MikroTik Router Vulnerability: Hackers Inject Crypto-Mining Malware on 200,000 Devices

A public proof of concept for the critical Winbox vulnerability (CVE-2018-14847) has been used to gain backdoor access to more than 200,000 MikroTik routers. Malware campaigns have compromised more than 210,000 routers from Latvian network hardware provider MikroTik across the world.

What is MikroTik?
According to the official website, MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most countries around the world. RouterOS is the operating system of most MikroTik devices. The vulnerability affects all versions of RouterOS from 6.29 (release date: 2015/28/05) to 6.42 (release date 2018/04/20).

The attackers exploit a vulnerability in the Winbox component of MikroTik routers that was discovered in April this year and patched within a day of its discovery. The flaw can allow an unauthenticated remote attacker to gain administrative access to any vulnerable MikroTik router.

Two malware campaigns infected 25,500 and 16,000 MikroTik routers, mainly in Moldova, with malicious cryptocurrency-mining code from the infamous CoinHive service.

The attacks first targeted networking devices in Brazil, where a hacker or group of hackers compromised more than [figure missing] MikroTik routers. MikroTik routers have been targeted to spread malware before: in March this year, a sophisticated APT hacking group exploited unknown vulnerabilities in MikroTik routers to covertly plant spyware on victims' computers.

However, the vulnerability that allowed the firm's routers to be turned into cryptocurrency-mining slaves was no zero-day; it is CVE-2018-14847, a known security bug affecting Winbox for MikroTik RouterOS. Through version 6.42 of the software, remote attackers are able to bypass authentication and read arbitrary files by modifying a request to change one byte related to a session ID, according to the vulnerability description.

A proof-of-concept script, WinboxPoC.py, exploits the vulnerability using either the target's IP address or its MAC address to gain access to the device. The official GitHub repository provides the Python script for the Linux platform. All versions from 6.29 (release date: 2015/28/05) to 6.42 (release date 2018/04/20) are vulnerable. "WARNING EDUCATIONAL PURPOSE ONLY"

How to use
Note that this script will NOT run with Python 2.x. Use only Python 3+.
Winbox (TCP/IP)
$ python3 WinboxExploit.py
User: admin
Pass: Th3P4ssWord

MAC server Winbox (Layer 2)
You can extract files even if the device doesn't have an IP address :-)
$ python3 MACServerDiscover.py

Looking for Mikrotik devices (MAC servers)
$ python3 MACServerExploit.py aa:bb:cc:dd:ee:ff
User: admin
Pass: Th3P4ssWord

Mitigation Techniques
Update your RouterOS to the latest version or the Bugfix version.
Do not use Winbox and disable it :| it's nothing but a GUI for noobs ..
You may use some filter rules (ACL) to deny anonymous access to the router:
ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop
Source: GitHub page
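An added defensive example, not code from this article or from the PoC repository: a Python audit of a RouterOS `/export` dump that checks the mitigations above, flagging a version in the 6.29 to 6.42 range, a Winbox service that is neither disabled nor address-restricted, and the absence of an input-chain drop rule for TCP 8291. The sample exports are constructed, and the `# ... by RouterOS <version>` header line and the `set winbox address=` / `disabled=yes` syntax are assumed from RouterOS export output.

```python
"""Audit a RouterOS '/export' dump for the exposure described above: a build in
the 6.29..6.42 range with Winbox (TCP 8291) neither disabled, restricted nor dropped."""
import re

VULN_RANGE = ((6, 29, 0), (6, 42, 0))   # range quoted in the article, inclusive

def parse_version(export):
    """Exports are assumed to start with '# <date> by RouterOS <version>'."""
    m = re.search(r"by RouterOS (\d+)\.(\d+)(?:\.(\d+))?", export)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def audit(export):
    """Return a list of findings; an empty list means no exposure was found."""
    findings = []
    ver = parse_version(export)
    if ver is None:
        findings.append("version: no RouterOS header found")
    elif VULN_RANGE[0] <= ver <= VULN_RANGE[1]:
        findings.append("version: %d.%d.%d is within the vulnerable range" % ver)
    section, winbox_ok, fw_drop = None, False, False
    for line in (l.strip() for l in export.splitlines()):
        if line.startswith("/"):            # section header, e.g. '/ip service'
            section = line
        elif section == "/ip service" and line.startswith("set winbox "):
            # disabling the service or binding it to a trusted subnet both count
            winbox_ok = "disabled=yes" in line or "address=" in line
        elif section == "/ip firewall filter" and "chain=input" in line:
            if "dst-port=8291" in line and "action=drop" in line:
                fw_drop = True
    if not winbox_ok:
        findings.append("service: winbox enabled with no address restriction")
    if not fw_drop:
        findings.append("firewall: no input-chain drop rule for TCP 8291")
    return findings

# Constructed sample exports (not taken from a real device).
WEAK = """# aug/01/2018 09:00:00 by RouterOS 6.40.5
/ip firewall filter
add action=accept chain=input connection-state=established,related
/ip service
set www disabled=yes
"""
HARDENED = """# aug/01/2018 09:00:00 by RouterOS 6.42.1
/ip firewall filter
add action=drop chain=input dst-port=8291 in-interface=ether1 protocol=tcp
/ip service
set winbox address=192.168.88.0/24
"""
```

Run `audit(WEAK)` to see all three findings and `audit(HARDENED)` to get an empty list.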
