
200,000+ MikroTik routers worldwide compromised to inject cryptojacking malware - pjf
https://badpackets.net/200000-mikrotik-routers-worldwide-have-been-compromised-to-inject-cryptojacking-malware/
======
hendry
IMHO Mikrotik are being sloppy by introducing breaking changes to their stable
channel. Hence ISPs are reluctant to update automatically, fearing some subtle
bridge/VLAN change which is sadly set to happen again (6.43 -> 6.44!). Also
doesn't help that the underlying Linux stable kernel updates more than once a
week.

Every Internet connected device needs some automatic update functionality by
default. It's tricky for routers since you typically do not want _any_
downtime and it's _really difficult/expensive_ (well, at least 2x the cost
for hardware alone) to do a blue/green (or is it red/black?) deployment. Not
to mention since Mikrotik is low end, there is _no state replication
functionality between routers_.

Here is a config for Mikrotik that updates my non-ISP hardware once a week at
3AM:
https://gist.github.com/kaihendry/59a656c3883450d2df2fd52574f43b4c

And when the ISP opts out of the suggested automatic update default, they need
to make the commitment to test and roll up updates in a timely fashion. As we
all know this is hugely expensive, and I strongly believe a vendor/"computer
program" should be able to provide this service. Customers with these ISPs who
didn't update are probably seeing some crazy packet loss.

So the future I'd like to see is Mikrotik updates being automatic, staged to
some degree & ultimately non-breaking. Cons are downtime for some & I guess
allowing your device to be remotely controlled by Latvians. ;)
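
A scheduled unattended upgrade of the kind hendry describes, as an added example: this is neither the linked gist nor MikroTik's own code. It assumes RouterOS 6.43 or later, where the update channels are named long-term/stable/testing (bugfix/current on earlier 6.4x builds), and that the router is allowed to reboot on its own at the scheduled time; the script name, the backup file name and the log text are my own choices.

```routeros
# Added example: weekly unattended upgrade at 03:00 on a RouterOS 6.43+ device.
# "stable" is the channel hendry runs; "long-term" is the bugfix-style channel
# philamonster mentions (the names differ on older 6.4x releases).
/system package update
set channel=stable

# The script the scheduler runs. The "reboot" policy is required because
# "install" reboots the device; "write" is needed for the backup file.
/system script
add name=weekly-upgrade policy=read,write,reboot,policy,test source={
    /system package update check-for-updates once
    :delay 10s
    :local cur [/system package update get installed-version]
    :local new [/system package update get latest-version]
    :if ($cur != $new && [:len $new] > 0) do={
        # Keep a binary backup of the running config beside the upgrade so a
        # bad release can be rolled back with Netinstall plus a restore.
        /system backup save name=("pre-upgrade-" . $cur)
        :log warning ("weekly-upgrade: installing " . $new . " over " . $cur . ", router will reboot")
        /system package update install
    } else={
        :log info ("weekly-upgrade: " . $cur . " is current, nothing to do")
    }
}

# Fire every 7 days at 03:00 local time. Set /system clock (or NTP) first so
# the router's idea of 03:00 matches yours.
/system scheduler
add name=weekly-upgrade-03h start-time=03:00:00 interval=7d on-event=weekly-upgrade
```

The explicit version comparison, rather than installing blindly, is what keeps the router from rebooting on weeks where nothing changed; the `[:len $new] > 0` guard covers the case where the update check failed (no reachable update server) and `latest-version` came back empty.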

~~~
philamonster
Are these changes coming in bugfix channel as well? I'm currently in holding
pattern going from 6.40.9 to 6.42.9 due to master > slave to bridge change
which occurred in March I believe. Point is bugfix seems to be less affected
by major changes like this (first I have experienced in 3 years).

~~~
hendry
tbh I think you should be good with bugfix. I've not tried, just going on what
others have said to me.

I'm a stable-updating kind of guy.

------
Tharkun
So ... which SoHo router manufacturer can we actually trust? It seems pretty
common in this industry to either not supply security updates, or to only
supply them for a very short amount of time.

~~~
pilsetnieks
Mikrotik is trustworthy enough. The update that fixed this was released in
April, the first exploit appeared a few months later but this story gets
regurgitated every couple of weeks because so many people use insecure
configurations and don't bother upgrading their routers.

As to their update availability - I'm fairly certain I could take something
they manufactured 15 years ago and update it to the current version, as it all
uses the same OS, and they still support every architecture they've used.

~~~
sbradford26
I wonder how networking equipment manufacturers can motivate regular users to
update their equipment more regularly? Auto update would seem like a logical
one, but plenty of people have reasons not to update and don't want their
router going down at times they cannot control.

~~~
lousken
For most people the router is something they don't want to touch and sometimes
they don't even have access to it because it's managed by somebody else.

But as the first comment says - introducing breaking changes is not acceptable
and they should appear only in major releases. And then those security
bugfixes should be backported on all major versions which were released at
least 5 years back. Yesterday I upgraded mikrotik from 6.14 to 6.42 and it
took me 30 minutes of additional configuration to get everything working
again.

Also mikrotik collects a lot of network stats so implementing an algorithm
which would restart the router when there's usually the least amount of
traffic should be feasible - those updates take less than a minute so it's not
like Windows 10.

------
hkt
[http://pcengines.ch/](http://pcengines.ch/) APU2 plus debian. Be secure.
Maybe I'll tidy up the ansible I use for this and publish it.

~~~
MikusR
So those don't need updates?

------
have_faith
If you have a currency that can be generated via compute power the incentive
structure it creates is to take over as much compute power as you can. Does
the incentive structure represent a serious design flaw in the system for
widespread adoption?

~~~
SuoDuanDao
I would say it's a consequence of computer power becoming commoditized - the
flaw might be that using computer power in the past can be 'stored', unlike
hijacking someone else's computer and renting it out as server space, there's
a point in this kind of crime where one has the profits and got away with it.

I just had this thought and want to get it down, apologies for the rant: I
suspect that philosophically, the basic measure of our economy has been units
of energy, but it's transitioning to units of power. The 'subscription model'
most businesses are transitioning to seems to be an early recognition of that
fact. Server space, similarly, isn't really something one can store as easily
as gold or gasoline - it's only valuable while in use and degrading whether
it's in use or not. Our whole concept of currency may be based on an idea of
'stored' value, analogous to swapping joules, while we should be thinking
about 'sources' of value - swapping watts. I think the trouble is that renting
(or hijacking) servers is accounting in terms of watts, while currency is
accounting in terms of joules. The accounting of the two types of approaches
may not be as easily reconcilable as it seems at first.

~~~
Tae3cahN
I think both types of currency are important. Humans have basic needs which
need to be met in the shape of atoms and joules which are quite storable. We
also have luxury wants which translate better to watts. This separation might
also be useful in the context of UBI schemes. And more generally I have a gut
feeling, but can't quite substantiate, that many fairness problems stem from
using the same currency for both, forcing the lower classes to work multiple
jobs just to make basic needs while the haves compete with them just to
improve their lifestyle and status.

~~~
SuoDuanDao
Fascinating! That makes excellent sense.

------
pjf
this is getting even bigger: 421K+ routers compromised -
[https://twitter.com/bad_packets/status/1050533001824595968](https://twitter.com/bad_packets/status/1050533001824595968)

------
philamonster
Ha!

https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/

------
hkt
Does anyone know if Ubiquiti's edgerouters are any good?

~~~
NoErx
I have an EdgeRouter X and I'm searching for a replacement.

EdgeRouter X issues:

* 3.10 kernel. This is out of LTS support.

* Poor IPv6 support. The GUI has practically 0 support and you instead have to learn EdgeOS config, and it's awkward.

I'm happy to use EdgeRouter X as a switch, so I'm looking for a SBC that can
act as router/firewall and run vanilla Debian.

~~~
NoErx
Scratch that. Upon reading VyOS's docs for the EdgeOS config (which has
relatively poorer docs), it has strong advantages: commit/rollback, single
config file, and Ansible has an EdgeOS module included by default to
coordinate that.

------
shakna
I guess nobody listened [0].

But considering some of the comments on that thread, I'm not entirely shocked.

> Attackers will not be able to use that, nor will they care.

> If you're exposing that unfettered to the web at large, imo you deserve what
> you get.

Did no one really think 200,000 devices was a worthwhile target?

[0]
[https://news.ycombinator.com/item?id=18166003](https://news.ycombinator.com/item?id=18166003)

------
lowry
I have several hAP ac Mikrotik routers and upgrading them is a pain. You can
not just download an image from their website, flash and reboot. If you do so,
your router will likely be locked in a bootloop.

I managed to have consistent upgrades by using only the main package and
Netinstall, but it is still a huge pain in the ass.

Mikrotik makes stable routers, but they messed up the upgrade process
completely.

~~~
philamonster
Huh? With the exception of them converting all master > slave port configs to
bridges in 6.41 I believe, I have never had any issues using System > Packages
> Check for updates, selecting bugfix as opposed to current branch and
downloading and installing in Winbox. SwOS devices I need to download a binary
and upgrade through web (no Winbox) but still have never had any issues.

~~~
lowry
Try doing it through the web interface, you'll be unpleasantly surprised.

I just upgraded my last hAP ac from 6.39.2 to 6.42.9 through the web
interface, entered the bootloop, then did the Netinstall of the system package
only, then _manually_ restored the configuration.

~~~
24gttghh
This is why we do backups :) I always assume something will go wrong, but make
sure to have a backup of any critical device that is being updated (mikrotik
or not).

Did your hAP run out of flash disk space? I notice that it only has 16MB.

~~~
philamonster
I recently purchased their outdoor wAP ac (same amount of flash) that deletes
any "backups/exports" on disk after reboot. I'm not familiar with CAPsMAN but
I wonder if there's a mechanism to backup to either the controller or external
repo. There's always the scripting route to ship configs elsewhere etc.

~~~
24gttghh
I email the backups to myself (routerOS scripting) using a dedicated gmail
account, but the backup is also written to an external USB stick on my device.
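
The scripted backup 24gttghh describes (mailed off-box, plus a copy on a USB stick), as an added example that is not 24gttghh's own script. The SMTP server, the two e-mail addresses and the backup password are placeholders, and the USB stick is assumed to be mounted as `disk1`; the file naming and log text are my own. The binary `.backup` holds every secret on the router, so it is saved with a password, and the `.rsc` export is kept alongside it because it is readable and diffable.

```routeros
# Added example: nightly configuration backup, e-mailed off-box and copied
# to a USB stick. Placeholders: smtp.example.com, the two addresses and the
# backup password; "disk1" assumes a USB stick mounted under that name.
/tool e-mail
set address=smtp.example.com port=587 start-tls=yes \
    from=router@example.com user=router@example.com password=PLACEHOLDER

/system script
add name=nightly-backup policy=read,write,test source={
    # Per-device, per-day file name. /system clock returns e.g. oct/12/2018;
    # the slashes would be read as directories, so they are stripped.
    :local id [/system identity get name]
    :local day [/system clock get date]
    :local stamp ([:pick $day 0 3] . [:pick $day 4 6] . [:pick $day 7 11])
    :local fname ($id . "-" . $stamp)

    # Encrypted binary backup (it contains every secret on the box) plus a
    # human-readable export for diffing against the previous night's copy.
    /system backup save name=$fname password=PLACEHOLDER
    /export file=$fname

    # Second copy straight onto the USB stick, so a flash wipe on reboot
    # (as philamonster saw on the wAP ac) does not take the backup with it.
    /system backup save name=("disk1/" . $fname) password=PLACEHOLDER

    :delay 5s
    /tool e-mail send to=backups@example.com subject=("backup " . $fname) \
        body="RouterOS backup attached" file=($fname . ".backup")
    /tool e-mail send to=backups@example.com subject=("export " . $fname) \
        body="RouterOS export attached" file=($fname . ".rsc")
    :log info ("nightly-backup: saved and mailed " . $fname)
}

/system scheduler
add name=nightly-backup-02h start-time=02:00:00 interval=1d on-event=nightly-backup
```

Schedule the backup an hour before any unattended upgrade window so the most recent restore point always predates the reboot, and test a restore from the mailed file once rather than discovering on the day that the password or the mail setup was wrong.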

------
throwaway9d0291
I'm really curious, where are these routers? The problem is that the admin
interface port is exposed to the internet, which is something any competent
administrator would ensure isn't accessible. So are there incompetent admins
managing 200k devices or is someone distributing these to residential users?
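
The "admin interface not reachable from the internet" state throwaway9d0291 expects, spelled out as RouterOS configuration; this is an added example, not anything from the article. `ether1` as the upstream port and `192.168.88.0/24` as the management LAN are placeholders, and which services stay enabled depends on what you actually administer the box with.

```routeros
# Added example: keep RouterOS management services off the WAN side.
# Placeholders: ether1 is the upstream (WAN) port, 192.168.88.0/24 is the
# management LAN.

# 1. Bind each management service you keep to the LAN prefix and disable the
#    rest (telnet/ftp/api are rarely needed on a home or small-ISP edge box).
/ip service
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www address=192.168.88.0/24
disable telnet,ftp,api,api-ssl,www-ssl

# 2. Belt and braces: the input chain (traffic to the router itself) drops
#    anything arriving on ether1 that is not a reply to the router's own
#    outbound traffic, so a service left on a public address is still closed.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to the router's own traffic"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 action=drop \
    comment="no new connections to the router from the WAN side"

# 3. Check the result: every enabled service should show the LAN prefix.
/ip service print
```

The two layers are deliberate: the `address=` restriction protects the service even if a firewall rule is later reordered, and the input-chain drop protects the router even if someone re-enables a service and forgets the address filter.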

~~~
philamonster
When I first started reading about these reports over the past week I believe
around 90%+ were in Brazil. If you peruse BPR timeline on Twitter they mention
type of orgs using them. One of the hardest hit I believe was an ISP in Arizona
or New Mexico, US.

------
megous
It's good to regularly update your router.

