Hundreds of thousands of MikroTik devices still vulnerable to botnets

silversurfer

Approximately 300,000 MikroTik routers are vulnerable to critical vulnerabilities that malware botnets can exploit for cryptomining and DDoS attacks.

MikroTik is a Latvian manufacturer of routers and wireless ISP equipment that has sold over 2,000,000 devices globally.

In August, the Mēris botnet exploited vulnerabilities in MikroTik routers to build an army of devices that performed a record-breaking DDoS attack on Yandex. MikroTik explained that the threat actors behind the attack exploited vulnerabilities that had been fixed in 2018 and 2019, but whose patches users had not applied.

Despite all of these warnings and attacks, researchers have found that far too many devices remain vulnerable to critical flaws that can lead to a complete device takeover. As illustrated in a report published by Eclypsium today, the situation remains highly problematic.
Researchers from Eclypsium scanned the Internet for MikroTik devices that are still vulnerable to the following four CVEs:
  • CVE-2019-3977: Remote OS downgrade and system reset. CVSS v3 – 7.5
  • CVE-2019-3978: Remote unauthenticated cache poisoning. CVSS v3 – 7.5
  • CVE-2018-14847: Remote unauthenticated arbitrary file access and write. CVSS v3 – 9.1
  • CVE-2018-7445: Buffer overflow enabling remote access and code execution. CVSS v3 – 9.8
To be exploitable, a device must run RouterOS version 6.45.6 or older and have its WinBox service exposed to the Internet.
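The two conditions above (RouterOS 6.45.6 or older, WinBox reachable from the Internet) are easy to get wrong in an inventory spreadsheet, because RouterOS version strings do not sort correctly as text ("6.45.10" sorts before "6.45.6"). The following is an added example, not code from the article or from Eclypsium, that turns those two conditions into a triage over a constructed device inventory. It assumes WinBox listens on its default TCP port 8291 and that version banners look like "6.45.6" or "6.47.9 (stable)"; the `Device`, `parse_routeros_version` and `triage` names are this example's own.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Exposure condition from the article: RouterOS 6.45.6 or older with WinBox
# exposed to the Internet. Newer builds are treated as patched for these CVEs.
LAST_VULNERABLE_VERSION: Tuple[int, int, int] = (6, 45, 6)

# Assumption (not stated on the page): WinBox on its default TCP port.
WINBOX_PORT = 8291

# The four CVEs the Eclypsium scan looked for, as listed in the article.
ROUTEROS_CVES = ("CVE-2019-3977", "CVE-2019-3978", "CVE-2018-14847", "CVE-2018-7445")

# Leading "major.minor[.patch]"; trailing channel text such as " (stable)" is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


class Device(NamedTuple):
    host: str
    version: str            # RouterOS version banner as collected ("" if unknown)
    open_ports: frozenset   # TCP ports reachable from the Internet


def parse_routeros_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Parse '6.45.6', '6.47.9 (stable)' or '6.44' into a (major, minor, patch)
    tuple so versions compare numerically. Returns None for an unparsable banner."""
    m = _VERSION_RE.match(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_version_vulnerable(banner: str) -> bool:
    """True when the banner parses and is 6.45.6 or older (tuple comparison,
    so 6.45.10 is correctly newer than 6.45.6)."""
    parsed = parse_routeros_version(banner)
    return parsed is not None and parsed <= LAST_VULNERABLE_VERSION


def triage(devices: Iterable[Device]) -> Dict[str, str]:
    """Classify each device:
      vulnerable                 old RouterOS and WinBox exposed (matches the scan's criteria)
      outdated-winbox-not-exposed old RouterOS, but WinBox not reachable; still patch it
      patched                    RouterOS newer than 6.45.6
      unknown-version            banner missing or unparsable; check by hand
    """
    report: Dict[str, str] = {}
    for d in devices:
        parsed = parse_routeros_version(d.version)
        exposed = WINBOX_PORT in d.open_ports
        if parsed is None:
            report[d.host] = "unknown-version"
        elif parsed <= LAST_VULNERABLE_VERSION:
            report[d.host] = "vulnerable" if exposed else "outdated-winbox-not-exposed"
        else:
            report[d.host] = "patched"
    return report


# Constructed sample inventory (documentation addresses, made-up banners).
SAMPLE_INVENTORY = [
    Device("203.0.113.10", "6.45.6", frozenset({80, 8291})),          # last vulnerable build, exposed
    Device("203.0.113.11", "6.45.7", frozenset({8291})),              # first build past the threshold
    Device("203.0.113.12", "6.42.1", frozenset({80, 443})),           # old, but WinBox not reachable
    Device("203.0.113.13", "", frozenset({8291})),                    # no banner collected
    Device("203.0.113.14", "7.1.1 (stable)", frozenset({8291})),      # RouterOS 7 with channel suffix
    Device("203.0.113.15", "6.44", frozenset({8291})),                # two-component banner
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
    print("CVEs covered:", ", ".join(ROUTEROS_CVES))
```

Devices reported as `vulnerable` need both remediation steps: upgrade RouterOS and stop exposing WinBox. On the router itself that is `/system package update install` for the upgrade, and `/ip service set winbox address=<management-range>` (or `/ip service disable winbox`) to restrict the service; `/ip service print` shows what is still listening. A device reported as `outdated-winbox-not-exposed` is outside the scan's criteria but should be upgraded all the same.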