Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

https://fossbytes.com/notorious-lazarus-group-unleashes-first-linux-malware/

This was an article that was forwarded to me by a friend who knows I use Mikrotik devices. I do try to keep everything updated to one of the last two releases. From what I understand of this, it is using a plugin that has already been dealt with several updates ago. Has anyone looked into this at all?

I guess we will find out, since it's a new threat…
Just don't leave 8291 open to the public…

… or to a host running Atlassian which might be already compromised by the same exploit.

This doesn’t mention a specific exploit, just a port scan. So there is nothing you’re really “vulnerable” to, but if your winbox port is reachable by random users you should expect that to change in the future.

It’s best to use VPN to manage your routers from outside, but if you don’t want to, at least do these simple steps:

  1. do not use the default admin account; create a new one with a unique name and a strong password and disable the original admin
  2. change the winbox port to a new one
    This will help you greatly against basic bots looking for the default port open and also against bruteforcing or common-password testing using the default admin user name.
    You still might be vulnerable in case a new zero-day exploit is discovered, but having changed the port number, you will probably not be pwned that quickly.
    Or even better:
  3. search for "port knocking" on this forum for how to set it up so the winbox port is closed unless you send a specific sequence of packets to the router, which opens it for that one IP only. It's not as good as VPN but helps a lot to hide the port

Port knocking and address lists. Also add scanners to drop list.
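One way to put the three steps above (new admin user, disabled default admin, moved winbox port, port knocking) and the "scanners to a drop list" suggestion into RouterOS commands. This is an added example and is not code from either post or from MikroTik; the user name, ports, knock sequence, list names and timeouts are placeholders I chose, and the psd values are the ones used in the RouterOS manual's port-scan example. Check the syntax against your RouterOS version before pasting it in.

```routeros
# Added example, not from the thread. Placeholders: netadmin, 58291,
# the knock ports 1234/2345/3456, the list names and the timeouts.

# 1. Log in as a uniquely named full-rights user, then disable "admin".
#    Test the new login in a second session BEFORE disabling admin.
/user add name=netadmin group=full password="<strong-unique-password>"
/user disable [find name="admin"]

# 2. Move Winbox off TCP/8291 (any free port; 58291 is arbitrary here).
/ip service set winbox port=58291

/ip firewall filter
# 4. (placed first so it is evaluated before the knock rules)
#    psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
#    A host that racks up weight 21 within 3 s is listed and dropped for a week.
#    The three knock ports are all >1023, so a legitimate knock weighs 3 (< 21)
#    and does not trigger the detector.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=1w comment="detect port scan"
add chain=input src-address-list=port_scanners action=drop comment="drop listed scanners"

# 3. Port knocking: TCP/1234, then TCP/2345, then TCP/3456, each within 15 s
#    of the previous one. Only the source IP that completes the sequence is
#    put in "winbox_allowed" for 1 h; everyone else sees the port as closed.
add chain=input protocol=tcp dst-port=1234 action=add-src-to-address-list address-list=knock1 address-list-timeout=15s comment="knock 1"
add chain=input protocol=tcp dst-port=2345 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=15s comment="knock 2"
add chain=input protocol=tcp dst-port=3456 src-address-list=knock2 action=add-src-to-address-list address-list=winbox_allowed address-list-timeout=1h comment="knock 3 - opens winbox for this IP"
add chain=input protocol=tcp dst-port=58291 src-address-list=winbox_allowed action=accept comment="winbox only for knocked hosts"
add chain=input protocol=tcp dst-port=58291 action=drop comment="winbox closed for everyone else"
```

Filter rules are evaluated top-down and `add` appends at the end, so if the router already has a general `chain=input action=drop` rule, use `place-before=` (or move the rules in Winbox) so the knock and accept rules sit above it. Changing the port only hides you from bots that scan 8291; the address list is the real gate, and `/ip service set winbox address=...` can further restrict the port to known management ranges.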

For now, it really doesn't matter. Our network is not accessible from the outside. Not that I have not tried, but we had a bit of a scare a year and a half ago, and I locked it down. I just wanted to bring this up, just in case there was a vulnerability. Our network is finally running fairly smoothly, and I want to keep it that way.

This phrase on that post:
The report reads, “We are not sure why TCP 8291 is targeted, but we know that the Winbox protocol of the MikroTik Router device works on TCP / 8291 port and is exposed on the Internet.”

Is the group really from North Korea, or is it supported by Cisco / Unify and friends because Mikrotik is gaining reputation and sales on top of the others… so they cannot beat Mikrotik in the market and do these types of things to make people "think twice" before buying a Mikrotik device…

I swear I remember an article more than a year ago about holding the connection open to 8291 and using it to probe Tik networks.

It was the next “big thing” after Slingshot.

If I remember correctly, there was a vulnerability in ROS. There were two ways of dealing with it: update it, or close port 8291. I may be wrong about that though. But I do remember the port being vulnerable, and there was an update. But this is something new. At least as far as I can find out.