MikroTik Routers: A Target for Threat Actors
MikroTik Devices Are Both Vulnerable and Complex, Making Them a Popular Target Among Hackers.
Researchers have analyzed MikroTik SOHO and IoT devices and found them in a vulnerable state that makes them both an easy target for malicious actors and, at the same time, complicated for organizations to manage.
MikroTik devices present an enticing set of traits from an attacker's perspective. First, they are plentiful, with more than 2,000,000 devices deployed worldwide, and they are also particularly powerful and feature-rich. In addition to serving SOHO environments, MikroTik routers and wireless systems are regularly used by local ISPs. The same horsepower that makes MikroTik enticing to an ISP can also make it enticing to an attacker.
MikroTik Routers Are Targeted by Hackers: More Details
The research team from Eclypsium started its analysis of MikroTik routers at the beginning of September this year. Building on previous analysis of how the cybercriminals behind TrickBot managed to use compromised routers as C2 infrastructure, the Eclypsium experts published a report presenting an analysis of why MikroTik devices are so popular among hackers.
One of the reasons they highlight is that the devices ship with default admin credentials, and even those used in enterprise environments lack default WAN port settings. The researchers also underlined that MikroTik devices frequently miss important firmware patches because the auto-upgrade option is rarely enabled, which leaves the devices outdated.
These facts have led to vulnerabilities such as CVE-2019-3977, CVE-2019-3978, CVE-2018-14847, and CVE-2018-7445 remaining unpatched on many devices. One of these flaws was used in the attack on Yandex, a DDoS attack carried out by the Meris botnet. Exploitation of these bugs can result in pre-authentication remote code execution, and the device can be completely taken over by a malicious threat actor.
Another issue is the configuration interface of MikroTik devices, which is complex and therefore hard to set up correctly, facilitating human error.
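The three configuration weaknesses named above (default admin credentials, no WAN-side restrictions, updates not tracked) map to a short RouterOS hardening snippet. This is an added example written for this page, not code from the Eclypsium report or from MikroTik's documentation; ether1 as the WAN port, a LAN bridge named bridge, and 192.168.88.0/24 as the management subnet are assumptions to adapt to the real topology.

```routeros
# Added example (not from the Eclypsium report or MikroTik documentation).
# Assumptions: ether1 is the WAN port, "bridge" is the LAN bridge, and
# 192.168.88.0/24 is the management subnet. Verify on a lab device first.

# 1. Default admin credentials: create a named full-rights account, confirm it
#    can log in, then disable the stock "admin" account.
/user add name=netops group=full password="CHANGE-ME-to-a-long-passphrase"
/user disable admin

# 2. No WAN-side restrictions: define interface lists and drop unsolicited
#    traffic addressed to the router itself (the "input" chain) from the WAN.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge
/ip firewall filter add chain=input action=accept connection-state=established,related comment="allow replies"
/ip firewall filter add chain=input action=accept in-interface-list=LAN comment="management from LAN only"
/ip firewall filter add chain=input action=drop in-interface-list=WAN comment="no management from WAN"

# Disable plaintext/legacy management services and pin the remaining ones to
# the management subnet; keep MAC-level access and discovery off the WAN.
/ip service disable telnet,ftp,www,api
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 3. Outdated firmware: track the stable channel and check for updates daily.
#    Installing (/system package update install) reboots the router, so run it
#    in a maintenance window; the firewall rules above do not fix the CVEs,
#    only patching does.
/system package update set channel=stable
/system scheduler add name=check-updates interval=1d on-event="/system package update check-for-updates"
```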
Attack Scenarios Highlighted by Researchers
Besides the TrickBot attack that happened last year, a DDoS (distributed denial-of-service) attack took place in September 2021, when the Meris botnet running on MikroTik routers attacked Yandex, a Russian multinational corporation.
The capabilities demonstrated in these attacks should be a red flag for enterprise security teams. The ability of compromised routers to inject malicious content and to tunnel, copy, or reroute traffic can be used in a variety of highly damaging ways. DNS poisoning could redirect a remote worker's connection to a malicious website or introduce a man-in-the-middle. The router could scan the internal network behind it. An attacker could use well-known techniques and tools to capture sensitive information, such as stealing MFA credentials from a remote user using SMS over WiFi. As with previous attacks, enterprise traffic could be tunneled to another location, or malicious content could be injected into valid traffic.
The experts also underlined that the largest numbers of vulnerable devices were found in Italy, Russia, China, Brazil, and Indonesia.