So what?
Only TP-LINK devices are listed.
If the attack went through a downloaded malicious file/virus/whatever, the advisory should have included that.
I don't think so. When a device is attacked from internet using telnet or ssh, that is not listed either.
It is the AP that is vulnerable, that it requires a vulnerable PC as well is not important, and in some cases may not even be the attack vector (e.g. when the AP is in a restaurant, a client may infect it).
Protecting the perimeter used to be the gold standard, but we now invite many IoT devices into the LAN side, and these phone home and can act as proxies to gain access to any device that allows access from the LAN.
That's one of the main reasons for using a vlan for your untrusted "IoT" devices, and to prevent that untrusted LAN from having management access to your infrastructure devices (routers, switches, firewalls, servers, etc.)
In a business, user PCs are placed in a vlan that is not "trusted" to have access to the management interfaces of infrastructure devices either.
But people running 10 year old ROS are probably not using vlans and may have never even set a password on the router. Or the network admin that did set them up has left and no one else knows what the password is and no one wants to touch/break it.
Well, you two (both pe1chl and Buckeye) did not convince me.
I doubt that the GRU/APT28 agents/hackers traveled around with a "hacking device" and connected to "random" wifi's, I still believe that this attack came from the internet.
And if instead it was a java/javascript/malware attacking "from the inside" there should be a virus/malware report.
Would that be so if the "inside" malware was downloaded after, say, phishing?
The original linked advice mentions only CVE-2023-50224 in relation to TPLink with no specific vulnerability mentioned for Mikrotik or other devices. Under the circumstances, it seems unlikely they would bother to mention social engineering as an attack vector; that goes without saying for all sorts of attacks.
TPLink has responded to Tom's that the affected devices are out of maintenance. Even so, they have developed patches for some of the older models (if only anyone will apply them).
There would have been an article similar to this (old) one (example only, not related to this):
https://www.ncsc.gov.uk/news/uk-cyber-experts-warn-of-targeted-phishing-attacks-from-actors-based-in-russia-and-iran
"would have been"
That is an assertion not a fact.
The original article is about routers. Your example's exact topic is phishing. The most likely vector is as discussed, unpatched older versions and products, probably with exposed interfaces, while internal access cannot be ruled out. The attacks are described by NCSC as opportunistic.
Their primary recommended defences are secure management interfaces, current fully patched software and modern hardware.
You asked a question with "would", I provided a possible answer that contains "would", all is hypothetical.
False equivalence.
Residential proxy networks acting as bots seem to be a thing nowadays.
(Apparently sometimes from pre compromised android tv boxes)
If you are the operator (or client of the operator) operating a group of these, you can presumably get inside people's networks and find more powerful devices that you can (manually??) compromise and gain access to for other useful things (as well as ddos).
Also they can be used as agent in DDoS attacks. A compromised WiFi AP may seem harmless but it can connect to a control server to receive instructions what traffic to send to which IP addresses on the internet. Lots of compromised devices on home internet connections can still amount to a large DDoS and are difficult to block.
I do not fully agree with your arguments. There are some ancient protocols that lack modern security features (e.g. telnet does not have transport encryption). That makes them unsuitable to use them over untrusted connections. However, even if you exposed that service to the internet, there should be no way to use it to circumvent access limitations!
Yes, it is reasonable to limit your attack surface as much as possible. But in a modern world there simply is no "safe intranet" vs. "unsafe internet" anymore (if there actually ever was something like that). As a customer, it is my expectation that Mikrotik provides hardened and secured implementations of all services that are running in their software stack.
Do I expose telnet, webfig or winbox? No, currently I do not. But there are others that I do expose: e.g. IPSec, Wireguard, and SSH (limited to key authentication).
The hard reality is that all of those authentication bypass paths that have occurred in the past decade in RouterOS revolved around having access to the WebFig or WinBox port and then the possibility to exploit bugs (and design errors) in the service behind it. And that isn't only true for RouterOS, it also happens in other brands of routers. And it has also happened in SSH servers, I think not in the one that RouterOS uses, but still.
It is never wise to expose these ports to the open internet, at least you should have some form of filtering like a list of allowed source IP, and better a VPN. You still expose yourself to bugs in the VPN, but when using a well-established VPN like IPsec the chances are less that it gets hacked than those cobbled-together web- or API services.
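The two defensive points made in this thread (keeping the untrusted IoT vlan away from management interfaces, and allowing management only from a list of trusted source addresses) can be expressed as one RouterOS configuration. This is an added example, not a config posted by anyone in the thread; the subnets, the admin/VPN ranges and the choice of which services to disable are assumptions for illustration.

```routeros
# Added example (not from the thread): restrict RouterOS management
# services to a trusted address list and keep them unreachable from the
# IoT vlan and the WAN. Addresses and ranges below are assumed values.

# Trusted management sources: the admin vlan and a VPN client subnet
/ip firewall address-list
add list=mgmt-allowed address=192.168.10.0/24 comment="admin vlan (assumed)"
add list=mgmt-allowed address=10.99.0.0/24 comment="VPN clients (assumed)"

# Disable services that are not needed; bind the rest to trusted ranges.
# Telnet and plain HTTP are unencrypted, and the API is rarely needed.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox address=192.168.10.0/24,10.99.0.0/24
set ssh address=192.168.10.0/24,10.99.0.0/24
set www-ssl address=192.168.10.0/24,10.99.0.0/24

# Input chain: accept management only from the trusted list, then drop
# the same ports from everywhere else (IoT vlan, guest wifi, WAN).
# These rules must sit above any broad "accept from LAN" rule.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="keep existing sessions"
add chain=input protocol=tcp dst-port=22,443,8291 \
    src-address-list=mgmt-allowed action=accept \
    comment="management from trusted sources only"
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 \
    action=drop comment="management ports from all other sources"
```

The service-level `address=` binding and the firewall drop rule overlap on purpose: if someone later re-enables a service or reorders the filter, the other layer still blocks the untrusted vlan and the internet.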