Slashdot Mirror


A Mysterious Grey-Hat Is Patching People's Outdated MikroTik Routers (zdnet.com)

An anonymous reader quotes a report from ZDNet: A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned. The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already. "I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions." But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. The vigilante server administrator says he's been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April.

74 comments

  1. Not the sysadmin they want.. by Rick+Schumann · · Score: 5, Insightful

    ..but the sysadmin they deserve?
    Regardless, I approve of this. Bravo, Sir.

    1. Re:Not the sysadmin they want.. by ole_timer · · Score: 1

      bravo zulu in the navy...not sure what that means...

      --
      nothing to see here - move along
    2. Re:Not the sysadmin they want.. by Gravis+Zero · · Score: 1, Insightful

      Not the sysadmin they want but the sysadmin they deserve?

      The sysadmin they deserve is Janit0r. Janit0r took devices offline permanently with BrickerBot because people couldn't be bothered to maintain and secure their devices.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Not the sysadmin they want.. by K.+S.+Kyosuke · · Score: 1

      The Round-Robin Hood...

      --
      Ezekiel 23:20
    4. Re:Not the sysadmin they want.. by Narcocide · · Score: 4, Insightful

      No, that guy is just a vandal. This guy is a hero.

    5. Re: Not the sysadmin they want.. by Anonymous Coward · · Score: 0

      Yeahhh, what Alexey is doing is like passing a house with the front door open, and walking over and closing it. Janit0r is taking the door off and bricking up the frame.

    6. Re:Not the sysadmin they want.. by Anonymous Coward · · Score: 0

      Regardless of his subjective intentions, he is wrong for altering other peoples' property. He has no idea how or why someone might have their equipment configured a certain way and he has no right to change it.

  2. 100,000 routers? by Anonymous Coward · · Score: 0

    Did MikroTik even sell that many routers? Really?

    1. Re:100,000 routers? by ole_timer · · Score: 2

      they've probably sold millions of devices in the last 20+ years...

      --
      nothing to see here - move along
  3. outraged...but patched by ole_timer · · Score: 1, Interesting

    they were smart enough to log in and see the note but the router was still unpatched? maybe that was the bad guys?

    --
    nothing to see here - move along
    1. Re:outraged...but patched by Anonymous Coward · · Score: 0

      Blackhats be like FU random do-gooder!

    2. Re:outraged...but patched by Anonymous Coward · · Score: 1

      They can't log in remotely once he put the note there, so no.

    3. Re:outraged...but patched by Mascot · · Score: 1

      Most people would log in to their own home routers from... home. As in, not remotely.

    4. Re:outraged...but patched by Mascot · · Score: 1

      Oh, wait, I misread. Or rather, misunderstood. Disregard.

    5. Re:outraged...but patched by ole_timer · · Score: 1

      so would the bad guys...cue twilight zone music...

      --
      nothing to see here - move along
    6. Re:outraged...but patched by Anonymous Coward · · Score: 0

      Well they could still use a DNS reflection attack from another locally-accessible network resource, so it of course could still be blackhats. But I doubt blackhats would dox themselves complaining about a patch... mostly...

    7. Re:outraged...but patched by Narcocide · · Score: 2

      That was my first thought too, but it could also just be undereducated "power users" who had just lost remote access to their LAN without realizing the security implications of everyone else having access, too.

    8. Re:outraged...but patched by Anonymous Coward · · Score: 0

      Probably they only looked because the outside access to the local network got blocked

  4. Ah yes, outraged... by Anonymous Coward · · Score: 2, Informative

    When people can't admit they were morons. They are the ones who ran unsecured hardware and didn't bother patching it. They should be thanking him, he may have prevented many actual scumbags from exploiting their hardware.

    1. Re:Ah yes, outraged... by TheReaperD · · Score: 3, Interesting

      I remember once that I switched a bad security setting with the intention of switching it right back. Well, I forgot to switch it back. Thankfully a guy from 4chan hacked my system and left me a note to fix it without doing any damage. Left him a thank you note. If you're bitching about this, you're an ungrateful asshole.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    2. Re:Ah yes, outraged... by Anonymous Coward · · Score: 0

      If you get a note from a hacker on your router, you should throw it in the garbage, no matter if it looks well intentioned or not.

  5. BeautifulOFHeaven by tanveer1979 · · Score: 1

    The Hero we need, but do not deserve

    --
    My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
    FB : https://www.facebook.com/TanveersPhotography
  6. Should have gotten Janit0r. by Gravis+Zero · · Score: 2, Interesting

    I'll say it plainly, if you do not maintain your devices then anyone should be free to brick them. The obvious argument is "but it's not yours!" but this disregards that like an unvaccinated child, it puts everyone else at risk. The only alternative to this is to hack the devices so that they permanently DoS the manufacturer and sellers of the device. The situation will not improve until companies are forced to make devices secure.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Should have gotten Janit0r. by Anonymous Coward · · Score: 0

      I'll say it plainly, if you do not maintain your devices then anyone should be free to brick them.

      Have you heard of the term "Zero Day?" Everyone deserves bricked devices with that silly rule.

    2. Re:Should have gotten Janit0r. by Anonymous Coward · · Score: 0

      "The situation will not improve until companies are forced to make devices secure."

      Has it occurred to you that you're advocating forced updates/reboots a la Windows 10? Because that's the only way any device will be secure in perpetuity.

    3. Re: Should have gotten Janit0r. by Aristos+Mazer · · Score: 1

      If it is a zero day then there's no "fail to maintain." This was fixable back in April but these people did not apply. That's a failure to maintain.

    4. Re:Should have gotten Janit0r. by Anonymous Coward · · Score: 0

      It's still not yours, and stop blaming the victims.

    5. Re:Should have gotten Janit0r. by I-am-a-Banana · · Score: 2

      This is like saying if I put my bike in my backyard, go in the house to take a leak and find my bike stolen, it is completely my fault for it being stolen and anyone should be free to steal it. This is BS. There may be many reasons why an update was not performed. Two wrongs do not make a right. Making changes to someone's property without their permission is wrong. Period.

    6. Re:Should have gotten Janit0r. by Anonymous Coward · · Score: 0

      It's a piece of shit toy router that poses a danger to the entire internet. Sure it's illegal and morally gray.
      But fuck you buddy if you have a bike made of Hep C and I come over to your house and pour gas on it you deserve it.

    7. Re: Should have gotten Janit0r. by barc0001 · · Score: 1

      So what's the line? 1 week? 1 month? 3 months? Did this get a lot of attention? Would people have reasonably heard about it by now?

    8. Re:Should have gotten Janit0r. by Anonymous Coward · · Score: 0

      So, following your argument, rather than guerilla vaccinate (what this guy is doing), we should kill the child. Not the parents, just the child.

      Nice worldview you got there mate.

    9. Re:Should have gotten Janit0r. by quonset · · Score: 2, Insightful

      I'll say it plainly, if you do not maintain your devices then anyone should be free to brick them.

      I'll say it plainly, if you do not lock every single door and bolt down your windows then anyone should be free to steal your stuff.

      I'll say it plainly, if you do not lock your car then anyone should be free to steal it.

      I'll say it plainly, if you do not hold onto your phone every second you are out then anyone should be free to steal it.

    10. Re:Should have gotten Janit0r. by Anonymous Coward · · Score: 0

      How do I hit the factory reset button on a stolen item?

    11. Re:Should have gotten Janit0r. by epyT-R · · Score: 3, Insightful

      Theft is not the same thing as breaking and entering so those are bad analogies. In this case, he fixed the issue you couldn't be bothered to fix for the sake of everyone else. It's still breaking and entering, but more like a neighbor breaking in to shut the gas off before your house destroys the neighborhood. I'd look at it as a favor...then I'd wipe the device and reflash and/or replace as necessary.

    12. Re: Should have gotten Janit0r. by djinn6 · · Score: 1

      By bricking the devices, it'll cost manufacturers a bunch of money on warranty replacements and hopefully force them to write more secure software in the future, or at least put in some mechanism for periodic updates.

    13. Re: Should have gotten Janit0r. by Anonymous Coward · · Score: 0

      It's more like if you left a loaded gun in the front yard and it gets stolen. Pwned routers are a menace to the rest of the internet.

    14. Re: Should have gotten Janit0r. by Aristos+Mazer · · Score: 1

      I bet we could work up a reasonable schedule. There's plenty of regulatory frameworks from automotive standards, zoning codes, and various industries. It would take some study, but I think we could identify a timeframe: you run a device, it's your job to keep it up to spec, no different than a car passing annual inspection.

    15. Re:Should have gotten Janit0r. by Anonymous Coward · · Score: 0

      I'll say it plainly, if you do not maintain your devices then anyone should be free to brick them.

      Some finer distinctions must be made due to English sucking the way it does.

      No, it should not be codified to grant anyone a right to brick a vulnerable device.
      (Aka free as freedom)

      Yes, anyone CAN brick a vulnerable device, and after enough time the chance will reach 100% that it will be bricked.
      (aka free as in able to)

      This distinction matters.

      That is why it isn't a wise idea to use a vulnerability to properly fix a device, as that isn't and shouldn't be a right others are granted.

      As the device owner however, only a complete fool and/or idiot could possibly think anything other than it being exploited would happen.
      This is why it is unwise to let it be known you did anything to it, because stupid people exist.

      I say if you are unable to hide your identity and *properly* play the role of a criminal, while doing actions that are criminal, then you are bad at being a criminal and shouldn't put yourself in the position to be labeled and treated as one.

      Don't fix it and let it be known you fixed it. People will treat you as a criminal due to taking criminal actions.

      Hack it only while acting like a criminal, aka hiding the fact you did it. This act will happen no matter what; the only things in question are "by who" and "what for".
      Whoever the "who" is that gets there first, it is that person's "what for" that takes place.
      If you want your own "what for" to be what happens, you just need to get to it first.

      But make no mistake, the "what for" makes absolutely no difference to the fact ALL of those "whos" have no rights to do anything to it, and will all be treated equally.

      Either that isn't acceptable and so you shouldn't be in the list of "whos", or you accept it and must not act like a fool and expect to be treated any differently. That means preparing to be treated like a criminal and taking the same precautions any successful criminal should.

    16. Re: Should have gotten Janit0r. by barc0001 · · Score: 1

      > you run a device, it's your job to keep it up to spec, no different than a car passing annual inspection.

      The problem with that line of thinking is that many devices are seen as appliances in the minds of many. This MikroTik one is a bit more of a commercial router, but similar vulnerabilities have been discovered in many off the shelf routers grandmas buy at Best Buy. It's simply not reasonable to expect your average Joe or Jane to keep the router firmware up to date when it was probably a Herculean struggle for them to figure out which port you plug which Ethernet cable into on initial setup. Bricking them just becomes an exercise in frustration in warranty, and a tax on those people if it's out of the warranty period - and in it as well now that I think about it. What's Grandma gonna do, send it back to Linksys and wait 6 weeks all the while paying for an internet connection she's not able to use?

      More regulation of these companies' products and massive fines are the only thing that will make them take notice. Any off the shelf router granny buys at a box store should be set up for remote updates to be pushed from a trusted signed source, and those updates should be proactive.

    17. Re:Should have gotten Janit0r. by AmiMoJo · · Score: 1

      If people understood that they would probably be grateful. Unfortunately there are a lot of tech support scams these days and people are worried about doing their banking and shopping online...

      Not worried enough to really do much about it of course.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re: Should have gotten Janit0r. by Aristos+Mazer · · Score: 1

      If you have a device, it must either subscribe to an auto-update system supplied by the manufacturer or, if you prefer to manage your own device, you take on the responsibility for managing it. Your device is part of the shared ecosystem. Either you buy one that comes with a maintenance plan or you are the maintenance plan... the former for the low-tech folks, the latter for the higher-tech folks.

    19. Re:Should have gotten Janit0r. by Highdude702 · · Score: 1

      A router upgrade would take 30 seconds compared to Windows 2 hours on an SSD.

    20. Re: Should have gotten Janit0r. by barc0001 · · Score: 1

      While I agree with the idea, the chances of that actually happening any time soon are very slim. The public sees a need to maintain cars on a road. They don't see a need to maintain routers for everyone's safety. And companies are in a desperate race to get new shiny things in consumers' hands and those things are more connected and also have new interesting gaping holes in their security. And nobody cares. Legislation has to be written to fix this. And it won't be until something very shitty happens.

    21. Re: Should have gotten Janit0r. by Aristos+Mazer · · Score: 1

      Well then, Slashdot, let's band together and make something shitty happen? "Burn it all down. Maybe they'll care about security in Internet 2.0 (or whatever version marketing says we're up to now)."

  7. Here's some math ... by CaptainDork · · Score: 0

    ... to consider:

    Let's say it takes 30 minutes (being very, very generous here) to do the patch, post the blurb and stuff. Appreciate I'm ignoring the time it takes to locate these puppies.

    100,000 routers X 30 minutes = 3,000,000 router-minutes ÷ 60 = 50,000 router-hours ÷ 24 = 2,083 router-days ÷ 365.25 = 5.7 router-years.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Here's some math ... by Anonymous Coward · · Score: 0

      That poor script must be bored out of its oh wait.

    2. Re: Here's some math ... by Anonymous Coward · · Score: 0

      Username checks out.

      Riiiight. I'm sure this guy _manually_ patched every single router interactively and doesn't even have the slightest scripting kiddy automation skillz. /s

    3. Re:Here's some math ... by Zaiff+Urgulbunger · · Score: 1

      Plus you haven't factored in the time it takes him/her to drive to where the router is and then somehow sneak in, hook up a laptop and do the fix and then sneak out! ;-)

  8. Cheer De Haxx0r Wif De Grey Hat by Anonymous Coward · · Score: 0

    In other news, beauhd still not leet.

    1. Re:Cheer De Haxx0r Wif De Grey Hat by Anonymous Coward · · Score: 0

      beauHD is an SJW.. there's no way he's a hÅר®

  9. Can the updates run without reboot? by Joe_Dragon · · Score: 1

    Can the updates run without reboot?

    That is one part of why they don't get updated: the down time.

    1. Re:Can the updates run without reboot? by Anonymous Coward · · Score: 1

      RouterOS boots quickly and has failover methods. That stuff is built for ISPs. If you don't have a redundant router that can take over while the other one reboots, you're not serious about avoiding down time anyway.

    2. Re:Can the updates run without reboot? by Anonymous Coward · · Score: 0

      Fuck you joe. Your router will most definitely reboot when it gets hacked and joins the botnet.
      So you can reboot to save the internet the damage due to your laziness or you can reboot once you get hacked.

  10. Could be worse by bobstreo · · Score: 1

    Like if you were "renting/leasing" your router from your ISP and they bricked it as a "favor" for you.

    If you bought your own router:

    1) Disable remote access

    2) Change all the "passwords" you can. Extra points if you can change the admin account to something other than admin.

    3) Get the most recent update from the vendor and apply it to your device. Repeat steps 1 and 2.

    4) Create some local firewall rules, make sure nothing in your network is in an Internet reachable DMZ.
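The four steps above, and the "block access to the router from outside the local network" firewall change the summary describes, expressed as RouterOS commands. This is an added example, not the poster's or MikroTik's own script; it assumes the factory-default LAN of 192.168.88.0/24, ether1 as the uplink, and a hypothetical replacement admin name "netadmin" (choose your own name and a real password).

```routeros
# Step 1: remote access. Only reach management services from the LAN,
# and switch off the services you do not use at all.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

# Step 2: credentials. Create a full-rights user under a non-default name
# (assumed name "netadmin"), then remove the stock "admin" account.
/user add name=netadmin group=full password="CHANGE-ME-to-a-long-passphrase"
/user remove admin

# Step 3: update RouterOS and the RouterBOARD firmware. Each of these
# reboots the device, so schedule it; repeat steps 1 and 2 afterwards
# and re-check the service list, since an upgrade can re-enable services.
/system package update check-for-updates
/system package update install
/system routerboard upgrade

# Step 4: local firewall rules. Mark the uplink as WAN, then drop every
# new connection to the router itself that arrives on that interface.
# Only return traffic for sessions the router opened is accepted.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="accept replies to the router's own sessions"
add chain=input connection-state=invalid action=drop \
    comment="drop invalid"
add chain=input in-interface-list=WAN action=drop \
    comment="drop all other input from the Internet"

# Check for an Internet-reachable DMZ: any dst-nat rule below forwards
# inbound WAN traffic to a LAN host and should be there on purpose.
/ip firewall nat print where action=dst-nat
```

Apply the rules from a LAN-side session (console, Winbox or SSH on the LAN address), since the last filter rule cuts off any management session that is coming in over the WAN.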

  11. That was my honeypot ... by Anonymous Coward · · Score: 1

    ... insensitive clod!

  12. It would not be hard by jd · · Score: 1

    ...to make a router that was secure against any realistic attack and still offer better throughput than anything being sold today. Reason you don't get that? It costs a little more and has to be modular, not single board.

    People prefer cheap and nasty to quality, every time.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  13. Enough Already! There is no grey here by slacka · · Score: 4, Insightful

    This is the Right Thing To Do! So many times the Goody Two-Shoes so called "white hats" take out the botnets but rather than do this and patch the hacked machines, they just try to disable the current botnet. And surprise, surprise, within a few months all the hacked machines are back in a new, more fault-tolerant botnet.

    It's almost like these researchers realize that doing what this unsung hero did would hurt their job security. We should all celebrate this Russian hero. We need more like him.

    1. Re:Enough Already! There is no grey here by Anonymous Coward · · Score: 0

      A real Soviet Herooo! Alexey is there!

  14. Like the movie brazil by goombah99 · · Score: 1

    the terrorists screw up the system by fixing things so they work better.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  15. Really curious what the angry ones said by SuperKendall · · Score: 3, Interesting

    I read the article but there was no mention of what the angry replies said... I'd be really curious to find out in what way they were angry, instead of just saying "thanks, but don't do it again".

    It seems like maybe there should be something like statute of limitations, where if an exploit was older than a certain amount it was legal for others to patch it even if it broke systems.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Really curious what the angry ones said by Mistlefoot · · Score: 4, Interesting

      They were angry because they were administering networks remotely and all of a sudden were not able to as their access was disabled as well.

      Imagine you are an incompetent IT doing work remotely and you can't access it anymore. So you have your client login locally to enable that feature again and they read that message to you. Now your client knows you are incompetent too. And then when the client refuses to enable access from outside the network you actually have to leave your desk to do the work. Or find a new customer as you have now been replaced.

  16. By Your Own Logic by Anonymous Coward · · Score: 0

    By your own logic, it would be OK to kill the children of those that refuse to vaccinate their children.

    Somehow, this doesn't sound all that logical or legal, does it?

    This presumptuous fucktard, and those that support him such as yourself, are performing and advocating criminal activity. Not OK, Shitlord.

    1. Re:By Your Own Logic by TheReaperD · · Score: 1

      No, but killing the stupid parents and vaccinating the children sounds like a plan.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    2. Re: By Your Own Logic by Anonymous Coward · · Score: 0

      The only problem is, how can you know the latest vaccination doesn't also cause cancer in the penal region? If we force all children to be vaccinated we run the risk some fuckwad drug corporation will impose some drug on us they know causes some random problem then they sell us a cure for that

    3. Re: By Your Own Logic by LocalH · · Score: 1

      Vaccinations should be required for all who don't have a compelling medical reason not to receive one (and no, "I don't wanna because someone famous said they were bad" doesn't count, when the actual science supports vaccination).

      Or perhaps if the cause of an outbreak can be narrowed down, if it turns out to be due to lack of herd immunity, then perhaps all those in the area who refused to vaccinate should be charged with bioterrorism?

      --
      FC Closer
    4. Re: By Your Own Logic by Anonymous Coward · · Score: 0

      Wow, you're stupid. Do us all a favor and never vote or have kids

  17. And those that are "outraged", remind me of this: by Anonymous Coward · · Score: 0

    You know what's so elegant about this little game, Jake?
    Nobody knows where the enemy is.
    They don't even know he exists.
    He's in every...one of their heads.
    And they trust him ... ... because they think they are him.

    If you try to destroy him to save them, ...
    they'll destroy you to save him.

    It's beautiful, man.
    You have to admire the opponent's elegance.

    [moves chess piece]
    Check.

  18. Not the sysadmin anybody wants by bjdevil66 · · Score: 1

    In the end, you've had your router hacked - and it probably needs to be reset (or tossed and upgraded).

    So what if the hacker's trying to do the right thing. Would anyone smart trust a random stranger out there "fixing" your router without consent? Wouldn't a black hat just say the same thing - "Fixed your router for you. And oh yeah... you're welcome!" - and slip something malicious in?

    The dude is only accomplishing one thing: Getting even with lazy router owners to help other less lazy owners out. Misguided vigilantism.

    1. Re:Not the sysadmin anybody wants by djinn6 · · Score: 3, Insightful

      You should reset and update your router anyways. Just because this guy didn't install malware, it doesn't mean nobody else did.

      Besides, if this guy didn't get to you, then you would've never noticed your router is vulnerable and the black hats would've had all the time in the world to do damage. But since he did, at least you know there is a problem and can do something about it.

    2. Re:Not the sysadmin anybody wants by Anonymous Coward · · Score: 0

      In the end, you've had your router hacked - and it probably needs to be reset (or tossed and upgraded).

      Still a good end result.

      The alternative is a truly malicious attacker doing far worse.

      Of the two, this guy is - by far - the better one.

    3. Re:Not the sysadmin anybody wants by AmiMoJo · · Score: 1

      Problem is that updates have a cost. I don't mean development, I mean that some percentage of devices will brick. Failed updates, failed flash memory etc. Then some percentage of users will have trouble like a lost configuration that their son or daughter set up and they don't know how to fix.

      As such there is little incentive for manufacturers to advertise the fact that an update is available. As long as it exists they are covered legally, but ideally (for them) no one will actually apply it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  19. No Good Deed ... by Anonymous Coward · · Score: 0

    No good deed goes unpunished, pretty much every time.

  20. When you do the RIGHT thing? by Anonymous Coward · · Score: 0

    When you do the RIGHT thing, you CAN'T be WRONG https://it.slashdot.org/commen...

    * ... & I'm NOT WRONG about that!

    APK

    P.S.=> You make a strong point on the "job security" thing you noted - who do you THINK makes the viruses/malwares/botnets? Non-technical users?? No way. It's "geeks gone bad" CREATING "JOB SECURITY" for themselves (as well as more 'side-money' albeit via thievery hurting others) - it's sad & it's wrong but it is HAPPENING & always has been... apk

  21. Internet devices have 8B attackers possibly by PeterM+from+Berkeley · · Score: 1

    You make an analogy between physical devices and internet devices. Your analogy is dead wrong. Here is why:

    An internet-connect device has potentially billions of attackers. Billions. Literally anyone, anywhere on the planet, any time. To contrast, someone has to show up to your door, car, phone.

    Furthermore, hacking internet devices can be automated, so ONE attacker can potentially attack ALL the devices on the internet that share that vulnerability.

    So your RISK on your internet connected device so far exceeds your risk of any of your physical devices that to make an analogy between the two is nonsensical.

    Last, your unsecured devices present a RISK to everyone else on the network: you get hacked and now your device is an offensive tool being used against others. This is not at ALL like your door lock.

    So please, never, ever use the analogies you used again.

    That said, I don't advocate bricking devices. I would rather that people acting in defense install patches or disable the device in a reversible way. And I would rather see manufacturers FORCED by laws to provide security for their devices commensurate with the risks they face as internet devices!

    --PeterM