Slashdot Mirror


MikroTik Routers Are Forwarding Owners' Traffic To Unknown Attackers (bleepingcomputer.com)

Attackers have been exploiting vulnerabilities in MikroTik routers to forward network traffic to a handful of IP addresses under their control. "The bug is in Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files," reports Bleeping Computer. "Exploit code is freely available from at least three sources from at least three sources." From the report: 360Netlab announced in a blog post today that more than 7,500 MikroTik routers across the world are currently delivering their TZSP (TaZmen Sniffer Protocol) traffic to nine external IP addresses. According to the researchers, the attacker modified the device's packet sniffing settings to forward the data to their locations. "37.1.207.114 is the top player among all the attackers. A significant number of devices have their traffic going to this destination," Qihoo experts inform.

The analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic. An unusual interest is in traffic from SNMP (Simple Network Management Protocol) ports 161 and 162, which researchers cannot explain at the moment. The largest number of compromised devices, 1,628, is in Russia, followed by Iran (637), Brazil (615), India (594) and Ukraine (544). The researchers say that security outfits in the affected countries can contact them at netlab[at]360.cn for a full list of IPs.
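As an added example (not code from the article, 360Netlab or MikroTik): a small Python decoder for the TZSP datagrams a RouterOS sniffer streams out over UDP 37008, which flags a stream whose collector is not one the operator expects and one whose mirrored packet touches the ports named above. The collector allow-list and the sample datagram are constructed for the example.

```python
import struct

WATCHED_PORTS = {20, 21, 25, 110, 143, 161, 162}  # report's cleartext ports; IMAP is 143
ALLOWED_COLLECTORS = {"10.0.0.5"}   # constructed: the only capture box we operate

def parse_tzsp(datagram: bytes) -> bytes:
    """Strip the TZSP header (version, type, encapsulation, tag list); return the inner frame."""
    if len(datagram) < 4 or datagram[0] != 1:
        raise ValueError("not a TZSP v1 datagram")
    if struct.unpack("!H", datagram[2:4])[0] != 1:   # encapsulation 1 = Ethernet
        raise ValueError("unsupported TZSP encapsulation")
    i = 4
    while i < len(datagram):
        tag = datagram[i]
        if tag == 1:            # TAG_END: captured frame follows
            return datagram[i + 1:]
        if tag == 0:            # TAG_PADDING carries no length byte
            i += 1
        else:                   # every other tag is type, length, value
            i += 2 + datagram[i + 1]
    raise ValueError("TZSP tag list never terminated")

def inner_ports(frame: bytes):
    """Return (src_port, dst_port) for an IPv4 TCP/UDP frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] not in (6, 17):    # TCP or UDP; ports sit in the first 4 bytes
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])

def assess(collector_ip: str, datagram: bytes) -> list:
    """Findings for one outbound sniffer datagram seen at the network edge."""
    findings = []
    if collector_ip not in ALLOWED_COLLECTORS:
        findings.append("unknown_collector")
    ports = inner_ports(parse_tzsp(datagram))
    if ports and WATCHED_PORTS & set(ports):
        findings.append("watched_port")
    return findings

def build_sample(dst_port: int) -> bytes:
    """Constructed TZSP datagram: one length-prefixed tag, padding, end, then Ethernet/IPv4/TCP."""
    header = b"\x01\x00\x00\x01" + b"\x0a\x01\xc8" + b"\x00" + b"\x01"
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0]) + bytes([192, 168, 88, 10, 203, 0, 113, 7])
    tcp = struct.pack("!HH", 50000, dst_port) + b"\x00" * 16
    return header + eth + ip + tcp
```

Run `assess()` over the UDP 37008 flows a border capture sees leaving the router; a device that has never been configured to stream should produce none at all.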

31 comments

  1. This is why you do not use routers by Anonymous Coward · · Score: 2, Funny

    have you inspected the source code? No, so do not use them. Just put your PC on the internet and use hosts files protection from /.

    1. Re: This is why you do not use routers by Anonymous Coward · · Score: 2, Informative

      Install Openwrt firmware instead

      Check if your router is compatible with openwrt first

      Openwrt.org

    2. Re:This is why you do not use routers by xQx · · Score: 1

      Right.

      Because Cisco let you inspect their source code, and your traffic would NEVER pass through one of those routers.

  2. this is what happens by Anonymous Coward · · Score: 0

    when you don't buy routers from american companies. at least then you know exactly who's getting your data.

    1. Re:this is what happens by Anonymous Coward · · Score: 0

      the NSA, CIA, FBI, etc.

  3. what if I have multiple devices? by Anonymous Coward · · Score: 0

    I can't realistically have an internet connection and router for each device.

    1. Re: what if I have multiple devices? by Anonymous Coward · · Score: 0

      Rift. Which is why you use some old obsolete Linux box as a border router.

    2. Re:what if I have multiple devices? by Anonymous Coward · · Score: 0

      I can't realistically have an internet connection and router for each device.

      You can realistically plug ethernet cables and wifi cards into your PC though, and use it as a router.

      Honestly though, it's probably not worth the trouble, just don't buy Latvian routers instead.

    3. Re: what if I have multiple devices? by DontBeAMoran · · Score: 1

      So... you sort of have a border agent that wants to look at all the data on your phone before it crosses the border?

      Must be a U.S.A. router.

      --
      #DeleteFacebook

  4. Forwarded protocols are all clear text by Anonymous Coward · · Score: 0

    and probably have passwords on clear text too

    naughty naughty

  5. From at least three sources by Anonymous Coward · · Score: 0

    from at least three sources? Does that make 6 or 9 sources?

  6. This is why... by Nutria · · Score: 1

    I don't use Winbox.

    --
    "I don't know, therefore Aliens" Wafflebox1

    1. Re:This is why... by toejam13 · · Score: 1

      ...I don't configure my management services to listen on publicly accessible interfaces. Those services should go onto dedicated out-of-band management interfaces. Nobody from an untrusted network should be able to get anywhere near them.

  7. Lol by llamalad · · Score: 1

    So they're targeting the non-SSL versions of services.

    And SNMP being included is somehow a mystery? If you were the sort who wanted illicit access to people's systems, networks, and communications why wouldn't you want to also catch their SNMP strings? It's notoriously insecure yet shockingly common; a great way to dig deeper into a compromised site.

    1. Re:Lol by viperidaenz · · Score: 3, Informative

      For someone in the security community to not know the significance of sniffing SNMP traffic is quite sad.
      Having the community strings would give an attacker the ability to map out every device on the entire network. In some cases the right community strings would give them access to change the configuration of the routers, firewalls and switches on the network. SNMP v1 and v2 are not secure.

    2. Re: Lol by Anonymous Coward · · Score: 0

      Exactly. You can get an incredibly detailed view of a network from snmp, not just base topology but extremely detailed information about how it's actually being used.

  8. Re: what if I have multiple devices? TYPO CLARIFIC by Anonymous Coward · · Score: 0

    I can't realistically have and pay for an internet connection and modem for each device.

  9. 24 hour ban by Anonymous Coward · · Score: 0

    Or you know, just drop and ban for 24 hours (drop) any source IP who is not part of an established connection. And drop all incoming TCP SYN.

    that's all.

    1. Re:24 hour ban by Bert64 · · Score: 1

      Great, so send spoofed packets to your router using the source addresses of google etc, watch your router block all access to legitimate sites for 24 hours because of spoofed packets.
      After 24 hours you do it again, trivially easy denial of service.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    2. Re:24 hour ban by Anonymous Coward · · Score: 0

      Most ISPs don't let you send packets with spoofed addresses.

    3. Re:24 hour ban by Anonymous Coward · · Score: 0

      True, but usually is not an issue. Hasn't been an issue in the past 10 years. The bad guys probing ya usually need to establish a connection for their nefarious purposes.

    4. Re:24 hour ban by Anonymous Coward · · Score: 0

      Most ISPs don't let you send packets with spoofed addresses.

      Most ISPs don't use BCP38.

    5. Re:24 hour ban by Bert64 · · Score: 1

      Most consumer ISPs in the west don't, most business focused ISPs or transit providers do, as do many providers in other countries. Guess where someone malicious is going to launch their spoofed packet attacks from?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  10. Re:This is why you do not use cheap routers by Anonymous Coward · · Score: 0

    FTFY. Don't use no-name brands from Latvia.

  11. I think this is huge by Anonymous Coward · · Score: 0

    Last month broke the news of this same flaw being exploited. But it was used in a different and clever way. Basically the attacker enabled the proxy feature in the router and was injecting the coinhive script on every page of website you visited. But this injection of the pages was enabled for just some time, so it didn't overload the equipment. Some analyst of the attack saw alterations in the behavior, when the script was injected only on 404 error pages and with this it was undetected for even more time...

    Think about that for a moment. Lots of ISPs in developing countries rely on this brand, because they are cheap. Probably millions of customers' computers connected to these infected routers at ISPs were mining cryptocurrency.

    And I didn't see the news here.

  12. The place I see MikroTik gear by bferrell · · Score: 1

    Is as a raw device with something like OpenWRT or other customized firmware

  13. Re:This is why you do not use cheap routers by Anonymous Coward · · Score: 1

    This was patched back in April and only affected people who left services open to the internet and not firewalled off. Even the default config protects these with firewall rules.

    In short, you had to go out of your way to screw up the config to allow this to happen AND not patch it when it was known about.

    Meanwhile, with Cisco, you get deliberate backdoors installed from the factory.

  14. IMAP is not tcp/144 by TheDarkener · · Score: 2

    The analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic

    Uhh, that's 143 for IMAP. 144 is for "NewS window system" or "Universal Management Architecture".

    --
    It is pitch black. You are likely to be eaten by a grue.

  15. Patched in April by pradeepsekar · · Score: 4, Informative

    Patches were released by Mikrotik in April. The upgrades are easy - just a few mouse clicks. Configuring automatic upgrades is also easy. Out of the box, the routers come with a secure WAN configuration.

    Given this scenario, if users do not upgrade their router for a significant period of time, and/or configure the routers in an insecure manner, I would not apportion much blame on the supplier.

    All routers have had vulnerabilities. The question of how quickly the manufacturer fixes them, and whether the vulnerabilities were a result of malice or incompetence, is what I would use to judge the manufacturers. And Mikrotik would get one of the top ranks on these parameters. The article does not bring out these details.

  16. Re:Patched in April but Not Applied by Anonymous Coward · · Score: 0

    It's more complicated than that. Using "System>Auto Upgrade" doesn't upgrade anything. You need to go to "System>Packages>Check for Updates" and then manually apply the updates. RouterOS is powerful but also complicated and it is difficult for the average user to accomplish even the most basic tasks, like keeping the router's firmware up to date.

  17. Re: what if I have multiple devices? TYPO CLARIFI by Anonymous Coward · · Score: 0

    just plug in one at a time and remember to count to ten each time before and after