The powerful devices leveraged by the Meris botnet have weaknesses that make them easy to exploit, yet complex for organizations to track and secure, researchers said.
The routers leveraged by the Mēris botnet in a massive distributed denial-of-service (DDoS) attack against Russia’s internet giant Yandex have also been the unwitting platform for numerous cyberattacks, researchers have found. This is due to a persistent vulnerable state that’s difficult for organizations to wrangle, but easy for threat actors to exploit, they said.
Researchers from Eclypsium took a deep dive into the feature-rich small office/home office (SOHO) and internet-of-things (IoT) devices from Latvia-based company MikroTik, which number some 2 million in deployments.
Due to the sheer number of devices in use, their high power and numerous known vulnerabilities within them, threat actors have been using MikroTik devices for years as the command center from which to launch numerous attacks, researchers said.
Eclypsium researchers began exploring the how and why of the weaponization of MikroTik devices in September, based on previous research into how TrickBot threat actors used compromised routers as command-and-control (C2) infrastructure. Eclypsium analysts found that TrickBot also was able to fall back on MikroTik infrastructure after U.S. Cyber Command successfully disrupted its main infrastructure.
“This made us want to better understand the MikroTik attack surface and how attackers might use them once compromised,” they wrote.
In addition to their power, one of the chief reasons MikroTik devices are so popular with attackers is that they are, like many SOHO and IoT devices, vulnerable out of the box. They often come with default credentials of admin/empty password, and even devices that are intended for corporate environments come without default settings for the WAN port, researchers wrote.
Additionally, MikroTik devices often miss out on important firmware patches because their auto-upgrade feature is rarely turned on, “meaning that many devices are simply never updated,” according to Eclypsium.
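As an added example (not from Eclypsium's report or from MikroTik's own documentation), the RouterOS CLI commands below address the three weaknesses just described: the admin account with an empty password, management services reachable from the WAN port, and updates that never run because nothing schedules them. The interface name `ether1` as the WAN uplink, the management subnet `192.168.88.0/24` and the passphrase are assumptions to be replaced with site-specific values.

```routeros
# --- 1. Default credentials: give the built-in admin account a real passphrase.
#        (admin/empty password is the factory state the article describes.)
/user set admin password="REPLACE-WITH-A-LONG-PASSPHRASE"

# --- 2. Exposed management plane: shut off unneeded services and pin the rest
#        to the internal management subnet (assumed 192.168.88.0/24).
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# --- 3. WAN input filtering: allow established/related flows, then drop
#        everything else arriving on the uplink (assumed to be ether1).
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="keep existing sessions"
/ip firewall filter add chain=input in-interface=ether1 \
    action=drop comment="no new inbound connections from the WAN"

# --- 4. Patching: follow the stable channel and install updates on a schedule
#        so the device no longer depends on someone remembering to upgrade.
/system package update set channel=stable
/system scheduler add name=nightly-update interval=1d start-time=03:00:00 \
    on-event="/system package update install"
```

Review the running firmware version against the vendor's release notes for the CVEs named in this article before relying on the scheduled update alone, since a device that has sat on an old release may need a manual upgrade first.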
This has allowed CVEs dating back to 2018 and 2019 — one of which was used in the Yandex attack — to remain unpatched on many devices and ripe for exploitation, researchers said. The bugs tracked as CVE-2019-3977, CVE-2019-3978, CVE-2018-14847 and CVE-2018-7445 can all lead to pre-authenticated remote code execution (RCE) — and a complete takeover of a device.
MikroTik devices also have “an incredibly complex configuration interface” that invites easy mistakes from those setting them up, which allows attackers to easily discover and abuse them over the internet, researchers said.
“The capabilities demonstrated in these attacks should be a red flag for enterprise security teams,” researchers wrote in a report published Thursday. “The ability for compromised routers to inject malicious content, tunnel, copy or reroute traffic can be used in a variety of highly damaging ways.”
These include the use of DNS poisoning to redirect a remote worker’s connection to a malicious website or introduce a machine-in-the-middle attack; the use of well-known techniques and tools to potentially capture sensitive information or steal two-factor authentication (2FA) credentials; the tunneling of enterprise traffic to another location; or the injection of malicious content into valid traffic, researchers said.
Then there was the Mēris botnet attack — which happened soon after Eclypsium began its research. Requests used in the DDoS HTTP-pipelining attack on Russia’s internet giant Yandex in September originated from MikroTik networking gear, with attackers exploiting a 2018 bug unpatched in the more than 56,000 MikroTik hosts involved in the incident.
Eclypsium also found approximately 20,000 devices with open proxies, which were injecting various crypto-mining scripts into web pages.
“These devices are both powerful, and as our research shows, often highly vulnerable,” the researchers wrote, adding that MikroTik devices, beyond serving SOHO environments, are regularly used to run local Wi-Fi networks, which further attracts attention from attackers.
Threatpost has reached out to MikroTik for comment on the researchers’ findings and conclusions.
Researchers used Shodan queries to build a dataset of 300,000 IP addresses vulnerable to at least one of the aforementioned RCE exploits and also tracked where the devices were located geographically, finding that they are “particularly widespread,” they wrote. Researchers found that China, Brazil, Russia, Italy and Indonesia had the most vulnerable devices in total, with the United States coming in eighth on the list.
Eclypsium has created a freely available tool that could allow network administrators to test their devices’ vulnerability, in three ways: Identify MikroTik devices with CVEs that would allow the device to be taken over; attempt to log in with a given list of default credentials; and check for indicators of compromise of the Mēris botnet.
The tool works across the SSH, WinBox and HTTP API protocols, all of which the Mēris malware uses, researchers said. Eclypsium recommended that enterprises using the tool only attempt to log into MikroTik devices that they own and accept liability for their actions.