MikroTik Router Vulnerability: Hackers Inject Crypto-Mining Malware into 200,000+ Devices
Security researchers have published a proof of concept for the critical Winbox vulnerability (CVE-2018-14847), which gave attackers backdoor access to more than 200,000 MikroTik routers. Malware campaigns have compromised more than 210,000 routers from the Latvian network hardware vendor MikroTik across the world.
What is MikroTik?
According to the official website, MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most countries around the world. RouterOS is the operating system of most MikroTik devices. The vulnerability affects all versions of RouterOS from 6.29 (release date: 2015/28/05) to 6.42 (release date: 2018/04/20).
The attackers are exploiting a vulnerability in the Winbox component of MikroTik routers that was discovered in April this year and patched within a day of its discovery. The flaw can allow a remote, unauthenticated attacker to gain administrative access to any vulnerable MikroTik router.
Malware campaigns infected 25,500 and 16,000 MikroTik routers, mainly in Moldova, with malicious cryptocurrency-mining code from the infamous CoinHive service.
The campaign targeted networking devices in Brazil, where a hacker or a group of hackers compromised a large number of MikroTik routers. MikroTik routers are also being targeted to spread malware: in March this year, a sophisticated APT hacking group exploited unknown vulnerabilities in MikroTik routers to covertly plant spyware on victims' computers.
However, the vulnerability that turned the firm's routers into cryptocurrency-mining slaves was no zero-day; it is CVE-2018-14847, a known security bug affecting Winbox for MikroTik RouterOS.
Through version 6.42 of the software, remote attackers are able to bypass authentication and read arbitrary files by modifying a request to change one byte related to a session ID, according to the vulnerability description.
A proof-of-concept exploit for the MikroTik router vulnerability, WinboxPoC.py, has been published: given the target's IP address or MAC address, it can access the device. The official GitHub repository provides the Python script for the Linux pentesting platform. All versions from 6.29 (release date: 2015/28/05) to 6.42 (release date: 2018/04/20) are vulnerable. "WARNING EDUCATIONAL PURPOSE ONLY"
How to use
Note that this script will NOT run with Python 2.x. Use only Python 3+.
Winbox (TCP/IP)
$ python3 WinboxExploit.py 172.17.17.17
User: admin
Pass: Th3P4ssWord
MAC server Winbox (Layer 2)
You can extract files even if the device doesn't have an IP address :-)
$ python3 MACServerDiscover.py
Looking for Mikrotik devices (MAC servers)
aa:bb:cc:dd:ee:ff
aa:bb:cc:dd:ee:aa
$ python3 MACServerExploit.py aa:bb:cc:dd:ee:ff
User: admin
Pass: Th3P4ssWord
Mitigation Techniques
Update your RouterOS to the latest version or to the Bugfix version.
Do not use Winbox; disable it :| it's nothing but a GUI for noobs ..
You may also use filter rules (ACL) to deny anonymous access to the router, for example dropping Winbox (TCP 8291) traffic arriving on the WAN interface:
ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop
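As an added example, not code from the article or from the WinboxPoC project, the following Python script supports the mitigation steps above from the defender's side. It checks a RouterOS version string against the affected range the article states (6.29 through 6.42) and parses the text of the RouterOS command "/ip service print" to report whether the Winbox service on TCP 8291 is enabled without an address restriction. The service-table samples are constructed, and the row layout the parser expects (index, optional X/I flags, name, port, optional address or certificate) is an assumption about that output. Bugfix-channel releases that carry the fix are not listed on this page, so the caller supplies those version strings in patched_bugfix from the vendor advisory.

```python
"""Audit helper for CVE-2018-14847 exposure on a MikroTik router.

Checks the RouterOS version against the affected range given in the article
and inspects '/ip service print' output for an unrestricted Winbox service.
Sample outputs below are constructed, not captured from a real device.
"""
import re

# Affected range as stated in the article, inclusive; "6.42" is read as 6.42.0.
AFFECTED_MIN = (6, 29, 0)
AFFECTED_MAX = (6, 42, 0)

# Accepts "6.42", "6.42.1", "6.43rc4" and an optional channel such as "(stable)".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc\d+)?(?:\s*\(\w+\))?$")

# Assumed row layout: index, optional flags (X disabled, I invalid), name, port,
# then an optional token that is either an address list or a certificate name.
_SERVICE_RE = re.compile(r"^\s*(\d+)\s+([XI]*)\s*(\S+)\s+(\d+)\s*(\S+)?")
_ADDR_RE = re.compile(r"^[0-9a-fA-F.:/,]+$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) for a RouterOS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str, patched_bugfix=frozenset()) -> bool:
    """True when the version falls inside the article's affected range.

    Bugfix-channel releases keep an older minor number but may carry the fix;
    pass their version strings (from the vendor advisory) in patched_bugfix.
    """
    if version.strip() in patched_bugfix:
        return False
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def parse_services(output: str) -> dict:
    """Parse '/ip service print' text into {name: {disabled, port, address}}."""
    services = {}
    for line in output.splitlines():
        m = _SERVICE_RE.match(line)
        if not m:
            continue  # the flags legend and the column header carry no index
        _idx, flags, name, port, extra = m.groups()
        # Only an IP/CIDR-looking token is an address restriction; for the
        # -ssl services the trailing token is the certificate name instead.
        is_addr = bool(extra) and bool(_ADDR_RE.match(extra)) and ("." in extra or ":" in extra)
        services[name] = {"disabled": "X" in flags, "port": int(port),
                          "address": extra if is_addr else None}
    return services


def winbox_exposure(services: dict) -> str:
    """Classify how reachable the Winbox service is from the parsed table."""
    wb = services.get("winbox")
    if wb is None or wb["disabled"]:
        return "disabled"
    if wb["address"]:
        return f"restricted to {wb['address']}"
    return "exposed"


def audit(version: str, service_print: str, patched_bugfix=frozenset()) -> list:
    """Return a list of findings for one router; empty means nothing to report."""
    findings = []
    if is_affected(version, patched_bugfix):
        findings.append(f"RouterOS {version} is in the affected range for CVE-2018-14847")
    if winbox_exposure(parse_services(service_print)) == "exposed":
        findings.append("Winbox (TCP 8291) is enabled with no address restriction")
    return findings


# Constructed sample: default services, Winbox open to any source address.
EXPOSED_SAMPLE = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT ADDRESS           CERTIFICATE
 0   telnet   23
 1   ftp      21
 2   www      80
 3   ssh      22
 4   www-ssl  443                    none
 5   api      8728
 6   winbox   8291
 7   api-ssl  8729                   none
"""

# Constructed sample: unused services disabled, the rest bound to the LAN subnet.
RESTRICTED_SAMPLE = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT ADDRESS           CERTIFICATE
 0 X telnet   23
 1 X ftp      21
 2   www      80   192.168.88.0/24
 3   ssh      22   192.168.88.0/24
 4 X www-ssl  443                    none
 5 X api      8728
 6   winbox   8291 192.168.88.0/24
 7 X api-ssl  8729                   none
"""

if __name__ == "__main__":
    for ver, sample in (("6.42", EXPOSED_SAMPLE), ("6.42.1", RESTRICTED_SAMPLE)):
        print(ver, audit(ver, sample) or ["no findings"])
```

The version check is deliberately conservative: anything inside the page's range is reported unless the caller names it as a patched bugfix release, so a router on an older bugfix branch is flagged for review rather than silently passed. The service check complements the firewall rule above, since an address restriction on the service itself still applies if the WAN filter rule is later removed or the interface is renamed.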
Source: GitHub page