Owners of the globally popular and cheap MikroTik brand of home routers inadvertently were involved in the attempt to take down Russian search engine giant Yandex in September, when the MikroTik-based Mēris botnet was used in a record-breaking DDoS attack.
Before that, MikroTik was a common command and control device for TrickBot. Throughout, it has been a target for cryptominers and other miscellaneous threats. Researchers at Eclypsium have taken the first steps to map and classify the globally vulnerable population of MikroTik, and develop scripts security staff can use to detect whether devices are compromised.
Mapping globally visible MikroTik devices, excluding honey pots, Eclypsium determined there were around 2 million worldwide, with the U.S. likely the eighth largest market for the products (China being the largest). Of those 2 million devices, researchers told SC that around 1.8 million have WinBox, the administration tool for MikroTik, visible to the internet. That is interesting because it does not ship that way. In the vast majority of the cases they are likely reconfigured by malicious actors.
"With these devices, when you compromise them, it doesn't necessarily mean that the router has modified firmware, or that you've got an implant going on," said Scott Scheferman, principal strategist at Eclypsium. "Rather it means that the device has been largely misconfigured to do bad things, because they're so powerful because they have such high CPU processing power and a diverse set of capabilities already built-in."
The DDoS attack, for example, was not being run off of modified firmware. Rather, it was being run using either legitimate-but-downgraded firmware that was already installed.
Home router security, regardless of brand, has always been a concern. Users rarely update firmware, devices ship with default passwords, and since routers have a long shelf life, problematic devices linger for years — this is in no way exclusively a MikroTik problem. But MikroTik has had four key vulnerabilities exposed in its RouterOS in recent years that makes it particularly attractive. Only WinBox running on MikroTik's RouterOS version 6.45.6 or earlier is vulnerable to the attacks used by the botnet. By Eclypsium's count, that represents only 12.5% of the ecosystem, many of which are also vulnerable to SSH issues exploited by the botnet.
For security staff, this is more than an issue of a botnet on home office users' systems. This could be the beginning of any number of issues.
“The real story here is that these devices are super powerful and can be used for any number of objectives, tactics and resulting impacts, whether it's dropping ransomware payloads, cryptominers, or stealing two factor authentication creds and selling those,” Scheferman said. “What can't you do?"