Threat Actors Targeting MikroTik Routers, Devices

Threat actors are targeting a significant number of vulnerable MikroTik wireless and IoT devices, according to new research by Eclypsium.

In a blog post Thursday, the hardware security vendor cited several reasons behind MikroTik's popularity with attackers, which researchers have been studying since September. Just after Eclypsium began its research, a record-setting DDoS attack powered by the Meris botnet was observed using vulnerable MikroTik devices.

The Latvia-based manufacturer of routers, IoT and wireless ISP devices has a track record of bugs that includes "three CVEs from the past three years that can lead to remote code execution and a complete takeover of a device." Eclypsium researchers found that customers rarely updated those devices even when a patch was available, and more than 2 million such products are deployed globally.

Threat actors are taking advantage of the unpatched devices, according to Eclypsium, to generate powerful DDoS attacks, use as command-and-control infrastructure, tunnel malicious traffic and more.

"While threat actors have the tools to find vulnerable MikroTik devices, many enterprises do not," the research blog said. "Given the challenges of updating MikroTik, there are large numbers of devices with these 2018 and 2019 vulnerabilities."

Scott Scheferman, principal cyber strategist at Eclypsium, told SearchSecurity those challenges include both technical and awareness issues. On the technical front, Scheferman said MikroTik routers do have auto-update capabilities, but users must properly configure the devices and opt in to enable the feature -- and users most apparently don't.

The type of vulnerabilities, including remote code execution (RCE) flaws, contributes to the technical difficulties. "One of the vulnerabilities from 2019 would allow you to downgrade [the firmware] as an attacker," Scheferman said.

From an awareness standpoint, the COVID-19 pandemic both improved security knowledge and created new concerns. While enterprises have an increased awareness of security risks to remote employees, Scheferman said home users, which rose significantly during the pandemic, have not reached that level and are still using vulnerable small office and home office (SOHO) equipment.

Vlad Babkin, a security researcher at Eclypsium, agreed that customer awareness is lacking. Babkin found that surprising for several reasons, one being users who choose MikroTik devices are likely opting for a more powerful networking device and would be expected to learn how to properly use it.

"They also have normal update buttons that the users can do manually, and that actually brings up the update pretty much automatically, so I don't know why it is this way," Babkin said.

Eclypsium noted that in addition to SOHO products, MikroTik wireless products are also used by ISPs. Luckily, patching rates appear to be higher with those enterprise customers; Babkin said the researchers found an ISP that was built on top of MikroTik.

Impact of Meris botnet

While the issue of having unpatched vulnerabilities despite available updates is not new, the research further highlighted associated risks for wireless and IoT devices. A known threat example was found in the Meris malware, a botnet that infected a "record-breaking" number of IoT devices, including MikroTik routers. Despite awareness and news reports, the attacks on MikroTik devices did not appear to slow down.

Scheferman noted several hypotheses, including an affiliate-as-a-service model where attribution becomes difficult. Threat actors switching tactics during COVID-19 is another, specifically the Clop ransomware gang, which realized EDR and XDR were improving, according to Scheferman.

"All these IoT devices inside enterprises and at the home edge are the security nexus right now, versus your traditional story from pre-2019, which was all about just the endpoint, EDR and XDR. The actors are shifting to that en masse," Scheferman said.

"Meris was able to use SOCKS4 proxy of the MikroTik router and tunnel attack traffic to their targets," the research blog said. "The capabilities demonstrated in these attacks should be a red flag for enterprise security teams. The ability for compromised routers to inject malicious content, tunnel, copy, or reroute traffic can be used in a variety of highly damaging ways."

Though Eclypsium researchers identified exploitation of the flaws in September, they are still getting exploited.

While mapping out exposure in the real world and collecting threat data, the researchers found "around 20,000 devices with proxy open and injecting mining scripts into web pages that the user visited." From there, they followed with other security researchers to determine any ongoing campaigns related to MikroTik.

"We found that Meris malware was continuing to infect MikroTik devices, en masse which correlated with our previous information," the research blog said.

As a next step, researchers hunted the botnets to determine which hosts were already infected or had the potential to be, and then created a top four list of the most impactful CVEs. This narrowed their research down to two options: "devices with Winbox protocol exposed and devices with RouterOS version 6.45.6." Using the Shodan database, Eclypsium researchers then built a data set of "around 300,000 IP addresses vulnerable" to at least one of the exploits.

"The data was very irregular in terms of distribution, with some of the older versions accounting for large numbers of vulnerable devices. This highlights the large number of MikroTik devices that are simply never being updated," the research blog said.

Security recommendations

It's difficult to detect if a MikroTik device is updated, but also whether it's actually been compromised. To that end, Eclypsium developed a free tool to help administrators determine if their MikroTik devices are vulnerable or infected with malware like the Meris botnet. Additional recommendations from MikroTik include regular upgrades, using a secure VPN for remote access and to never assume a local network can be trusted.

Scheferman said they are not singling out MikroTik, as the scope of the problem is massive across all OEMs. There's not an OEM out there that hasn't had an RCE type of vulnerability, he said. For example, a zero-day vulnerability in Pulse Secure VPN devices was exploited by threat actors in attacks against government and financial organizations in April.

"What makes this story interesting for me is there's 2 million devices out there and 1.88 million of those have their configuration port facing the internet and that's not there by default. So that's not a MikroTik problem; that's a bad guy problem," Scheferman said.

Additionally, Scheferman believes there are ways for the tech industry to address these challenges. "I think there's a call to arms to actually perform the kind of things that you can do about this problem, rather than just write it off as, 'It's an end-user awareness problem,'" he said.