Threats targeting MikroTik routers and devices

Threat actors are targeting a significant number of vulnerable MikroTik wireless and IoT devices, according to a new study from Eclypsium.

In a blog post Thursday, the hardware security vendor cited several reasons for MikroTik's popularity with attackers, a subject its researchers have been studying since September. Shortly after Eclypsium began its research, a record-breaking DDoS attack powered by the Meris botnet was observed using compromised MikroTik devices.

The Latvian maker of wireless routers, IoT devices and networking equipment for ISPs has a history of bugs, including "three CVEs from the past three years that may lead to remote code execution and a complete takeover of a device". Eclypsium researchers found that customers rarely update these devices, even when a patch is available, and more than 2 million of these products are deployed worldwide.

According to Eclypsium, malicious actors take advantage of unpatched devices to generate powerful DDoS attacks, use them as command and control infrastructure, tunnel malicious traffic and more.

“While threat actors have the tools to find vulnerable MikroTik devices, many companies don’t,” the research blog said. “Considering the challenges of updating MikroTik, there are a large number of devices with these 2018 and 2019 vulnerabilities.”

Scott Scheferman, senior cyberstrategist at Eclypsium, told SearchSecurity that these challenges include both technical and awareness issues. On the technical side, Scheferman said MikroTik routers have auto-update capabilities, but users need to configure the devices properly and choose to enable the feature, and users apparently don't.

The nature of the vulnerabilities, which include remote code execution (RCE) flaws, adds to the technical difficulty. "One of the vulnerabilities of 2019 would allow you to downgrade [the firmware] as an attacker," Scheferman said.

From an awareness perspective, the COVID-19 pandemic has both improved security knowledge and created new concerns. While businesses have become more aware of the security risks to remote workers, Scheferman said home users, whose numbers increased dramatically during the pandemic, have not reached that level of awareness and are still using vulnerable small office and home office (SOHO) equipment.

Vlad Babkin, security researcher at Eclypsium, agreed that customer awareness is lacking. Babkin found this surprising for several reasons, one being that users who choose MikroTik devices are likely opting for a more powerful network device and should learn how to use it properly.

"They also have normal update buttons that users can press manually, and that makes the update almost automatic, so I'm not sure why this is so," Babkin said.

Eclypsium noted that in addition to SOHO products, MikroTik wireless products are also used by ISPs. Fortunately, patch rates appear to be higher among these enterprise customers; Babkin said researchers found an ISP built on top of MikroTik

Impact of the Meris botnet

While the issue of unpatched vulnerabilities despite available updates is not new, research has also highlighted the associated risks for wireless and IoT devices. An example of a known threat was found in the Meris malware, a botnet that infected a “record” number of IoT devices, including MikroTik routers. Despite the awareness and reporting, attacks on MikroTik devices did not appear to be slowing down.

Scheferman offered several possible explanations, including an affiliate-as-a-service model that makes attribution difficult. Threat actors switching tactics during COVID is another; he pointed in particular to the Clop ransomware gang, which he says realized that EDR and XDR were improving.

"All of those IoT devices inside businesses and at the edge of the home are the security link right now, compared to your traditional pre-2019 story, which was only about the endpoint, EDR, and XDR. The actors are turning to this en masse," Scheferman said.

"Meris was able to use the MikroTik router's SOCKS4 proxy and tunnel attack traffic to their targets," the research blog said. "The capabilities demonstrated in these attacks should be a wake-up call for corporate security teams. The ability of compromised routers to inject malicious content, tunnel, copy, or redirect traffic can be used in a variety of very damaging ways."

Although Eclypsium researchers identified exploitation of these vulnerabilities in September, they are still being exploited.

While mapping real-world exposure and collecting threat data, researchers found "approximately 20,000 devices with open proxies and injecting cryptocurrency mining scripts into web pages the user visited." From there, they followed up with other security researchers to identify any ongoing campaigns related to MikroTik.

“We discovered that Meris malware continued to infect MikroTik devices, en masse, which was consistent with our previous information,” the research blog said.

In the next step, the researchers tracked the botnets to determine which hosts were already infected or had the potential to be, and then drew up a list of the four most impactful CVEs. This narrowed their search down to two exposure conditions: "devices with Winbox protocol exposed and devices with RouterOS version 6.45.6". Using the Shodan database, Eclypsium researchers then constructed a dataset of "about 300,000 IP addresses vulnerable" to at least one of the exploits.

"The data was very spotty in terms of distribution, with some of the older versions representing a large number of vulnerable devices. This highlights the large number of MikroTik devices that just never get updated," the research blog said.

Security recommendations

It is difficult to determine not only whether a MikroTik device has been updated, but also whether it has actually been compromised. To that end, Eclypsium has released a free tool to help administrators determine whether their MikroTik devices are vulnerable or infected with malware such as Meris. Additional recommendations from MikroTik include upgrading regularly, using a secure VPN for remote access, and never assuming the local network can be trusted.
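The RouterOS console commands below are an added example written for this article; they are not Eclypsium's tool and not a configuration published by MikroTik. They first surface the two facts the Eclypsium dataset was keyed on (the running RouterOS version and whether Winbox and other services are reachable) together with the settings Meris-style abuse relies on (the SOCKS and web proxies, plus scheduler entries and scripts an attacker may have added), and then apply the three MikroTik recommendations above: upgrade, restrict management to a VPN, and stop trusting the local network. The interface name ether1, the management subnet 192.168.88.0/24 and the placeholder VPN credentials are assumptions; substitute your own values.

```routeros
# Added example (not Eclypsium's tool, not MikroTik documentation). RouterOS v6 console.
# Assumptions: ether1 is the Internet-facing port, 192.168.88.0/24 is the trusted
# management LAN, and the REPLACE_ME secrets are placeholders.

# ---- 1. Check: version, exposed services, and signs of abuse ----
/system resource print
# "version:" is the value to compare with the RouterOS releases in Eclypsium's dataset
/ip service print
# winbox (TCP 8291) with an empty "address" column answers to anyone the firewall lets in
/ip socks print
# Meris tunnelled attack traffic through the SOCKS proxy; this should read "enabled: no"
/ip proxy print
# an enabled web proxy is the component used to inject scripts into pages users browse
/system scheduler print
/system script print
# attackers persist through scheduler entries that fetch and run scripts;
# any entry or script you did not create yourself is suspect

# ---- 2. Upgrade RouterOS and the RouterBOARD bootloader firmware ----
/system package update set channel=stable
/system package update check-for-updates
/system package update install
# after the reboot, the bootloader also needs updating (applied on the next reboot)
/system routerboard upgrade

# ---- 3. Do not trust the LAN: bind management services to the management subnet ----
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl
/ip socks set enabled=no
/ip proxy set enabled=no

# ---- 4. Input-chain firewall: nothing from the Internet reaches the router itself ----
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall filter add chain=input action=accept connection-state=established,related comment="replies to router traffic"
/ip firewall filter add chain=input action=drop connection-state=invalid
/ip firewall filter add chain=input action=accept src-address=192.168.88.0/24 comment="management LAN"
/ip firewall filter add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500,1701 comment="L2TP/IPsec VPN"
/ip firewall filter add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp comment="IPsec ESP"
/ip firewall filter add chain=input action=drop in-interface-list=WAN comment="drop everything else from the Internet"

# ---- 5. Remote administration only over a VPN (L2TP over IPsec) ----
/ppp secret add name=admin-vpn password=REPLACE_ME service=l2tp
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret=REPLACE_ME default-profile=default-encryption
```

Two practical cautions: firewall filter rules are evaluated top down, so keep the accept rules ahead of the final WAN drop, and run the hardening steps from a second session that stays open until you have confirmed you can still reach the router. The `/ip service ... address=` restriction is enforced by the service itself, independent of the firewall, so VPN clients must receive addresses inside the management subnet (or get their own accept rule and service address entry) or they will be locked out of Winbox and SSH as well.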

Scheferman said he would not single out MikroTik, because the problem is enormous across all OEMs. There isn't an OEM out there that hasn't had some type of RCE vulnerability, he said. For example, a zero-day vulnerability in Pulse Secure VPN devices was exploited by malicious actors in attacks on government and financial organizations in April.

"What makes this story interesting to me is that there are two million devices and 1.88 million of them have their configuration port facing the Internet, and it is not there by default. So it's not a MikroTik problem, it's a bad guy problem," Scheferman said.

Scheferman also believes there are ways for the tech industry to address these challenges. "I think there is a call to arms to actually do the kinds of things you can do about this problem, rather than just dismissing it as an end-user awareness issue," he said.
