Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Mysterious Grey-Hat Is Patching People's Outdated MikroTik Routers (zdnet.com)

Posted by BeauHD on from the just-trying-to-help dept.

An anonymous reader quotes a report from ZDNet: A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned. The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already. "I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions." But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. The vigilante server administrator says he's been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April.

45 of 74 comments (clear)

  1. Not the sysadmin they want.. by Rick+Schumann · · Score: 5, Insightful

    ..but the sysadmin they deserve?
    Regardless, I approve of this. Bravo, Sir.

    1. Re:Not the sysadmin they want.. by ole_timer · · Score: 1

      bravo zulu in the navy...not sure what that means...

      --
      nothing to see here - move along
    2. Re:Not the sysadmin they want.. by Gravis+Zero · · Score: 1, Insightful

      Not the sysadmin they want but the sysadmin they deserve?

      The sysadmin they deserve is Janit0r. Janit0r took devices offline permanently with BrickerBot because people couldn't be bothered to maintain and secure their devices.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Not the sysadmin they want.. by K.+S.+Kyosuke · · Score: 1

      The Round-Robin Hood...

      --
      Ezekiel 23:20
    4. Re:Not the sysadmin they want.. by Narcocide · · Score: 4, Insightful

      No, that guy is just a vandal. This guy is a hero.

  2. outraged...but patched by ole_timer · · Score: 1, Interesting

    they were smart enough to login and see the note but the router was still unpatched? maybe that was the bad guys?

    --
    nothing to see here - move along
    1. Re:outraged...but patched by Anonymous Coward · · Score: 1

      They can't log in remotely once he put the note there, so no.

    2. Re:outraged...but patched by Mascot · · Score: 1

      Most people would log in to their own home routers from... home. As in, not remotely.

    3. Re:outraged...but patched by Mascot · · Score: 1

      Oh, wait, I misread. Or rather, misunderstood. Disregard.

    4. Re:outraged...but patched by ole_timer · · Score: 1

      so would the bad guys...cue twilight zone music...

      --
      nothing to see here - move along
    5. Re:outraged...but patched by Narcocide · · Score: 2

      That was my first thought too, but it could also just be undereducated "power users" who had just lost remote access to their LAN without realizing the security implications of everyone else having access, too.

  3. Ah yes, outraged... by Anonymous Coward · · Score: 2, Informative

    When people can't admit they were morons. They are the ones who ran unsecured hardware and didn't bother patching it. They should be thanking him, he may have prevented many actual scumbags from exploiting their hardware.

    1. Re:Ah yes, outraged... by TheReaperD · · Score: 3, Interesting

      I remember once that I switched a bad security setting with the intention of switching it right back. Well, I forgot to switch it back. Thankfully a guy from 4chan hacked my system and left me a note to fix it without doing any damage. Left him a thank you note. If you're bitching about this, you're an ungrateful asshole.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
  4. BeautifulOFHeaven by tanveer1979 · · Score: 1

    The Hero we need, but do not deserve

    --
    My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
    FB : https://www.facebook.com/TanveersPhotography
  5. Should have gotten Janit0r. by Gravis+Zero · · Score: 2, Interesting

    I'll say it plainly, if you do not maintain your devices then anyone should be free to brick them. The obvious argument is "but it's not yours!" but this disregards that like an unvaccinated child, it puts everyone else at risk. The only alternative to this is to hack the devices so that they permanently DoS the manufacturer and sellers of the device. The situation will not improve until companies are forced to make devices secure.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: Should have gotten Janit0r. by Aristos+Mazer · · Score: 1

      If it is a zero day then thereâ(TM)s no âoefail to maintain.â This was fixable back in April but these people did not apply. Thatâ(TM)s a failure to maintain.

    2. Re:Should have gotten Janit0r. by I-am-a-Banana · · Score: 2

      This is like saying if I put my bike in my backyard, go in the house to take a leak and find my bike stolen, it is completely my fault for it being stolen and anyone should be free to steal it. This is BS. There may be many reason why an update was not performed. Two wrongs do not make a right. Making changes to someone's property without their permission is wrong. Period.

    3. Re: Should have gotten Janit0r. by barc0001 · · Score: 1

      So what's the line? 1 week? 1 month? 3 months? Did this get a lot of attention? Would people have reasonably heard about it by now?

    4. Re:Should have gotten Janit0r. by quonset · · Score: 2, Insightful

      I'll say it plainly, if you do not maintain your devices then anyone should be free to brick them.

      I'll say it plainly, if you do not lock every single door and bolt down your windows then anyone should be free to steal your stuff.

      I'll say it plainly, if you do not lock your car then anyone should be free to steal it.

      I'll say it plainly, if you do not hold onto your phone every second you are out then anyone should be free to steal it.

    5. Re:Should have gotten Janit0r. by epyT-R · · Score: 3, Insightful

      Theft is not the same thing as breaking and entering so those are bad analogies. In this case, he fixed the issue you couldn't be bothered to fix for the sake of everyone else. It's still breaking and entering, but more like a neighbor breaking in to shut the gas off before your house destroys the neighborhood. I'd look at it as a favor...then I'd wipe the device and reflash and/or replace as necessary.

    6. Re: Should have gotten Janit0r. by djinn6 · · Score: 1

      By bricking the devices, it'll cost manufacturers a bunch of money on warranty replacements and hopefully force them to write more secure software in the future, or at least put in some mechanism for periodic updates.

    7. Re: Should have gotten Janit0r. by Aristos+Mazer · · Score: 1

      I bet we could work up a reasonable schedule. Thereâ(TM)s plenty of regulatory frameworks from automotive standards, zoning codes, and various industries. It would take some study, but I think we could identify a timeframe â" you run a device, itâ(TM)s your job to keep it up to spec, no different than a car passing annual inspection.

    8. Re: Should have gotten Janit0r. by barc0001 · · Score: 1

      > you run a device, itâ(TM)s your job to keep it up to spec, no different than a car passing annual inspection.

      The problem with that line of thinking is that many devices are seen as appliances in the minds of many. This MikroTik one is a bit more of a commerical router, but similar vulnerabilities have been discovered in many off the shelf routers grandmas buy at Best Buy. It's simply not reasonable to expect your average Joe or Jane to keep the router firmware up to date when it was probably a Herculean struggle for them to figure out which port you plug which Ethernet cable into on initial setup. Bricking them just becomes an exercise in frustration in warranty, and a tax on those people if it's out of the warranty period - and in it as well now that I think about it. What's Grandma gonna do, send it back to Linksys and wait 6 weeks all the while paying for an internet connection she's not able to use ?

      More regulation of these companies' products and massive fines are the only thing that will make them take notice. Any off the shelf router granny buys at a box store should be set up for remote updates to be pushed from a trusted signed source, and those updates should be proactive.

    9. Re:Should have gotten Janit0r. by AmiMoJo · · Score: 1

      If people understood that they would probably be grateful. Unfortunately there are a lot of tech support scams these days and people are worried about doing their banking and shopping online...

      Not worried enough to really do much about it of course.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: Should have gotten Janit0r. by Aristos+Mazer · · Score: 1

      If you have a device, it must either subscribe to an auto-update system supplied by the manufacturer or, if you prefer to manage your own device, you take on the responsibility for managing it. Your device is part of the shared ecosystem. Either you buy one that comes with a maintenance plan or you are the maintenance plan... the former for the low-tech folks, the latter for the higher-tech folks.

    11. Re:Should have gotten Janit0r. by Highdude702 · · Score: 1

      A router upgrade would take 30 seconds compared to Windows 2 hours on a ssd.

    12. Re: Should have gotten Janit0r. by barc0001 · · Score: 1

      While I agree with the idea, the chances of that actually happening any time soon are very slim. The public sees a need to maintain cars on a road. They don't see a need to maintain routers for everyone's safety. And companies are in a desperate race to get new shiny things in consumers' hands and those things are more connected and also have new interesting gaping holes in their security. And nobody cares. Legislation has to be written to fix this. And it won't be until something very shitty happens.

    13. Re: Should have gotten Janit0r. by Aristos+Mazer · · Score: 1

      Well then, Slashdot, let's band together and make something shitty happen? "Burn it all down. Maybe they'll care about security in Internet 2.0 (or whatever version marketing says we're up to now)."

  6. Re:100,000 routers? by ole_timer · · Score: 2

    they've probably sold millions of devices in the last 20+ years...

    --
    nothing to see here - move along
  7. Can the updates run without reboot? by Joe_Dragon · · Score: 1

    Can the updates run without reboot?

    That is the one part of why they don't get updated the down time.

    1. Re:Can the updates run without reboot? by Anonymous Coward · · Score: 1

      RouterOS boots quickly and has failover methods. That stuff is built for ISPs. If you don't have a redundant router that can take over while the other one reboots, you're not serious about avoiding down time anyway.

  8. Could be worse by bobstreo · · Score: 1

    Like if you were "renting/leasing" your router from your ISP and they bricked it as a "favor" for you,

    If you bought your own router:

    1) Disable remote access

    2) Change all the "passwords" you can. Extra points if you can change the admin account to something other than admin.

    3) Get the most recent update from the vendor and apply ir to your device. Repeat step 1 and 2.

    4) Create some local firewall rules, make sure nothing in your network is in an Internet reachable DMZ.

  9. That was my honeypot ... by Anonymous Coward · · Score: 1

    ... insensitive clod!

  10. It would not be hard by jd · · Score: 1

    ...to make a router that was secure against any realistic attack and still offer better throughput than anything being sold today. Reason you don't get that? It costs a little more and has to be modular, not single board.

    People prefer cheap and nasty to quality, every time.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  11. Enough Already! There is no grey here by slacka · · Score: 4, Insightful

    This is the Right Thing To Do! So many times the Goody Two-Shoes so called "white hats" take out the botnets but rather that do this and patch the hacked machines, they just try to disable the current botnet. And surprise, surprise within a few months all the hacked machines are back in a new botnet, more fault tolerant botnet.

    It's almost like these researchers realize that doing what this unsung hero did would hurt there job security. We should all celebrate this Russian hero. We need more like him.

  12. Like the movie brazil by goombah99 · · Score: 1

    the terrorists screw up the system by fixing things so they work better.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  13. Really curious what the angry ones said by SuperKendall · · Score: 3, Interesting

    I read the article but there was no mention of what the angry replies said... I'd be really curious to find out in what way they were angry, instead of just saying "thanks, but don't do it again".

    It seems like maybe there should be something like statute of limitations, where if an exploit was older than a certain amount it was legal for others to patch it even if it broke systems.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Really curious what the angry ones said by Mistlefoot · · Score: 4, Interesting

      They were angry because they were administering networks remotely and all of a sudden were not able to as their access was disabled as well.

      Imagine you are an incompetent IT doing work remotely and you can't access it anymore. So you have your client login locally to enable that feature again and they read that message to you. Now your client knows you are incompetent too. And then when the client refuses to enable access from outside the network you actually have to leave your desk to do the work. Or find a new customer as you have now been replaced.

  14. Re:By Your Own Logic by TheReaperD · · Score: 1

    No, but killing the stupid parents and vaccinating the children sounds like a plan.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
  15. Not the sysadmin anybody wants by bjdevil66 · · Score: 1

    In the end, you've had your router hacked - and it probably needs to be reset (or tossed and upgraded).

    So what if the hacker's trying to do the right thing. Would anyone smart trust a random stranger out there "fixing" your router without consent? Wouldn't a black hat just say the same thing - "Fixed your router for you. And oh yeah... you're welcome!" - and slip something malicious in?

    The dude is only accomplishing one thing: Getting even with lazy router owners to help other less lazy owners out. Misguided vigilantism.

    1. Re:Not the sysadmin anybody wants by djinn6 · · Score: 3, Insightful

      You should reset and update your router anyways. Just because this guy didn't install malware, it doesn't mean nobody else did.

      Besides, if this guy didn't get to you, then you would've never noticed your router is vulnerable and the black hats would've had all the time in the world to do damage. But since he did, at least you know there is a problem and can do something about it.

    2. Re:Not the sysadmin anybody wants by AmiMoJo · · Score: 1

      Problem is that updates have a cost. I don't mean development, I mean that some percentage of devices will brick. Failed updates, failed flash memory etc. Then some percentage of users will have trouble like a lost configuration that their son or daughter set up and they don't know how to fix.

      As such there is little incentive for manufacturers to advertise the fact that an update is available. As long as it exists they are covered legally, but ideally (for them) no one will actually apply it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Re:Here's some math ... by Zaiff+Urgulbunger · · Score: 1

    Plus you haven't factored in the time it take him/her to drive to where the router is and then somehow sneak in, hook up a laptop and to the fix and then sneak out! ;-)

  17. Re: By Your Own Logic by LocalH · · Score: 1

    Vaccinations should be required for all who don't have a compelling medical reason not to receive one (and no, "I don't wanna because someone famous said they were bad" doesn't count, when the actual science supports vaccination).

    Or perhaps if the cause of an outbreak can be narrowed down, if it turns out to be due to lack of herd immunity, then perhaps all those in the area who refused to vaccinate should be charged with bioterrorism?

    --
    FC Closer
  18. Internet devices have 8B attackers possibly by PeterM+from+Berkeley · · Score: 1

    You make an analogy between physical devices and internet devices. Your analogy is dead wrong. Here is why:

    An internet-connect device has potentially billions of attackers. Billions. Literally anyone, anywhere on the planet, any time. To contrast, someone has to show up to your door, car, phone.

    Furthermore, hacking internet devices can be automated, so ONE attacker can potentially attack ALL the devices on the internet that share that vulnerability.

    So your RISK on your internet connected device so far exceeds your risk of any of your physical devices that to make an analogy between the two is nonsensical.

    Last, your unsecured devices presents a RISK to everyone else on the network: you get hacked and now your device is an offensive tool being used against others. This is not at ALL like your door lock.

    So please, never, ever use the analogies you used again.

    That said, I don't advocate bricking devices. I would rather that people acting in defense install patches or disable the device in a reversible way. And I would rather see manufacturers FORCED by laws to provide security for their devices commensurate with the risks they face as internet devices!

    --PeterM