At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices.
The most affected devices are located in China, Brazil, Russia, Italy, Indonesia, with the U.S. coming in at number eight, cybersecurity firm Eclypsium said in a report shared with The Hacker News.
“These devices are both powerful, [and] often highly vulnerable,” the researchers noted. “This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka ‘C2’), traffic tunneling, and more.”
MikroTik devices are an enticing target not least because there are more than two million of them deployed worldwide, posing a huge attack surface that can be leveraged by threat actors to mount an array of intrusions.
Indeed, earlier this September, reports emerged of a new botnet named Mēris that staged a record-breaking distributed denial-of-service (DDoS) attack against Russian internet company Yandex by using network devices from Mikrotik as an attack vector by exploiting a now-addressed security vulnerability in the operating system (CVE-2018-14847).
This is not the first time MikroTik routers have been weaponized in real world attacks. In 2018, cybersecurity firm Trustwave discovered at least three massive malware campaigns exploiting hundreds of thousands of unpatched MikroTik routers to secretly install cryptocurrency miners on computers connected to them. The same year, China’s Netlab 360 reported that thousands of vulnerable MikroTik routers had been surreptitiously corralled into a botnet by leveraging CVE-2018-14847 to eavesdrop on network traffic.
images from Hacker News