Hoov
Member Candidate
Topic Author
Posts: 114
Joined: Fri Mar 30, 2018 9:08 am
Location: NE Michigan

Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Mon Dec 23, 2019 7:21 am

https://fossbytes.com/notorious-lazarus ... x-malware/

This was an article that was forwarded to me by a friend who knows I use Mikrotik devices. I do try to keep everything updated to one of the last two releases. From what I understand of this, it is using a plugin that has already been dealt with several updates ago. Has anyone looked into this at all?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Mon Dec 23, 2019 7:52 am

I guess we will find out, since it's a new threat...
Just don't leave 8291 open to the public...
 
mkx
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Mon Dec 23, 2019 8:21 am

> Just don't leave 8291 open to the public...

... or to a host running Atlassian which might be already compromised by the same exploit.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Wed Dec 25, 2019 1:12 am

This doesn't mention a specific exploit, just a port scan. So there is nothing you're really "vulnerable" to, but if your winbox port is reachable by random users you should expect that to change in the future.
 
r00t
Long time Member
Posts: 674
Joined: Tue Nov 28, 2017 2:14 am

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Wed Dec 25, 2019 1:52 am

It's best to use a VPN to manage your routers from outside, but if you don't want to, at least do these simple steps:
1) Do not use the default admin account; create a new one with a unique name and strong password, and disable the original admin.
2) Change the winbox port to a new one.
This will help you greatly against basic bots looking for the default port open, and also against brute-forcing or common password testing using the default admin user name.
You still might be vulnerable in case a new zero-day exploit is discovered, but having changed the port number, you will probably not be pwned that quickly.
Or even better:
3) Search for "port knocking" on this forum for how to set it up, so the winbox port is closed unless you send a specific sequence of packets to the router to open it for that one IP only. It's not as good as a VPN, but it helps a lot to hide the port.
 
gotsprings
Forum Guru
Posts: 2118
Joined: Mon May 14, 2012 9:30 pm

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Thu Dec 26, 2019 5:32 pm

Port knocking and address lists. Also add scanners to drop list.
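
The hardening steps suggested in the two replies above (a non-default admin account, a non-default Winbox port, port knocking, and a scanner drop list), written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; the user name, password placeholder, port numbers, address-list names and the `ether1` WAN interface are assumptions.

```routeros
# Added example. Constructed values (assumptions): user "netops", Winbox port
# 48291, knock ports 7001 then 7002, list names, WAN interface ether1.

# 1) Create a uniquely named full-rights user, then disable the default admin.
/user add name=netops group=full password="REPLACE-with-long-unique-passphrase"
/user disable [find name=admin]

# 2) Move Winbox off the default TCP 8291.
/ip service set winbox port=48291

/ip firewall filter
# Keep already-established sessions working.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"

# Scanner drop list: sources already flagged are dropped before they can
# reach the knock rules, so a sequential port sweep cannot complete the knock.
add chain=input src-address-list=port-scanners action=drop \
    comment="drop flagged scanners"
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d comment="flag TCP port scans"

# 3) Port knocking: a new TCP connection to 7001 puts the source in stage 1
# for 10 seconds; a connection to 7002 from a stage-1 source admits that one
# IP to Winbox for 1 hour.
add chain=input in-interface=ether1 protocol=tcp dst-port=7001 \
    connection-state=new action=add-src-to-address-list \
    address-list=knock-stage1 address-list-timeout=10s comment="knock 1"
add chain=input in-interface=ether1 protocol=tcp dst-port=7002 \
    connection-state=new src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=winbox-allowed \
    address-list-timeout=1h comment="knock 2"

# Winbox is reachable only from sources that completed the knock.
add chain=input protocol=tcp dst-port=48291 src-address-list=winbox-allowed \
    action=accept comment="winbox for knocked IPs"
add chain=input in-interface=ether1 protocol=tcp dst-port=48291 action=drop \
    comment="winbox closed to everyone else"
```

`add` appends to the end of the chain, so on a router that already has input rules these must be moved above any existing general drop rule to take effect.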
 
Hoov
Member Candidate
Topic Author
Posts: 114
Joined: Fri Mar 30, 2018 9:08 am
Location: NE Michigan

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Sat Dec 28, 2019 7:29 am

For now, it really doesn't matter. Our network is not accessible from the outside. Not that I have not tried, but we had a bit of a scare a year and a half ago, and I locked it down. I just wanted to bring this up, just in case there was a vulnerability. Our network is finally running fairly smoothly, and I want to keep it that way.
 
ingdaka
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Sat Dec 28, 2019 11:38 pm

This phrase on that post:
The report reads, “We are not sure why TCP 8291 is targeted, but we know that the Winbox protocol of the MikroTik Router device works on TCP / 8291 port and is exposed on the Internet.”

Is the group really from North Korea, or is it supported by Cisco / Unify with friends because Mikrotik is gaining reputation and sales over the others... so they cannot beat Mikrotik in the market and do these kinds of things to make people "think twice" before buying a Mikrotik device...
 
gotsprings
Forum Guru
Posts: 2118
Joined: Mon May 14, 2012 9:30 pm

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Sun Dec 29, 2019 4:53 pm

I swear I remember an article more than a year ago, about holding the connection open to 8291 and using it to probe Tik Networks.

It was the next "big thing" after Slingshot.
 
Hoov
Member Candidate
Topic Author
Posts: 114
Joined: Fri Mar 30, 2018 9:08 am
Location: NE Michigan

Re: Does anyone know if a fully updated Mikrotik Device is going to be vulnerable to this?

Thu Jan 02, 2020 7:17 am

If I remember correctly, there was a vulnerability in ROS. There were two ways of dealing with it: update it, or close port 8291. I may be wrong about that though. But I do remember the port being vulnerable, and there was an update. But this is something new. At least as far as I can find out.
