVE-2019-3977 lets an attacker reset all user passwords through a forged upgrade package, and CVE-2019-3978 allows poisoning of the router's DNS cache.
The complexity of the MikroTik configuration interface is cited as another factor: it invites misconfiguration, which in turn lets attackers find and exploit exposed devices over the internet.
More than one cyberattack scenario
According to the detailed report released on Thursday, security teams should be on the lookout for such attacks. A compromised router can inject malicious content, tunnel traffic, and copy or redirect data in a number of highly damaging ways.
For example, a remote worker's connection may be diverted to a malicious website, or DNS poisoning may be used to place the attacker in a machine-in-the-middle position.
The researchers noted that tunneling corporate traffic to another site, injecting malicious content into legitimate traffic, and harvesting sensitive information are all possible outcomes of such an attack.
The Meris botnet attack occurred shortly after Eclypsium began its study. In September, the Russian internet company Yandex was hit by an HTTP-pipelining DDoS attack launched from MikroTik devices that had been compromised through a vulnerability patched in 2018; more than 56,000 attacking hosts were observed in that incident.
Eclypsium also found roughly 20,000 MikroTik devices acting as open proxies that injected cryptocurrency-mining scripts into web pages. The study stresses that these devices are both powerful and, in many cases, highly exposed, and notes that beyond SOHO use MikroTik hardware is often deployed in local Wi-Fi networks, which are themselves a common target for threat actors.
A Means of Minimizing The Risk
China, Brazil, Russia, Italy, and Indonesia have the largest numbers of vulnerable devices, with the United States in eighth place. Network administrators concerned about the safety of their devices can test them with a freely available tool released by Eclypsium. The tool identifies MikroTik devices running firmware affected by known CVEs, attempts to log in with a supplied list of default credentials, and checks for indicators of Meris compromise. The researchers say it works over SSH, WinBox, and the HTTP API, the same protocols the Meris malware uses.
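The firmware check that both the CVE paragraph above and Eclypsium's tool describe reduces to comparing the RouterOS version a device reports against the releases in which each flaw was fixed. The Python below is an added example, not code from Eclypsium or MikroTik: it parses version strings as they appear in the "version:" field of `/system resource print` (including release candidates and the "(stable)" / "(long-term)" suffix) and flags which of the four CVEs named on this page a build still lacks fixes for. The fixed-in versions are the author's reading of MikroTik's changelogs and the public advisories and should be verified against the vendor changelog before being relied on; the device inventory is constructed for the example.

```python
"""Flag RouterOS builds still exposed to the CVEs named in the article.

Added example (not Eclypsium's or MikroTik's code).  The fixed-in versions
below are the author's reading of MikroTik's changelogs and the public
advisories; verify them against the vendor changelog before relying on the
output.  The inventory at the bottom is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# (major, minor, patch, is_release, rc): a release candidate has is_release=0,
# so it sorts before the release it precedes.
Version = Tuple[int, int, int, int, int]

# One fixed release per branch that received the fix (e.g. stable and long-term).
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2018-7445": ["6.41.3", "6.42rc27"],   # SMB stack buffer overflow (RCE)
    "CVE-2018-14847": ["6.40.8", "6.42.1"],    # WinBox file read, credential disclosure
    "CVE-2019-3977": ["6.44.6", "6.45.7"],     # forged upgrade package, password reset
    "CVE-2019-3978": ["6.44.6", "6.45.7"],     # DNS cache poisoning
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?")


def parse_version(text: str) -> Version:
    """Parse '6.42.1', '6.42rc27' or '6.45.7 (stable)' into a sortable tuple.

    Ordering: 6.42rc27 < 6.42 < 6.42.1.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    rc = int(m.group(4)) if m.group(4) else 0
    is_release = 0 if rc else 1
    return (major, minor, patch, is_release, rc)


def is_fixed(version: Version, fixed_versions: List[str]) -> bool:
    """True if `version` contains the fix shipped in `fixed_versions`.

    If a fixed release exists on the device's own (major, minor) branch, the
    device is fixed when it is at or past that release.  Otherwise it is fixed
    only if it is newer than the latest fixed release on any branch; an
    intermediate branch that never received the fix stays vulnerable.
    """
    fixed = [parse_version(v) for v in fixed_versions]
    same_branch = [f for f in fixed if f[:2] == version[:2]]
    if same_branch:
        return version >= min(same_branch)
    return version > max(fixed)


def exposed_cves(version_text: str) -> List[str]:
    """Return the CVEs from FIXED_IN that this RouterOS build lacks fixes for."""
    version = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if not is_fixed(version, fixed))


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device name -> unpatched CVEs for every device in the inventory."""
    return {name: exposed_cves(ver) for name, ver in inventory.items()}


# Constructed inventory: version strings as `/system resource print` reports them.
SAMPLE_INVENTORY = {
    "branch-gw-1": "6.40.3",
    "branch-gw-2": "6.42.1 (stable)",
    "wisp-ap-7": "6.44.6 (long-term)",
    "lab-rc": "6.42rc10",
    "core-1": "7.6 (stable)",
}

if __name__ == "__main__":
    for name, cves in audit_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "no known exposure from this list"
        print(f"{name:12s} {SAMPLE_INVENTORY[name]:20s} {status}")
```

The branch-aware comparison matters in practice: a device on 6.44.6 (long-term) is fixed for the 2019 CVEs even though 6.44.6 is numerically lower than 6.45.7, while a device on 6.45.0 is not. The check only covers the four CVEs listed on this page; a clean result says nothing about later advisories, default credentials, or an existing compromise, which is why the Eclypsium tool also tests logins and looks for Meris indicators.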