At least 300,000 IP addresses associated with MikroTik devices were found to be vulnerable to multiple remotely exploitable security flaws, which the router and wireless ISP equipment vendor has since patched. According to cybersecurity firm Eclypsium, the most affected devices are in China, Brazil, Russia, Italy, and Indonesia, with the United States ranking eighth.
The researchers describe these devices as both powerful and frequently vulnerable. That combination has made MikroTik hardware popular with threat actors, who have used it for everything from DDoS attacks to command-and-control (C2), traffic tunneling, and other purposes.
MikroTik devices are a tempting target, not least because more than two million of them are deployed worldwide, presenting a large attack surface that threat actors can use to launch a variety of attacks.
In September, reports surfaced of a new botnet known as Mēris that used MikroTik network devices as an attack vector to stage a record-breaking distributed denial-of-service (DDoS) attack against the Russian internet company Yandex, exploiting a since-patched flaw in RouterOS (CVE-2018-14847).
The following four vulnerabilities, identified over the last three years, can each allow complete control of a MikroTik device:
CVE-2019-3977 (CVSS score of 7.5) – MikroTik RouterOS insufficient validation of an upgrade package’s origin, allowing a reset of all usernames and passwords
CVE-2019-3978 (CVSS score of 7.5) – MikroTik RouterOS insufficient protection of a critical resource, leading to DNS cache poisoning
CVE-2018-14847 (CVSS score of 9.1) – MikroTik RouterOS directory traversal vulnerability in the WinBox interface, exploited in the wild to read the device’s user database
CVE-2018-7445 (CVSS score of 9.8) – MikroTik RouterOS SMB buffer overflow vulnerability
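The practical question for an operator is which of these four CVEs a given RouterOS build is still exposed to. The following Python helper is an added example written for this page; it is not Eclypsium’s scanner or MikroTik’s code. It parses RouterOS version strings (including release candidates and the parenthesised channel label shown in the WinBox UI), compares them against the first fixed build for each CVE, and triages a constructed inventory export. The fixed-version thresholds are taken from the vendor and researcher advisories for these CVEs rather than from this article, and the branch rules (for example the back-ported fixes in the 6.40 and 6.44 long-term branches) are the editor’s encoding of those advisories; verify them against MikroTik’s changelog before relying on the output.

```python
import re
from typing import Dict, List, Tuple

# Parsed RouterOS version: (major, minor, patch, stage, stage_number).
# stage is 1 for a released build and 0 for a release candidate, so that
# "6.42rc27" sorts before "6.42", which sorts before "6.42.1".
Version = Tuple[int, int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(rc|beta)(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse strings such as '6.42.1', '6.42rc27' or '6.44.6 (long-term)'."""
    token = text.strip().split()[0] if text.strip() else ""
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if stage else 1, int(stage_num or 0))


# First fixed build per CVE. "default" applies to any release branch without
# its own entry; "branches" lists maintenance branches that received a
# back-ported fix. These values are the editor's reading of the MikroTik,
# Core Security and Tenable advisories (an assumption to verify), not
# information from the article itself.
FIXES: Dict[str, Dict] = {
    "CVE-2018-14847": {"default": "6.42.1", "branches": {(6, 40): "6.40.8"}},
    "CVE-2018-7445": {"default": "6.41.3", "branches": {(6, 42): "6.42rc27"}},
    "CVE-2019-3977": {"default": "6.45.7", "branches": {(6, 44): "6.44.6"}},
    "CVE-2019-3978": {"default": "6.45.7", "branches": {(6, 44): "6.44.6"}},
}


def affected_cves(version_text: str) -> List[str]:
    """Return the CVEs from FIXES that a RouterOS build is still exposed to."""
    v = parse_version(version_text)
    hits = []
    for cve, fix in FIXES.items():
        # A branch-specific back-port wins over the default threshold.
        fixed = fix["branches"].get((v[0], v[1]), fix["default"])
        if v < parse_version(fixed):
            hits.append(cve)
    return hits


# Constructed inventory export (not real devices): "<ip> <RouterOS version>",
# the version being what "/system resource print" reports on the device.
SAMPLE_INVENTORY = """\
192.0.2.10 6.40.5
192.0.2.11 6.42.1
192.0.2.12 6.44.6 (long-term)
192.0.2.13 6.45.7
192.0.2.14 7.1
"""


def triage_inventory(export: str) -> Dict[str, List[str]]:
    """Map each device IP to the CVEs it is still exposed to (empty list = patched)."""
    report: Dict[str, List[str]] = {}
    for line in export.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, version_text = line.split(None, 1)
        report[ip] = affected_cves(version_text)
    return report


if __name__ == "__main__":
    for ip, cves in triage_inventory(SAMPLE_INVENTORY).items():
        print(ip, "patched" if not cves else ", ".join(cves))
```

Two design points matter here. Release candidates must sort below the final build of the same version, otherwise a device on 6.42rc20 would be reported as patched for CVE-2018-7445 when the fix only landed in rc27. And the per-branch table is what keeps a 6.44.6 long-term device from being flagged as vulnerable to the 2019 pair just because 6.44.6 is numerically older than 6.45.7; a flat "greater than" check gets that wrong in both directions.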
In addition, Eclypsium researchers said they identified roughly 20,000 vulnerable MikroTik devices that were injecting cryptocurrency-mining scripts into web pages served to users behind them.
MikroTik routers are not the only devices being conscripted into botnets. Fortinet researchers disclosed this week that the Moobot botnet is expanding its network and using infected devices to carry out DDoS attacks by exploiting a known remote code execution (RCE) vulnerability in Hikvision video surveillance equipment (CVE-2021-36260).