Which RouterOS version was installed on your router? Was there a secure username and password configured on your router? Was the device protected by a firewall?
It is confirmed that this was another case of a hacked router due to an insecure firewall configuration in combination with an old RouterOS version (one which is vulnerable due to a Winbox related problem):
In either case, you have not stated how external access was permitted.
The password may not be unique, there could be a number of reasons.
The fact that you simply updated the firmware tells me you haven't read a single security thread on these topics.
Suffice to say, the best bet is to use netinstall and to use the latest firmware and a complicated but different password.
What do you mean? Is there remote access to ports 80 and/or 8291 to your router?
(the default firewall does not allow that, but maybe after your setup it does)
In almost EVERY MikroTik Router I have been asked to remotely install MOAB on, the Firewall was reconfigured from default and a security risk … many of these were fairly large corps who have VERY poorly trained techs that are very good at copy-paste procedures without understanding the implications in any way. It's no wonder that so many get hacked.
My concern is that this latest exploit could make the news cycle again. MikroTik's documentation is very poor and does little to teach security best practices. We can blame customers for not becoming experts, but that will not fix MikroTik's reputation. If many of your customers are blowing their legs off, it's best to do something about it. MikroTik's response is to rely on resellers and trainers to fix everything. The same ones selling other brands!
Why not take the bull by the horns, and just own your own product communication channel? Why not educate your busy and distracted customers with the best documentation on the planet?
What is missing is the silver spoon with which to feed the non-IT folks like myself that may not know better.
For the rest of you that are IT trained there is no excuse, and shame on you for actually purporting to be IT admins and taking people's money.
Port 80 was closed, but 8291 was open.
In any case, now the login / password has been changed, and the rules for blocking Winbox and CAPsMAN have been added.
We also went away from the main question: how did we get into the router, which did not have vulnerabilities? To pick up a password is not an easy task. This password may have entered the password database for busting …
And why nobody talks about API ports? These ports also allow you to log in, right?
You did not answer the question if your router was open to API, telnet, winbox etc from the internet.
That presumably was the case. Or there was some system on your local network that was hacked and from there connections to your router were possible.
If not one of those, the step of picking a password is not reached.
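The defensive configuration the replies above describe (blocking Winbox and CAPsMAN from the internet, and not leaving the API or telnet ports reachable either), written out as a RouterOS CLI example added here; it was not posted by anyone in this thread. It assumes the default-config interface list `LAN` exists and uses constructed management addresses 192.168.88.0/24 and 203.0.113.10.

```routeros
# Added example (not from this thread). Assumes the default-config interface list
# "LAN" exists; 192.168.88.0/24 and 203.0.113.10 are constructed trusted sources.

# 1. Trusted management sources.
/ip firewall address-list
add list=mgmt-allowed address=192.168.88.0/24 comment="constructed: local LAN"
add list=mgmt-allowed address=203.0.113.10 comment="constructed: admin VPN endpoint"

# 2. Drop management ports (FTP 21, SSH 22, Telnet 23, WebFig 80/443,
#    Winbox 8291, API 8728/8729) from anything not on the list. place-before=0
#    puts the rule at the top of the input chain, ahead of any accept rule.
/ip firewall filter
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 \
    src-address-list=!mgmt-allowed action=drop place-before=0 \
    comment="drop management ports from untrusted sources"
# CAPsMAN control/data (UDP 5246/5247) should only arrive on LAN interfaces.
add chain=input protocol=udp dst-port=5246,5247 in-interface-list=!LAN \
    action=drop place-before=1 comment="drop CAPsMAN from outside LAN"

# 3. Bind the services themselves to the same sources and disable what is
#    unused, so a later accidental firewall change does not expose them again.
/ip service
set winbox address=192.168.88.0/24,203.0.113.10/32
set ssh address=192.168.88.0/24,203.0.113.10/32
set api disabled=yes
set api-ssl disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes

# 4. Layer-2 MAC-telnet / MAC-Winbox only on LAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

Check the resulting order with `/ip firewall filter print` so the two drop rules sit above every accept rule in the input chain. As the thread says, apply this on a clean netinstall, not on top of an already compromised configuration.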
I found this "malware" too in one of my customer's RBs. The Routerboard was updated and management ports were blocked to the internet. But they had a hacked CCTV system.
What do you mean by updated… if one simply updated to the latest firmware via a standard update then the router is still most likely in a hacked state.
As per clear instruction one should use netinstall for a completely clean restart (and not use any backup files either that may be contaminated).