Following a serious flaw, MikroTik routers were discovered to be potentially vulnerable. The vulnerability can be exploited, resulting in DDoS attacks and malware infiltrations. There are 300,000 IP addresses associated with devices that have been discovered to be vulnerable to numerous remotely exploitable security issues.
Bugs have been corrected after the discovery, but because this is a common provider of routers and other wireless ISP devices, users should ensure they follow the manufacturer's instructions; several items may still be subject to these three significant flaws. Exploiting remote code execution bugs can result in a complete device takeover, which is still a very real possibility.
MikroTik is a Latvian company that has supplied over 2 million gadgets worldwide. China, Brazil, and Italy have the most afflicted devices. However, the items' popularity and impressive features made them appealing to attackers and thieves.
The researchers noted: 'This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks to command-and-control (aka 'C2'), traffic tunneling, and more.'
Because of the large number of current devices and the potential for leverage, hackers see this as a lucrative opportunity, posing a significant attack risk. Threat actors attempt to take advantage of these possibilities to get access to systems and deploy malicious programs or viruses. Earlier this year, botnets were developed by exploiting a security flaw in the os.
The Meris botnet launched a denial-of-service assault on Yandex by exploiting a specific vulnerability in MikroTik. The cybercriminals targeted a Russian internet company and leveraged serious security vulnerabilities in devices manufactured in 2018 and 2019 that had not been adequately fixed.
The vulnerabilities discovered now are listed below:
- CVE-2019-3977 – critical score of 7.5. The router OS's insufficient validation allows a reset of all usernames and passwords.
- CVE-2019-3978 – CVS score of 7.5. Protection of the critical resource leads to poisoning of the cache.
- CVE-2018-7445 – CVS score- 9.8. SMB buffer overflow flaw.
- CVE-2018-74847 – CVS score – 9.1. Directory traversal vulnerability in the WinBox interface.
Researchers discovered at least 20,000 workstations that had been compromised as a result of these vulnerabilities, which had injected bitcoin mining malware scripts into webpages that users browsed, demonstrating the capability of exploiting routers for malware code injection and tunneling. Compromised routers' capacity to insert malicious material, tunnel, copy or reroute traffic can be leveraged in a variety of highly harmful ways.
Reportedly, DNS poisoning can result in a remote connection to a malicious site or the introduction of workers to the computer in the middle. At this point, attackers can employ a variety of tools and tactics to achieve their objectives. Sensitive data can be intercepted, company traffic can be tunneled to another location, and malicious content can be inserted into the tunnel.
Since these MikroTik devices were not the only ones that are vulnerable and exploitable, devices must be updated and patched regularly.
