Tag Archive for: MikroTik

Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking

/in


Jul 26, 2023THNNetwork Security / Vulnerability

MikroTik RouterOS Vulnerability

A severe privilege escalation issue impacting MikroTik RouterOS could be weaponized by remote malicious actors to execute arbitrary code and seize full control of vulnerable devices.

Cataloged as CVE-2023-30799 (CVSS score: 9.1), the shortcoming is expected to put approximately 500,000 and 900,000 RouterOS systems at risk of exploitation via their web and/or Winbox interfaces, respectively, VulnCheck disclosed in a Tuesday report.

“CVE-2023-30799 does require authentication,” security researcher Jacob Baines said. “In fact, the vulnerability itself is a simple privilege escalation from admin to ‘super-admin’ which results in access to an arbitrary function. Acquiring credentials to RouterOS systems is easier than one might expect.”

This is because the Mikrotik RouterOS operating system does not offer any protection against password brute-force attacks and ships with a well-known default “admin” user, with its password being an empty string until October 2021, at which point administrators were prompted to update the blank passwords with the release of RouterOS 6.49.

CVE-2023-30799 is said to have been originally disclosed by Margin Research as an exploit dubbed FOISted without an accompanying CVE identifier in June 2022. The security hole, however, was not plugged until October 13, 2022, in the RouterOS stable version 6.49.7 and on July 19, 2023, for the RouterOS Long-term version 6.49.8.

Vulnerability

VulnCheck noted that a patch for the Long-term release tree was made available only after it directly contacted the vendor and “published new exploits that attacked a wider range of MikroTik hardware.”

A proof-of-concept (PoC) devised by the company shows that it’s possible to derive a new MIPS architecture-based exploit chain from FOISted and obtain a root shell on the router.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

“Given RouterOS’ long history of…

Source…

Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own

/in


Latvian network equipment manufacturer MikroTik has shipped a patch for a major security defect in its RouterOS product and confirmed the vulnerability was exploited five months ago at the Pwn2Own Toronto hacking contest.

In a barebones advisory documenting the CVE-2023-32154 flaw, Mikrotik confirmed the issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with enabled IPv6 advertisement receiver functionality. 

According to ZDI, organizers of the Pwn2Own software exploitation event, the vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. 

“Authentication is not required to exploit this vulnerability,” ZDI warned in an advisory.

“The specific flaw exists within the Router Advertisement Daemon. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root,” the company said.

The Pwn2Own organizers decided to go public with an advisory prior to the availability of patches after waiting five months for MikroTik to acknowledge and fix the already-exploited security flaw.

ZDI said it reported the issue to MikroTik during the event last December and asked again for an update in May this year, five months later. On May 10, ZDI said it “re-disclosed the report at the vendor’s request” and gave the company an extra week to provide fixes.

Advertisement. Scroll to continue reading.

In its response, MikroTik said it cannot find a record of the December disclosure from ZDI and that it was not present at the Toronto event in December to discuss the exploit.

Security defects in MikroTik routers have featured in the CISA must-patch list and have been used in the past to build malicious botnets.

Related: Microsoft Releases Open Source Tool for Securing MikroTik Routers

Related: CISA Adds Exploited Mikrotik Flaws to ‘Must-Patch’ List

Related: MikroTik Confirms Mēris Botnet Targets Routers

Related: Tesla Hacked Twice at Pwn2Own Exploit Contest

Source…

TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control

/in


Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers.

“By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems,” Microsoft’s Defender for IoT Research Team and Threat Intelligence Center (MSTIC) said.

Automatic GitHub Backups

TrickBot, which emerged as a banking trojan in 2016, has evolved into a sophisticated and persistent threat, with its modular architecture enabling it to adapt its tactics to suit different networks, environments, and devices as well as offer access-as-a-service for next-stage payloads like Conti ransomware.

The expansion to TrickBot’s capabilities comes amid reports of its infrastructure going offline, even as the botnet has continually refined its features to make its attack framework durable, evade reverse engineering, and maintain the stability of its C2 servers.

Specifically, the new method identified by MSTIC involves leveraging hacked IoT devices such as routers from MikroTik to “create a line of communication between the TrickBot-affected device and the C2 server.”

Prevent Data Breaches

This also entails breaking into the routers by using a combination of methods, namely default passwords, brute-force attacks, or exploiting a now-patched flaw in MikroTik RouterOS (CVE-2018-14847), followed by changing the router’s password to maintain access.

In the next step, the attackers then issue a network address translation (NAT) command that’s designed to redirect traffic between ports 449 and 80 in the router, establishing a path for the TrickBot-infected hosts to communicate with the C2 server.

“As security solutions for conventional computing devices continue to evolve and improve, attackers will explore alternative ways to compromise target networks,” the researchers said. “Attack attempts against routers and other IoT devices are not new, and being unmanaged, they can easily be the weakest links in the network.”

Source...


[the_ad_group id="27628"]

The Mikrotik RouterOS-Based Botnet

/in

  1. The Mikrotik RouterOS-Based Botnet  Security Boulevard

    2. Full coverage

botnet – read more