MikroTik routers Hijacked by botnet

inseek · January 23, 2025, 3:39pm

It was just brought to my attention but I am not finding a word from Mikrotik about this:

thehackernews.com/2025/01/13000-mikrotik-routers-hijacked-by.html

Apparently, it is just 2 days old discovery and details are scarce.

chechito · January 23, 2025, 3:43pm

that “news” arised since January 14

i think is mostly click-bait

inseek · January 23, 2025, 3:59pm

Well, knowing that my network is “mostly” protected is not the acceptable state for me

Knowing that there were multiple vulnerabilities exploited in Miktotik devices in the recent years makes me jump once I read news about new issues affecting Mikrotik…I own multiple devices from this vendor so I am obviously interested to know that these are reasonably secure and the manufacturer takes all necessary steps to avoid situations like this.

jaclaz · January 23, 2025, 4:08pm

Details are not scarce, they are not existing.

That routers with credentials admin/blank (or admin/admin and similar) can be easily accessed (or bruteforced for simple, common passwords) is not “news”, and the referenced CVE (from 2023) is founded on the same basic issue, from its description:
https://nvd.nist.gov/vuln/detail/CVE-2023-30799

Description

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and > authenticated > attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system.

(highlighting is mine)

Whilst the privilege escalation was (is) only possible on 6.49.7 and earlier, the problem with user “admin” and no or easily guessable password remains if users does not change.

The good Mikrotik guys started replacing admin/blank with admin/ to “force” users to better protect users setups, but nothing can be done for older devices and we have reports of routers compromised within seconds/minutes from being connected to the internet “accidentally” when not in a more secure login state, last example (jFYI):
http://forum.mikrotik.com/t/device-got-hacked-1-min-after-connected-to-internet/178933/1

inseek · January 23, 2025, 4:29pm

That’s good, then! I keep all my devices updated/patched and not directly accessible from Internet, with default account disabled.

rextended · January 23, 2025, 4:32pm

Still falling everytime into the same stupid speeches.
Are you able to understand well what is written???

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue.
A remote > and authenticated > attacker can escalate privileges > from admin to super-admin > on the Winbox or HTTP interface.
The attacker can abuse this vulnerability to execute arbitrary code on the system.

Do you know what it means to be already authenticated as admin???
Who cares about vulnerability when those who MUST be authenticated can already do whatever the f–k they want,
like install old RouterOS version vulnerable to x, y and z???

Wrong concern. How does an attacker have REMOTE (or local) access as ADMIN???

So…
With these simple considerations, therefore, there is NO secure version of RouterOS,
because if an INCOMPETENT administrator leaves the ports open, does not delete “admin” and sets a stupid password,
any attacker can reinstall a vulnerable version of RouterOS and hack the router.

BartoszP · January 23, 2025, 5:50pm

http://forum.mikrotik.com/t/hot-take-on-botnets-how-do-you-secure-your-mikrotik-while-setting-it-up/181310/1

Author of the news mentioned in quoted topic (not the author of the topic) busily hides how old articles are referenced to “prove” the fact of article existence and makes an imperssion that it’s something new => clickbite.

inseek · January 23, 2025, 5:57pm

Still falling everytime into the same stupid speeches.
Are you able to understand well what is written???

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue.
A remote > and authenticated > attacker can escalate privileges > from admin to super-admin > on the Winbox or HTTP interface.
The attacker can abuse this vulnerability to execute arbitrary code on the system.

Do you know what it means to be already authenticated as admin???
Who cares about vulnerability when those who MUST be authenticated can already do whatever the f–k they want,
like install old RouterOS version vulnerable to x, y and z???

Wrong concern. How does an attacker have REMOTE (or local) access as ADMIN???

So...
With these simple considerations, therefore, there is NO secure version of RouterOS,
because if an INCOMPETENT administrator leaves the ports open, does not delete "admin" and sets a stupid password,
any attacker can reinstall a vulnerable version of RouterOS and hack the router.

So, the current version 6.49.17 and 7.17 of ROS are presumably not affected by these previously discovered vulnerabilities assuming the default admin user is disabled and replaced with once with complex password, management access to router restricted to specific private IPs (so no SSH/Winbox from WAN), firewall is properly configured, unused ports and services disabled, inter-VLAN traffic restricted...

Larsa · January 23, 2025, 6:13pm

Yes, that’s the correct understanding. It’s just as protected as a router should be by default. Opening services to the internet involves major risks, bug or not. This applies to all types of routers, not just Mikrotik.

rextended · January 23, 2025, 7:26pm

Exactly but are ok from 6.49.8 and up, 7.13 and up.
On 7.17 downgrade to some hackable version are forbidden until device-mode is not changed,
but if you downgrade to 7.13…7.16 you can still downgrade again to 6.x or 7.x
The downlimit is the version shipped with the device (is also a limit for netinstall).

Often the most exploited bug is the same password in router 7.17 equal to the password the user had in 6.44…