Nothing is safe!

Whether you're Cisco, Juniper, Mikrotik, Microsoft or Apple - Humans are writing code and we all get it wrong. I've read the topic through and I do think Mikrotik could do more (later) but I think some posters have taken a base config of a Mikrotik device, put it in production (possibly across their entire estate) and then carried on with their next task and not really paid much attention to keeping that estate 'live' and current. Acknowledge Mikrotik - once these disclosures hit they're not scrambling to release fixes - they're already done, there are so many vendors out there who don't even have patches for vulnerabilities or that will charge you the earth to stay subscribed just so you can download patches for stuff you paid for in the first place.

Anyway
1. Always change the default password
2. Change the default username
3. Stop services you don't use (SSH, Telnet, API, API-SSL) etc. IP->Services
3a. Neighbors
3b. Bandwidth Test
3c DNS remote requests
3d etc.
4. For the services you do use, move them to a non-standard ports : HTTP : 20080, Winbox 20081, etc
5. Consider stopping anything that is insecure (http, API, FTP, etc)
6. Put some default rules in for input->block, forward->block and then work back from there with allow rules
7. Implement a port-knocking system for the ports you do use
8. Don't treat this as an exhaustive list!
9. Once you've got a great config then do an 'Export file=MyDefaultConfig' and apply it to everything going forwards, improving as you go

There are lots of resources out there for hardening *all* firewalls and they start off like the above. There are further resources out there for Mikrotik.

I think if you're going to have a lot of devices out there that you manage then you need to have started with some of the above in mind. If you want a good starter document then look at the PCI compliance SAQ D form - this is a big long list of things you would do to harden your network against credit card theft but a lot of it is good practice if you want to secure your network in general.

Mikrotik have offered : if you're unsure about activity on your device, email them, they'll look into it. I bet you they'll do that whether you have proof of ownership or not, how many other vendors will do that for you.

@Mikrotik - Netinstall is hard work. Pressing that stiff button on 500 devices and uploading a default config can be hit and miss. Lots of tutorials out there bout disabling network cards and such just to make it work, can we improve this ?
@Mikrotik - A custom repository option for upgrades would be great.
@Mikrotik - If you don't already list CVEs addressed in the changelog files then that would help us

I know that's probably not a massive help but security is a never-ending process these days!

TL;DR. Centralization in security information helps Mikrotik every bit as it does its existing customers, prospective customers and the broader community.

Mikrotik need to be much more direct and centralized about even the very basics, like what specific vulnerabilities have been fixed and when (we can only hope for mitigation and workaround info).

This is just one of the reasons centralized and dated databases like CVE numbers, and why many other software and networking vendors numbered and versioned security update lists, exist. So, that they are trivially accessible, can be referenced directly, remove massive confusion from different sources and minimize both customer anxiety and broader concerns right now, let alone in future.

At the moment any precise security information is in a forum post, very often not even in changelogs. Yet internally you must keep a log of security fixes?

For example, in almost the same period of time, remote access security issues have blown up in the media around:

• SMB service/NetBIOS messages
• unsecured external web services
• web service vulnerabilities
• aggressive port scanning against Winbox ports
• Hajime IoT botnet/worm
• Slingshot malware and spyware - one of the most sophisticated spyware platforms ever discovered in the wild (meaning it must be a state actor) and to date it only affects Mikrotik devices

These are not necessarily the same underlying security issues, but due to widespread reporting confusion - all in different languages too - and, unsurprisingly, some actual hysteria abounds!

On top of that, there are even more risks. Existing known attackers are often only using older vulnerabilities yet have the potential to upgrade to use new ones, e.g. Slingshot or variants have not been seen attempting to use the SMB vulnerability.

It is notable that there can be more specific information about Mikrotik device security in some journalist articles than there is from Mikrotik itself, e.g. the the one from VirusGuides.

All of this now or in future could even constitute a directed or careful attack against Mikrotik with no real indication of how further it could scale. How best to defend yourself?

No matter how small an organisation, a simple static HTML page and references to CVE or security update IDs in changelogs, for example, cannot be that hard to maintain since you already have all that information.

In addition, there's a new Mirai variant available spreading over. Dropbear ssh server listens at port 62508/tcp, an instance of busybox+tcpdump+libpcap and a startup script for dropbear are in the file system.

this will block the winbox bruteforce attempt

add action=drop chain=input comment="drop winbox brute forcers" dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=\
ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="drop winbox brute forcers" connection-state=new dst-port=8291 \
protocol=tcp

@Mikrotik - Netinstall is hard work. Pressing that stiff button on 500 devices and uploading a default config can be hit and miss. Lots of tutorials out there bout disabling network cards and such just to make it work, can we improve this ?

Hopefully, you are aware that on a working router you can trigger netinstall with /system routerboard settings set boot-device=try-ethernet-once-then-nand; then rebooting. Much easier than pushing button, especially if router is located up a tower.

The disabling network cards issue has to do with treatment of Windows OS to any BOOTP protocol server when multiple interfaces are active, not under MikroTik's control.

Hi again,

We have a bunch of Mikrotiks with OS version higher than vulnerable one but all of them are still infected.

Even after "update FW" -> "reboot" -> "change password".







\


So even with the 6.41.3 all our devices are still infected.

Please respond ASAP and provide us instructions on how to remove all this shit from our Mikrotiks.

I can upload this /rw/info file if you need it, virustotal analysis shows nothing.

Good morning random12, could you make the package or access the console of RouterOS?
I would also like to verify this in my own.
Please email me the procedures.

Thank you very much in advance.

what happen when device infected ? I read post's but cant see what this infection does to the equipment.

Normis,

Is it also true to say that using net install with any version will also remove the bad files? Obviously reinfection is possible below 6.38.5, but files that were mentioned from the console output with special npk package, would those be removed using net install specifically ?

How to detect and cure?

- Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.

what happen when device infected ? I read post's but cant see what this infection does to the equipment.

The infection makes the device part of a botnet that will infect other devices and also can receive instructions
from the creator to do whatever he likes.

Hi:
I use vpn (ipsec or sstp) and i can only access after vpn enabled.

Thank you very much for the concerns!
To avoid countless topics that are partially related to the original problem, we decided to lock the topic.

Checkup list to make sure you are safe:
* MikroTik RouterOS version after (2017-Mar-09), 6.37.5/6.38.5 and higher.
* Firewall for "www" service (default port 80).

More information about the issue in the original post,
viewtopic.php?f=21&t=132499#p650812

If you have any issues, contact MikroTik support for help (support@mikrotik.com).