Hi guys I’ve heard some reports of a Mikrotik infecting botnet going around.Mikrotik have seemingly fixed these vulnerabilities in later versions.
Just a heads up to those in the forum.
https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/mikrotik-botnet/
The Mikrotik RouterOS-Based Botnet
A newly discovered botnet targets TCP port 8291 and vulnerable Mikrotik RouterOS-based devices. MikroTik, a Latvian hardware manufacturer, products are used around the world and are now a target of a new propagating botnet exploiting vulnerabilities in their RouterOS operating system, allowing attackers to remotely execute code on the device. Such devices have been making unaccounted outbound winbox connections. Radware’s Emergency Response Team (ERT) has spotted an increase in malicious activity following Kaspersky’s publication about the Slingshot APT malware that infected Mikrotik routers. It is believed this botnet is part of the Hajime botnet. Radware is witnessing the spreading mechanism going beyond port 8291 into others and rapidly infecting other devices other than MikroTik (such as AirOS/Ubiquiti).
Recommendations
Mikrotik recommends to block port 80/8291 (Web/Winbox) with a web application firewall and upgrade RouterOS devices to v6.41.3 (or at least, above v6.38.4).