Researchers warn about continuous abuse of unpatched MikroTik routers

Security researchers from Eclypsium have developed a tool that enterprise administrators can use to scan their corporate networks or their remote employees’ home networks for unpatched MikroTik routers that have been continuously abused in recent years by different cybercriminal groups.

MikroTik is a Latvian company that manufactures networking devices for the home, business and ISP markets around the world. These include routers, switches and wireless access points. What makes MikroTik devices particularly popular is the computing power and features they offer at a very competitive price point compared to home office and enterprise-grade devices from other manufacturers.

Researchers from firmware and hardware security firm Eclypsium became interested in studying the attack surface of internet exposed MikroTik devices after operators of the notorious TrickBot botnet used compromised MikroTik routers to regain control of the botnet after Microsoft managed to take over and shut down the botnet’s traditional command-and-control servers last year. Eclypsium had previously researched TrickBot, a Trojan known to serve as a malware delivery platform, including for the Ryuk ransomware, when its creators added a module capable of infecting the low-level firmware (UEFI) of victim computers.

A history of MikroTik routers abuse

Several serious vulnerabilities and exploits have been identified in MikroTik’s RouterOS firmware over the past few years that allow devices to be compromised both from the internet or from inside local networks without authentication. Some of these vulnerabilities have publicly available exploits that have been integrated into various botnets and other attacks.

The flaws include:

• CVE-2018-7445, a buffer overflow in the RouterOS (version 6.41.3 and lower) SMB service when processing NetBIOS session request messages
• CVE-2018-14847, a directory traversal flaw that can be exploited through the RouterOS (version 6.42 and lower) WinBox management interface without authentication to read credentials and write arbitrary files
• CVE-2019-3978 and CVE-2019-3977 a DNS cache poisoning issue and insufficient firmware upgrade validation that can be used to downgrade MikroTik routers to older and vulnerable RouterOS versions

The US Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2018-14847 in its catalog of commonly exploited vulnerabilities. MikroTik routers have been a popular target for years for both cybercriminals and more sophisticated attackers. The Vault 7 database of offensive exploits believed to be used by the CIA that was published by Wikileaks in 2017 included an exploit for MikroTik routers codenamed ChimayRed. In 2018, the FBI and DOJ announced the disruption of a highly sophisticated botnet called VPNfilter that infected over 500,000 routers from multiple manufacturers, including MikroTik. The botnet was attributed to a group tracked by the security industry as APT28 or Fancy Bear, and which is believed to be the hacking division of Russia’s foreign intelligence service, the GRU. In January 2019, exploit acquisition platform Zerodium, which caters to government agencies, offered over $100,000 for working zero-day exploits in MikroTik RouterOS. Compromised MikroTik routers have been used to inject Web-based cryptomining scripts into HTTP traffic passing through them and make up the Meris botnet. This botnet has been used to launch some of the biggest DDoS attacks in recent years, including one that peaked at 17.2 million requests per second against a Cloudflare customer.

Meris exploits CVE-2018-14847 to infect MikroTik routers that use outdated firmware, but there is also evidence that a Windows Trojan and botnet called Glupteba is attacking MikroTik routers from inside local networks to deploy Meris on them. Google just announced an operation that aimed to take down the Glupteba botnet.

How many vulnerable MikroTik routers are out there?

The Eclypsium researchers used the Shodan search engine and found over 2 million MikroTik routers that have one of their management interfaces exposed to the internet: SSH, WinBox or the HTTP API. Based on their RouterOS versions, they estimate that around 300,000 are vulnerable to one or more of the four previously mentioned vulnerabilities. The vulnerable routers are spread around the world, but the highest concentrations were observed in China, Brazil, Russia, Italy and Indonesia. The U.S. was in eighth place.

Many more outdated and vulnerable routers that don’t have their management interfaces exposed to the entire world are likely active, which is an insecure configuration in itself and not the default setting. While such routers can’t be targeted directly from the internet, they can still be attacked from inside the local networks they serve and the case of Glupteba, which has a module specifically for this purpose, is proof that this does happen.

This is also one reason why Eclypsium decided to build an open-source tool that would allow users to check whether MikroTik routers are infected by the Meris botnet. The script can detect if the device contains the critical vulnerability CVE-2018-14847 and if a scheduler script associated with Meris exists on the device. The researchers warn that the tool should only be used against devices that the user has the right to access, because it essentially leverages the exploit itself to extract credentials and perform the additional checks.

At a time when many employees are working from home, the security of those home networks and the devices that route traffic for those networks becomes a legitimate concern. By controlling a router, attackers can launch sophisticated and hard to detect attacks against the network’s users. Traffic containing sensitive information can be intercepted if not encrypted, users can be redirected to phishing pages via DNS, malicious scripts can be injected into websites visited by users if those pages don’t use HTTPS, and more. In the future, we might get to a point where businesses give enterprise-managed routers to their remote employees like they distribute work laptops. Until such a time comes, if ever, enterprises might want to make sure that the current routers their employees have at home don’t have known vulnerabilities, the Eclypsium researchers tell CSO.

The Eclypsium tool allows an enterprise to say: Are my home users using vulnerable MikroTik routers and are the devices just vulnerable or are they compromised already? Scott Scheferman, principal cyber strategist at Eclypsium, tells CSO, “Because you can have a device that has valid correct firmware, but which was maliciously configured. Because of that your normal vulnerability scanners are not going to know whether the device is already compromised in terms of being maliciously configured.”

Most endpoint management solutions allow organizations to monitor the patch level and configuration of an employee’s machine, but when an employee is working remotely for an extended time, those checks should arguably also extend to the security of the network environments they’re working from.

It’s not only MikroTik

The Eclypsium researchers looked at MikroTik routers because they seem to be a popular target for various groups of attackers and are popular with both home office users and businesses. However, they pointed out that vulnerabilities are often found and patched in networking devices from all manufacturers, including enterprise ones. Over the past two years there have been multiple attacks that exploited vulnerabilities in enterprise VPN appliances. In fact, MikroTik generally has a good security response, publishing security advisories, releasing patches and communicating with users through its community forums and its blog. The problem with most embedded devices including networking ones like routers is that users are not as likely to update their firmware as they update their computer’s operating system or the software they use.

“There is no new vulnerability in RouterOS and there is no malware hiding inside the RouterOS filesystem even on the affected devices,” MikroTik wrote in September in an advisory about the Meris botnet. “The attacker is reconfiguring RouterOS devices for remote access, using commands and features of RouterOS itself. Unfortunately, closing the old vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties and look for scripts that you did not create.”

“We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices,” the company said. “We are working on other solutions, too.”