Over 300,000 Mikro Tik devices were discovered to be susceptible to multiple remotely exploitable security vulnerabilities that have since been patched by the organization.
The devices vulnerable to the attack must have RouterOS version 6.45.6 or older and their WinBox protocol exposed to the Internet.
Mikro Tik devices have become a favorite among malicious threat actors since the devices are considered both powerful and highly vulnerable. These devices have been used by these threat actors for almost everything from distributed denial of service (DDoS) attacks, command-and-control (C2), traffic tunneling, etc.
MikroTik devices are a tempting target because there are more than two million of them deployed worldwide, posing a huge attack surface that can be leveraged by malicious threat actors to organize a range of attacks.
How it Works
Researchers have produced a list of four vulnerabilities discovered over the last three years which enable full takeover of Mikro Tik devices and are still these vulnerabilities are:
In addition to these vulnerabilities, it was also discovered that 20,000 Mikro Tik devices injected cryptocurrency mining scripts into web pages visited by users.
The compromised routers have the ability to inject malicious content, tunnel, copy, or reroute traffic which can all be used in a variety of highly destructive ways. DNS poisoning could redirect a remote worker”s connection to a malicious website or introduce a machine-in-the-middle.
An attacker could also use well-known techniques and tools to potentially capture sensitive information such as stealing MFA credentials from a remote user using SMS over WiFi. As with previous attacks, enterprise traffic could be tunneled to another location or malicious content injected into valid traffic.
Upgrade the device OS version to v6.48.6 or v6.49.2
Use strong passwords,
Avoid remote access, but if this is necessary, do so through a virtual private network (VPN) service and inspect your RouterOS configuration for unknown settings.
Configurations to look out for and remove:
For more information, kindly visit the following URL:
The Guyana National CIRT advises users and administrators review this alert and apply it where necessary.
PDF Download: MikroTik Devices Found Vulnerable to Remote Hacking Bugs.pdf