
A mysterious grey-hat is patching people's outdated MikroTik routers - wglb
https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/
======
AdmiralAsshat
> But despite adjusting firewall settings for over 100,000 users, Alexey says
> that only 50 users reached out via Telegram. A few said "thanks," but most
> were outraged.

Have to wonder if those "outraged" users are ones who would have proactively
fixed it themselves, or if they would've let their router happily continue to
chug away as part of a botnet.

~~~
Swizec
It’s an intrusion.

Would you be outraged if you came home one day and there was a plumber fixing
your sink? “Oh hi, don’t worry about me, just fixing your sink. Let myself in,
hope you don’t mind”

You didn’t even know your sink was leaky let alone called a plumber.

~~~
behringer
Actually I once heard a story of a neighbor who let themselves in when the
house was literally flooding and he saved the owner thousands of dollars worth
of damage. That's more like what's happening with these patched routers.

I also heard a story of a guy whose house burned down. The neighbor saw it
very early and did nothing about it cuz not her problem. The homeowner was
devastated.

So yes, if you see incredible destruction going on, it's ok to go fix it.

~~~
vbezhenar
I've heard that in US you could be shot for trespassing. It might be very
dangerous to try fixing it.

~~~
TeMPOraL
Similarly, unsolicited help with computer infrastructure can land you in jail
under CFAA. No good deed goes unpunished.

~~~
vbezhenar
That's why all good deeds must be done anonymously :)

------
writimov
This particular effort seems to be a mix of fun, braggadocio, and altruism.
Could this sort of thing be organized with a social network and a list of
tasks/problems using a tool like Trello or Jira but for solving any problem?
The result would be anyone in the world could help/volunteer to fix real
problems with free time. Use:

1) Problem is posted
2) Investigated and confirmed to be real
3) Volunteers start to fix and swap solutions
4) Extra people are recruited as necessary
5) Problem is solved and wrapped up

This could be applied to everything from MongoDB security issues
([https://snyk.io/blog/mongodb-hack-and-secure-defaults](https://snyk.io/blog/mongodb-hack-and-secure-defaults))
to cleaning up neighborhood pollution
([http://www.chicagotribune.com/news/local/breaking/ct-chicago...](http://www.chicagotribune.com/news/local/breaking/ct-chicago-air-quality-testing-met-20171111-story.html)).
Thoughts? Does this exist already?

~~~
jVinc
Yes... volunteer work already exists. Suggesting that it could be organized
through Trello or Jira doesn't really add any revolutionary element. And many
volunteer organisations already have planning solutions.

~~~
et2o
Why so negative?

~~~
zenojevski
This is not at all negative.

Imagine parent telling some underground rebel group that their revolution
would be more successful if they organized it with Jira.

Meanwhile, this concern is so far away from the rebels, who are doing just
fine with pen and paper, and are more concerned with basic needs like
surviving undetected.

People are of course excited by this initiative, and wish to contribute how
they know. Except what they have is hammers, and there are no nails to be
seen.

It looks like you are helping, but you are only diluting the focus from what's
important to what's easy to mindlessly talk about in a forum.

It looks like people are trying to organize how to organize, instead of
actually organizing anything. It's like the difference between being a writer
and a word processing expert.

~~~
jsight
I think you have a point, but unfortunately I didn't get it from your first
comment either. It read as a pretty negative comment.

It sounds like the point that you are making is reasonable, though, and
unfortunately one that I see play out with a lot of FOSS projects as well. I
remember a talk one time where a project lead essentially made the point that
every new talk is met with a lot of "I'll setup CI for you" and "I'll setup
JIRA for you", but that none of the people who say those things end up
contributing code or issues.

For some reason there is a natural desire among some to organize the
organizing before the thing to be organized really exists.

~~~
zenojevski
Note: I was not the original poster; his comment simply rang very true to me.
"Lean" has been a motif in my work, as the complexity of precious time and
resource management increases.

Contributions are all well-intentioned, but they cost resources, especially if
you're not great at ruthlessly filtering out, or don't want to, for any
reason; they generate a lot of heat where this energy can't be used.

Also, well-intentioned contributors will set up grandiose structures, with no
intention other than "to help", but no actual will to carry the actual work
out. This usually turns into a wasteland after a while, which is not so much a
problem until you realize you have to support it; or worse, it overshadows
the original, leaner-but-actually-productive intent.

> For some reason there is a natural desire among some to organize the
> organizing before the thing to be organized really exists.

I think this is why we have so many engines which have no games written for it
:D

~~~
jsight
It is amazing how closely this matches my experiences. I've been on projects
where we were forced to accept "gifted" code that was a tremendous difficulty
to actually maintain and fix to a maintainable state. Of course, the whole time
lots of people wondered why it couldn't just be merged without testing or
anything.

It is very easy for software contributions to create lots of friction and your
analogy to heat and energy loss is really great, IMO.

------
commandlinefan
I remember once, when I had an unpatched computer overrun by hostile viruses
that rendered it unusable, wondering if one of the botnet-type viruses that
want to take over your computer and use it without being detected would
someday get smart enough to recognize other viruses and automatically remove
their competition so that they could continue to silently infect you. Like a
biological virus, one that kills the host is an ineffective one - they want to
use the host's resources while not being noticed. I wonder if this is something
like that - virus writers starting to get smarter about cleaning up behind
them and keeping out competing malware.

~~~
iodiniemetra
This has been happening for years, especially in the "botnet community".
Either someone takes down someone else's botnet through the same bug and
patches it, or figures out a bug in the botnet and caps it for themselves (for
example, getting ops in the CNC channel). I think Microsoft has even done this
in cooperation a few times; it's dubious legal territory.

You can see some historical examples, both recent (Mirai had some viruses that
went around closing the bug), as well as further in the past (there's one that
escapes me, it must have been around 2010?)

I wish I could cite more, I'm going to spend some time researching this and
make a list for myself, it's surprisingly interesting!

------
spappal
This reminded me of last year's "BrickerBot" malware [0] by grey-hat The
Janit0r / The Doctor who bricked IoT devices with the stated purpose of
preventing the same devices from being hacked by botnet-malware, which
allegedly puts the whole internet at risk.

[0] [https://www.bleepingcomputer.com/news/security/brickerbot-au...](https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/)

------
philamonster
Devices at a vulnerable RouterOS version and not already compromised would not
be vulnerable if the firewall was enabled. It's that simple. Not great that
these boxes used to ship in this default state, and I can _understand_ a home
user unfamiliar with what they're dealing with, but what reason is there for
deploying infrastructure this way at an ISP or hospital or whatever org?

~~~
r1ch
I think there's still a lot of blame on Mikrotik for having such bugs in their
management service and other daemons. I explicitly opened up the winbox port
to be able to remotely manage Mikrotik routers I deploy (I considered their
VPN implementations to be an even higher attack surface), as did many other
admins it seems.

The winbox protocol supposedly runs over TLS and requires a username/password
before anything is possible so I thought it should be safe enough, but through
this bug anyone can download any file with no authentication (and the user db
was storing passwords in plaintext which certainly didn't help)!

The web server vulnerability, sshd vulnerability, the smbd vulnerability - all
are their fault. Had they used standard, well-tested open source packages
there would be no problems, but they had to write their own custom
implementations of these protocols for "reasons". I hate to think how many
remotely exploitable bugs are lurking in their ipsec implementation.

~~~
sathackr
Vulnerabilities are almost unavoidable.

Leaving a management port on a router open to the entire internet is a very
bad practice. Would you leave an RDP port open to the world?

If you require remote access, at least restrict it to known management IP
addresses.
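
The "restrict it to known management IP addresses" advice in RouterOS terms, as an added example (not from the thread or from MikroTik). It assumes ether1 is the WAN interface and 203.0.113.10 is the admin workstation, both placeholders; 8291 is winbox's standard TCP port.

```routeros
# Added example, not from the thread or from MikroTik.
# Assumptions: WAN interface is ether1, admin workstation is 203.0.113.10
# (both placeholders). Winbox listens on TCP 8291 by default.

# Weak: the management port is reachable from anywhere on the internet
# (what r1ch describes doing). Shown commented out, do not apply.
# /ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept

# Hardened: name the management hosts once, in an address list...
/ip firewall address-list add list=mgmt address=203.0.113.10 comment="admin workstation"

# ...then only accept winbox from that list, and drop everything else
# arriving on the WAN that is not part of an existing session.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="existing sessions"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept comment="winbox from mgmt only"
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="drop all other new input from WAN"

# Second layer: bind the service itself to the management address and
# switch off services you do not use, so a firewall mistake is not fatal.
/ip service set winbox address=203.0.113.10/32
/ip service disable telnet,ftp,www

# Check: only winbox (restricted) and whatever you intentionally left on.
/ip service print
/ip firewall filter print
```

Order matters: the drop rule must come after the accept rules, and the address list should be edited from a management host so you do not lock yourself out.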

~~~
DATACOMMANDER
Why is it that vulnerabilities are almost unavoidable? I’m not trying to be a
smart-ass; I’m an analyst at an MSP and I’m doing my first pen-test soon. I’m
under no illusions that my job title or growing responsibilities make me a
security expert (or anywhere near it). Is it because the software stack is
just too complex for network programmers to handle? (Not that router OSes are
the only pieces of software that have vulnerabilities; and I imagine that
you’d say that vulnerabilities are almost unavoidable in general.)

~~~
toomanyrichies
I'm not an expert either, so take this with a grain of salt. At the risk of
sounding glib, I'd think the biggest cause of this unavoidability is that
security professionals have to be "right" (in the sense of plugging every
hole) every time, whereas black-hats need to be right (in the sense of finding
said vulnerabilities) only once (or a few times depending on the vector, but
you get the idea). Being on a Blue Team strikes me as a hard, thankless job,
and I'm grateful for the people who volunteer for it.

------
wjp3
Back in college (early 90's) I would run ToneLoc overnight, and wake up to
view the results. One time I had a hit, and I ftp'ed into some server on
Mindspring's customer IP range.

A quick look at the system told me the root account had no password set. So I
tried a telnet and wham - I was in.

A 'who' showed someone else was logged in. So I sent a broadcast message to
them saying they need to secure their system better, and logged out.

I had the habit of using an obscure hotmail email to log into FTP servers, and
had done that here. I was surprised to see an email from the owner - wanting
to know how I found his system, etc. He was nice, but I didn't reply.

~~~
iforgotpassword
> He was nice, but I didn't reply.

Noooooo. Story started off well and then you tree fiddied me!

------
tenpo
Not sure what they mean by "mysterious". He isn't hiding and never was. He
posted his photo, name and other personal details in articles about MikroTik
on a Russian IT blogging platform [1]. His name is Alexey Sopov, 34, from
Novosibirsk. A quick search revealed his social network accounts:

[https://fb.com/100005153643926](https://fb.com/100005153643926)

[https://vk.com/lmonoceros](https://vk.com/lmonoceros)

[1] [https://habr.com/post/353530/](https://habr.com/post/353530/)

~~~
netsec_burn
Clickbait?

~~~
ccnafr
Probably the journalist didn't want to get this guy in trouble for doxxing
him.

I'm pretty sure the FBI would love to arrest him by now. Just like
MalwareTech.

------
ccnafr
The very last paragraph kinda makes me feel bad for MikroTik, but I'd like
them to add an auto-update feature to their routers. Probably fix all these
issues.

~~~
AdmiralAsshat
An "automatic" update that would potentially cause the router to reboot and
bring down the network would go over very poorly with customers, even if it
happens at 3 AM.

A better solution would be automatically _checking_ for updates, and then
sending an e-mail notification to the address associated with the router's
owner/sys admin.

I "registered" my router and email address with Netgear about a year ago and I
was shocked a few months ago when they actually sent me an e-mail to let me
know that a new firmware update was available for my router.

~~~
394549
> An "automatic" update that would potentially cause the router to reboot and
> bring down the network would go over very poorly with customers, even if it
> happens at 3 AM.

Maybe the trigger for the automatic reboot could be more complicated than
just a time-based trigger. Something like

    Reboot when
        localtime > 2AM &
        localtime < 5AM &
        traffic averaged over the last 5 min < 5kbs

Basically reboot unless the router detects the network is being used actively.

~~~
macintux
Of course, if you're on vacation and relying on that router to be available
for security cameras, an automatic firmware update that results in a bricked
router can be more than a little disruptive.

~~~
394549
It's a tradeoff. You have to balance that negative against the negative of
having botnets of millions of never-patched routers.

Automatic updates should be the default, but you should be able to shut them
off if you want to make a different tradeoff.

~~~
TeMPOraL
Automatic security updates should be the default, all other updates should
absolutely _not_. In case of patching routers there isn't much crapware to be
upsold, but in general, if we're ever going to develop some code of ethics in
this industry, I wish a part of it would be a rule of hard separation between
security patches and feature updates, and another rule that the latter should
never be done automatically without explicit opt-in.

Yes, it's extra work for developers, but the result of not doing that is the
present situation - a lot of users, including a surprisingly large population
of non-tech-savvy people, will go out of their way to shut down automatic
updates, to avoid having to deal with broken workflows, upselling, ads
sneaking in, and forced reboots in the middle of a business presentation or a
game (or a surgery).

~~~
yuhong
Automatic updates have some of the same issues as telemetry. Windows Update for
example has to send information on things like drivers to scan for updates.

------
madrox
Reminds me of a black hat I knew in the 90s. He bragged that if he ever gained
access to a system, he'd start patching vulnerabilities so others wouldn't
gain access and make it obvious the machine had been compromised.

~~~
Ensorceled
I can attest that there was at least one such black hat in the 00's.

One of my IT guy's mom complained about her machine being slow and having "too
many pop ups", so he planned to go to her place on the weekend and fix it. She
called back a couple of days later and told him not to bother as it was "all
fixed now".

o.O

I lent him one of our loaner laptops and he brought her computer in and
put it on our test DMZ to see what was up. Yep, somebody had scrubbed all the
malware and "search bars" off the machine and installed a free anti-virus
package. The exceptions on the anti-virus made it easy to track down what was
happening; it was set to send spam every night between 1am and 7am but
otherwise was pristine.

My colleague had to do some serious soul searching before he decided to wipe
it instead of just returning it ...

------
deckar01
> As for MikroTik, the Latvian company has been one of the most responsive
> vendors in terms of security flaws, fixing issues within hours or days,
> compared to the months that some other router vendors tend to take. It would
> be unfair to blame this situation on them. Patches have been available for
> months, but, yet again, it is ISPs and home users who are failing to take
> advantage of them.

A system that requires users to opt in to security is not a secure system.

~~~
NelsonMinar
OTOH people would scream bloody murder at a router that installed firmware
updates and rebooted itself without asking. Just look at the reaction to how
Windows 10 handles updates.

~~~
Avamander
It's time MT got something like unattended upgrades.

~~~
isostatic
It's trivial to script on a MikroTik. Arguably it should be in the default
config - most people who know what they're doing will start with a blank slate
anyway (/system reset-configuration no-defaults=yes)
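
The time-and-traffic trigger 394549 sketched above, written as the kind of RouterOS script isostatic is talking about. This is an added example, not from the thread or from MikroTik; it assumes ether1 is the WAN interface, takes the 02:00 to 05:00 window and the 5 kbit/s threshold from the sketch, and relies on the RouterOS v6 "New version is available" status text, which you should check against your version.

```routeros
# Added example, not from the thread or from MikroTik.
# Assumptions: WAN interface is ether1; window and threshold come from
# 394549's sketch; status string is the RouterOS v6 wording.
/system script add name=quiet-update source={
    :local now [/system clock get time]
    # Only act inside the maintenance window.
    :if ($now >= 02:00:00 && $now <= 05:00:00) do={
        # Sample WAN throughput five times, one minute apart, and average it
        # (monitor-traffic reports bits per second).
        :local total 0
        :for i from=1 to=5 do={
            /interface monitor-traffic ether1 once do={
                :set total ($total + $"rx-bits-per-second" + $"tx-bits-per-second")
            }
            :delay 60s
        }
        :local avg ($total / 5)
        :if ($avg < 5000) do={
            # Synchronous check; install downloads the packages and reboots.
            /system package update check-for-updates once
            :if ([/system package update get status] = "New version is available") do={
                :log warning "quiet-update: installing RouterOS update, router will reboot"
                /system package update install
            } else={
                :log info "quiet-update: already up to date"
            }
        } else={
            :log info "quiet-update: link busy ($avg bps), skipping tonight"
        }
    }
}
# Run it once a day, inside the window; the script re-checks the clock itself.
/system scheduler add name=quiet-update start-time=02:30:00 interval=1d on-event=quiet-update
```

The script only reboots when both conditions hold, so a night with sustained traffic simply defers the update to the next run; macintux's bricked-router concern is not addressed by this and still argues for an opt-out.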

------
ryandrake
If only ISPs would start disconnecting negligent customers who continue to use
exploited or vulnerable equipment. The incentives are not right. If they did,
they’d risk losing a paying customer, if they don’t, nothing bad really
happens to them. I hate suggesting regulations and fines but it’s the only
thing end users and ISPs will respond to.

~~~
samat
Most of these devices are provided by ISPs so it's they who are negligent. :)

------
Snawoot
Original post from Alexey at habr.com (Russian IT community):
[https://habr.com/post/424433/](https://habr.com/post/424433/)

------
ristic
Would have been nice if he got around to the router at our office, we got
cryptojacked: [https://imgur.com/a/Q7Pmxth](https://imgur.com/a/Q7Pmxth)

------
some1else
Some black hats also patch the systems they compromise. Depends on the
purpose.

------
anonnel
Normally HN is not a place for memes, but I feel this is appropriate

[https://m.imgur.com/JxH0lUT?r](https://m.imgur.com/JxH0lUT?r)

------
paulie_a
Just start bricking them. It's a public service to the internet as a whole.

------
mathieubordere
Hats off to this guy.

------
Krasnol
I had one once and I can recommend the "MikroTik Security Guide" by Tyler
Hart.

It's quite an easy step by step guide.

------
electricwater
This is hollywood material.

------
ratsimihah
Patch me daddy

