At least 300,000 IP addresses linked with MikroTik devices were found to be vulnerable to a variety of remotely exploitable security issues, which the popular router and wireless ISP equipment supplier has since fixed.
According to cybersecurity firm Eclypsium's data released by The Hacker News, China, Brazil, Russia, Italy, and Indonesia had the most infected devices, with the United States ranking ninth.
"These technologies are both robust and often incredibly susceptible," the researchers said. "As a result, threat actors have taken control of MikroTik devices for a variety of purposes, including DDoS attacks, command-and-control (also known as "C2"), traffic tunneling, and more."
MikroTik devices are an enticing target, not least because there are more than two million of them in use worldwide, providing a vast attack surface for threat actors to launch a range of attacks.
Indeed, reports surfaced earlier this September of a new botnet known as Mēris that exploited a now-addressed security vulnerability in the operating system (CVE-2018-14847) to stage a record-breaking distributed denial-of-service (DDoS) attack on Russian internet company Yandex, using MikroTik network devices as an attack vector.
It's not the first time MikroTik routers have been used in a real-world attack. In 2018, cybersecurity firm Trustwave discovered at least three significant malware operations that installed cryptocurrency miners on workstations connected to unpatched MikroTik routers. According to China's Netlab 360, thousands of susceptible MikroTik routers were stealthily corralled into a botnet by leveraging CVE-2018-14847 to snoop on network traffic.
MikroTik devices that are vulnerable are distributed across the globe.
CVE-2018-14847 is one of four vulnerabilities identified in the last three years that, if left unpatched, potentially allow complete control of MikroTik devices:
CVE-2019-3977 (CVSS score: 7.5) - Inadequate validation of the upgrade package's origin in MikroTik RouterOS, allowing all usernames and passwords to be reset.
CVE-2019-3978 (CVSS score: 7.5) - Inadequate protection of a critical resource in MikroTik RouterOS, resulting in cache poisoning.
CVE-2018-14847 (CVSS score: 9.1) - Directory traversal vulnerability in the MikroTik RouterOS WinBox interface.
CVE-2018-7445 (CVSS score: 9.8) - SMB buffer overflow vulnerability in MikroTik RouterOS.
The most popular crypto mining script was identified on unprotected MikroTik devices.
As in previous attacks, business traffic may be tunneled to another location, or malicious content may be injected into legitimate traffic.
MikroTik routers are not the only devices that have been drafted into a botnet. Fortinet researchers reported this week how the Moobot botnet is expanding its network by leveraging a known remote code execution (RCE) vulnerability in Hikvision video surveillance equipment (CVE-2021-36260) to launch distributed denial-of-service (DDoS) attacks from infected devices.
Operators of the Manga (aka Dark Mirai) botnet are actively exploiting a recently reported post-authentication remote code execution vulnerability (CVE-2021-41653) to hijack TP-Link routers and co-opt them into their network of infected devices, according to a new report.
For years, Airzero Sec's Cyber Security Consulting experts have worked on projects for some of the world's most well-known companies. Draw on that experience as needed, whether to help you get there or to carry out technical inspections. If you have any queries about this topic, please contact us.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/