At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices.
The most affected devices are located in China, Brazil, Russia, Italy, and Indonesia, with the U.S. coming in at number eight.
“These devices are both powerful, [and] often highly vulnerable,” the researchers noted. “This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka ‘C2’), traffic tunneling, and more.”
MikroTik devices are an enticing target not least because there are more than two million of them deployed worldwide, posing a huge attack surface that can be leveraged by threat actors to mount an array of intrusions.
Indeed, earlier this September, reports emerged of a new botnet named Mēris that staged a record-breaking distributed denial-of-service (DDoS) attack against Russian internet company Yandex, using MikroTik network devices as the attack vector by exploiting a now-addressed security vulnerability in the operating system (CVE-2018-14847).
The four vulnerabilities, discovered over the last three years, that could enable full takeover of MikroTik devices are listed below –
- CVE-2019-3977 (CVSS score: 7.5) – MikroTik RouterOS insufficient validation of upgrade package’s origin, allowing a reset of all usernames and passwords
- CVE-2019-3978 (CVSS score: 7.5) – MikroTik RouterOS insufficient protections of a critical resource, leading to cache poisoning
- CVE-2018-14847 (CVSS score: 9.1) – MikroTik RouterOS directory traversal vulnerability in the WinBox interface
- CVE-2018-7445 (CVSS score: 9.8) – MikroTik RouterOS SMB buffer overflow vulnerability
In addition, Eclypsium researchers said they found 20,000 exposed MikroTik devices that injected cryptocurrency mining scripts into web pages that users visited.
“The ability for compromised routers to inject malicious content, tunnel, copy, or reroute traffic can be used in a variety of highly damaging ways,” the researchers said. “DNS poisoning could redirect a remote worker’s connection to a malicious website or introduce a machine-in-the-middle.”
“An attacker could use well-known techniques and tools to potentially capture sensitive information such as stealing MFA credentials from a remote user using SMS over WiFi. As with previous attacks, enterprise traffic could be tunneled to another location or malicious content injected into valid traffic,” the researchers added.
MikroTik routers are far from the only devices to have been co-opted into a botnet. Researchers from Fortinet this week disclosed how the Moobot botnet is leveraging a known remote code execution (RCE) vulnerability in Hikvision video surveillance products (CVE-2021-36260) to grow its network, and use the compromised devices to launch distributed denial-of-service (DDoS) attacks.