
MikroTik routers are forwarding owners’ traffic to unknown attackers - DyslexicAtheist
https://blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/
======
r1ch
It's worth pointing out that the default configuration of almost every
Mikrotik router these days comes with a firewall that blocks inbound access to
all ports. Admins have to go out of their way to expose winbox to the internet
(as many did - including myself - under the belief the protocol was somewhat
secure running over TLS).

Unfortunately NIH syndrome runs at an all time high at Mikrotik. Even the
RouterOS webserver and SMB implementations were custom written, and both were
later found to contain remotely exploitable bugs. I'm sure there are other
holes lurking in their implementations of ipsec, openvpn, etc, so I no longer
open up anything and rely on port forwarding to more secure and battle-tested
services like OpenSSH / Wireguard for remote management.

~~~
eps
This explains a lot.

Mikrotik boxes are really quirky. They basically have user-facing bugs,
symptoms of which can have no explanation except for them fronting some
massive clusterfuck on the inside. They used to do bizarre things with
timestamps of freshly copied files, when the modified time would _oscillate_
around some convergence point. Some weird directory names (like .popup ?) were
reserved for no apparent reason and an attempt to create them failed with
"file not found". That sort of thing. And we even didn't own any of their
devices, we were just in a splatter zone from our clients constantly walking
into Mikrotik issues. It was a few years ago though, so perhaps things have
improved since then.

~~~
r1ch
I've been using MT gear for about 10 years now. I actually think the devices
themselves are very solid once they're up and running. I've had some running
for years without any issues (try that with most other SOHO router brands!),
though reboots are much more frequent these days due to security updates. I do
agree though that the software side of things can be a bit quirky and the
recent security issues are a worrying glimpse into the quality of their code.
In general I wish the platform was more open (you can't even get a shell
without rooting the device), but it's something I can live with at this price
point.

Unfortunately given their affordability and feature set, Mikrotik routers are
often times administered by people who don't really have a solid grasp of
networking. I've seen some downright awful advice posted on their user forums
over the years, stuff that could easily cause connectivity issues under the
right circumstances. Who knows how much of that gets copy/pasted into configs
after a quick Google search.

------
kibwen
Can anyone suggest a wireless router that someone can buy today that either
ships with or can be flashed with OSS firmware? I've been trying to shop
around for one compatible with DD-WRT or OpenWRT and been rather disheartened
so far; every promising model I've found either requires you to play roulette
with the specific hardware version of the router that you receive (which is
never advertised on product pages), or is out of stock entirely, or costs
upwards of $250 (which is tough to sell to my friends, when their ISP charges
$10/mo to rent a router with much less hassle).

~~~
arminiusreturns
Ubiquiti EdgeOS based edgerouters are what I prefer as a greybeard sysadmin
type who has dealt with everything under the sun. It's VyOS (Vyatta) based,
they are now complying with gpl afaik, and their hardware is really good for
the price/performance ratio. The edgerouter-x or lite can be found for ~$99
and is a great piece of gear.

Another option would be your own hardware with pfsense (bsd) or ipfire(linux).

Even further would be your own hardware with linux and write your own nftables
or bpf.

~~~
nvarsj
The ERL family is pretty bad as a router, in my experience. There is a
longstanding firmware issue that introduces packet loss for routed packets (it
doesn't multiplex across the dual cores correctly, which leads to out of order
packets). If you really want to use Ubiquiti, I would suggest using an ER-X
which is cheaper, doesn't have this problem, and is quadcore.

The best option in my opinion is something Intel based running a well known
Linux distro with automated security updates that is fully in your control.
Shorewall can do everything needed for a home router. This option is a lot
more expensive though.

~~~
Bluecobra
Interesting that the more expensive router has this problem. I've been really
happy with my ER-X, it works great with my internet service (500Mbs up/500Mbs
down). I had some speed issues at first but this was solved by upgrading to
the latest firmware and making sure hardware offloading was enabled.

~~~
larkost
I was a bit annoyed that hardware routing is not automatically enabled for
setups that can use it. It is not hard, but you have to stumble upon the fact
that that setting exists (only on the command line).

~~~
Kadin
My recollection is that it's not enabled by default because there were (are?)
some features that don't work once you enable it. I assume it's the Deep
Packet Inspection and advanced routing type stuff.

(Sadly my home internet connection is too slow to make hardware offloading on
the edge router matter...)

------
hrudham
My MikroTik started going nuts late last week; it managed to upload ~90Gb
worth of data in 3 days (downloads weren't nearly as bad). Considering I only
have a 300Gb cap, that hurt. I subsequently re-flashed it, and secured it
properly this time, which solved the issue.

Using the hardware reset button doesn't fix things, so heads up for others in
that situation. Use MikroTik's NetInstall to re-install RouterOS instead.

------
paul7986
Curious is this the VPNFilter malware or some new router virus?

Lately I’ve been having IP & Internet issues like....

- match suddenly banned me as a subscriber to okcupid and match. They won't
tell me why either & I've been a subscriber on/off for years. Never or ever
would I do anything inappropriate though my match.com account I feel was
hacked. Yet they don't want to listen :-(

- my 6 month old roku device suddenly would no longer find my router.

- yesterday just bought a new Roku & was unable to activate it after many
attempts.

Anyone else having weird Internet/IP device issues too?

------
baybal2
>MikroTik is a Lithuanian company founded in 1996 to develop routers and
wireless ISP systems.

Mikrotik is Latvian, not Lithuanian.

------
isostatic
My home router has the following:

      /ip firewall filter
      add action=accept chain=input connection-state=established
      add action=accept chain=input connection-state=related
      add action=accept chain=input dst-port=5000 protocol=udp
      add action=accept chain=input dst-port=6000 protocol=udp
      add action=accept chain=input dst-port=6001 protocol=udp
      add action=accept chain=input protocol=icmp
      add action=accept chain=input dst-port=22 protocol=tcp src-address-list=Mgmt
      add action=accept chain=input dst-port=179 in-interface-list=LAN protocol=tcp
      add action=drop chain=input in-interface=btopenreach
      add action=drop chain=input

Clearly it's possible that an attacker could come in from the back door
(desktop, XSS etc), I could lock down the BGP more, and tighten up Mgmt beyond
its current fairly wide subnets (a /16 owned by work and my wired range), but
it becomes a hassle, which leads to more disabling of the "action=drop" while
debugging. My backup script emails me when the configuration changes.

To check if your proxy is enabled (probably shouldn't be):

      /ip proxy print
      enabled: no
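
As an added, defender-side example that is not from this thread or from MikroTik: a small Python auditor that reads a constructed RouterOS `/export` dump and flags the three things discussed in this thread (HTTP proxy enabled, input chain without a final catch-all drop, winbox service reachable from any address). The `set enabled=yes` line under `/ip proxy` and the `set winbox ...` line under `/ip service` are assumed export syntax; the filter rules follow the form shown above.

```python
import re

# Constructed sample of a RouterOS "/export compact" dump; not from a real device.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=Mgmt
add action=drop chain=input
/ip proxy
set enabled=yes port=8080
/ip service
set winbox address=192.168.88.0/24
set www disabled=yes
"""

def parse_export(text):
    """Group each 'add'/'set' line under the '/path' heading that precedes it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def kv(line):
    """Turn 'add action=drop chain=input' into {'action': 'drop', 'chain': 'input'}."""
    return dict(re.findall(r"(\S+?)=(\S+)", line))

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_export(text)
    findings = []
    # 1. The HTTP proxy is the article's compromise indicator; it should be off.
    for line in s.get("/ip proxy", []):
        if kv(line).get("enabled") == "yes":
            findings.append("proxy enabled")
    # 2. The last input-chain rule must be an unconditional drop (no other matchers).
    rules = [kv(line) for line in s.get("/ip firewall filter", []) if line.startswith("add")]
    inp = [r for r in rules if r.get("chain") == "input"]
    last = inp[-1] if inp else {}
    if not (last.get("action") == "drop" and set(last) == {"action", "chain"}):
        findings.append("input chain has no final catch-all drop")
    # 3. winbox should be disabled or at least restricted to a management address.
    for line in s.get("/ip service", []):
        r, name = kv(line), (line.split()[1] if line.startswith("set") else None)
        if name == "winbox" and r.get("disabled") != "yes" and "address" not in r:
            findings.append("winbox reachable from any address")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```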

~~~
24gttghh
You could limit only certain ICMP types as well, and change your SSH port. And
you can ask yourself: Do I really need access to my firewall from work?

------
TeMPOraL
> _After enabling the Mikrotik RouterOS HTTP proxy, the attacker uses a trick
> in the configuration by redirecting all the HTTP proxy requests to a local
> HTTP 403 error page, and in this error page a link for web mining code from
> coinhive.com is inserted. By doing this, the attacker hopes to perform web
> mining for all the proxy traffic on the users’ devices_

> _What is disappointing for the attacker though, the mining code does not
> work in this way, because all the external web resources, including those
> from coinhive.com necessary for web mining, are blocked by the proxy ACLs
> set by attackers themselves._

Smart enough to breach Mikrotik routers. Dumb enough to fuck up linking in
coinhive JS. That screams "script kiddie buying delivery method on an open
market".

Also, how is coinhive still a thing?

~~~
ballenf
> Also, how is coinhive still a thing?

It's too bad coinhive is so easy to abuse. I'd much rather live in a world
where websites are financed with my electric bill rather than my data.

~~~
titzer
I dunno about you, but wasting vast amounts of energy in some incredibly
inefficient* techno-currency Ponzi scheme is just stupid and I'd rather we
figure out something better than these two alternatives.

* ASICs are roughly 100x more power-efficient at essentially any crypto mining algorithm

~~~
TeMPOraL
> _ASICs are roughly 100x more power-efficient at essentially any crypto
> mining algorithm_

That's half of the problem.

The other half is that cryptocurrencies rely, in a structural way, on their
generation to be difficult, so when enough ASICs get deployed, the currency
ups its "difficulty factor", multiplying the amount of power you have to burn
for the same reward.

Really, if I were a supervillain who wanted to accelerate energy crisis and
climate change by exploiting human greed, cryptocurrencies is the scheme I
would come up with.

~~~
ruskerdax
If I were a socialist who was politically opposed to the huge benefits of
cryptocurrency gaining major adoption I would boil it down to "exploiting
human greed" and pretend it's operating under the assumption that the energy
expenditures are a "waste" and therefore detrimental to climate change.

If you can't understand the compound harm to the environment (for starters) of
nation states existing and controlling currency, I feel bad for you. If you
do understand it, you should know you're rightly fearful of this technology,
because it's going to play a major factor in your future demise.

~~~
TeMPOraL
We seem to have a difference in base assumptions. I'd like to preserve and
further the technological civilization. You seem to want to shut it down.

> _the compound harm to the environment (for starters) of nation states
> existing and controlling currency_

Do you believe that nation states exist solely, or primarily, to control
currency? Currency is the blood of the nation, yes, but nation states form
organically, to further interests of groups of people. Whenever you have more
than a dozen people in one place, you get hierarchical governance, and the
more people you add, the more that hierarchy grows vertically to cope with the
load. With millions of people, you arrive at some form of states; add couple
wars into the mix, and you arrive at modern sovereign nation states.

Point being, if cryptocurrencies were to break states' control over money -
and what I guess you hope for - destroy states entirely, after lots of blood
unnecessarily shed, the states would be back in some form. It's doubtful
though, that cryptocurrencies would survive the process. They need computing
and Internet to work, and computers&Internet need _stable global economy_ to
exist. Break the economy, break the supply chains, and modern technology
evaporates.

Along with 90% of urban population starving to death.

> _you should know you're rightly fearful of this technology, because it's
> going to play a major factor in your future demise_

Yes, I'm fearful, because this technology is tuned in with the markets just
well enough that it may propagate, whether governments want it or not, and
grow to the point of burning out most of our non-renewable energy sources,
with little to show for it, before someone finally puts a stop to it.

--

I've painted a bleak worst-case scenario above, but I sincerely hope
cryptocurrencies as we know today will fizzle out and be remembered just as
another scam, one with absurdly large ecological footprint. I'm not against
distributed ledgers, distributed consensus, or even new designs for money. I'm
just against stupidly inefficient solutions exacerbating the biggest problems
humanity faces.

~~~
darawk
I agree with your assessments of governments, but your assessments of power
issues are pretty misguided.

You seem to be arguing that demand for renewable power will...make there be
less renewable power available? Which is not really how economics works.
Creating lots of power demand isn't going to make us like, run out of
sunlight. It's going to raise the price of power. It's going to compensate
people for building more capacity. It's going to do all the things that we
want.

In fact, by providing a constant demand for excess power generation which is
currently hard to store, crypto-currencies can substantially improve the
economic profile of building out lots of capacity that otherwise wouldn't make
economic sense.

------
dboreham
btw this is the actual vulnerability (since MT release logs do not mention the
CVE cited in the article):

[https://blog.mikrotik.com/security/winbox-vulnerability.html](https://blog.mikrotik.com/security/winbox-vulnerability.html)

(referenced here :
[https://forum.mikrotik.com/viewtopic.php?f=21&t=137284&start...](https://forum.mikrotik.com/viewtopic.php?f=21&t=137284&start=50#p683938))

------
justinclift
> Attackers mainly interested in port 20, 21, 25, 110, and 143, corresponding
> to FTP-data, FTP, SMTP, POP3, and IMAP traffic.

That strongly suggests password harvesting. Those ports/protocols often (not
always) are used for unencrypted user/pass combinations. :(

------
jessaustin
I always disable winbox on installation.

      /ip service disable winbox

Why would anyone want to use that? My theory is that it has something to do
with how in many cases the MT sshd has to be told to figure out the terminal:

      $ ssh user+t@192.168.88.1

...and this information is really hard to find. If the terminal settings
aren't right and you can't fix them, ssh is unusable and you're stuck with
either winbox or webfig. Fortunately, if the ssh session is wrapped in a mosh
session then mosh will handle MT's terminal settings.

~~~
4ad
Afaik winbox is the only way to reconfigure the device in case of serious IP
misconfiguration, or if layer 3 networking does not work for some reason (I
just had to debug a switching loop...), as winbox can connect by MAC, rather
than IP.

~~~
jessaustin
In such a situation I would probably hard reset and upload a saved
configuration... certainly not ideal.

~~~
4ad
My equipment is hidden in walls and hard to reset. However, in this case, the
problem was at the physical layer, not software configuration, so a reset
would not have accomplished anything.

Since I do not use Windows, I had to emulate Winbox in Wine... pretty awful
experience, but in the end it worked while everything else failed.

I would just prefer some sort of unix tool that ssh can use to connect to the
equipment through layer 2.

------
orf
Cached:
[https://webcache.googleusercontent.com/search?q=cache:sYLtFj...](https://webcache.googleusercontent.com/search?q=cache:sYLtFjkodtgJ:blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/+&cd=1&hl=en&ct=clnk&gl=pt)

------
JohnnyWesh
Just yesterday updated my Mikrotik to latest current. And now read that news.
Great!

~~~
teilo
Then you're just fine. The vulnerabilities were patched months ago.

------
a012
Article link is down on my end.

~~~
ccnafr
It's basically another take on this older report:
[https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-Mik...](https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-%E2%80%93-First-we-cryptojack-Brazil,-then-we-take-the-World-/)

~~~
appleflaxen
that's a month old; has the compromise been going on that long?

i guess so...

~~~
24gttghh
It's been occurring since at least March I think?

[https://blog.mikrotik.com/security/winbox-vulnerability.html](https://blog.mikrotik.com/security/winbox-vulnerability.html)

[https://forum.mikrotik.com/viewtopic.php?f=21&t=137572](https://forum.mikrotik.com/viewtopic.php?f=21&t=137572)

~~~
ccnafr
No. That's when the vulnerability was discovered. The cryptojacking attacks on
routers began a month ago. Qihoo is just reporting on an ongoing campaign. But
I didn't see anything different from the Trustwave report, except that
attackers misconfigured some routers to send traffic into a blackhole for some
reason.

------
burkesquires
Do NOT visit...trojan at URL!

~~~
isostatic
Really? In what way?

~~~
breakingcups
I (ironically) got a CoinHive warning from TrendMicro.

~~~
fasafsafsf
Get a better antivirus then, because it's picking the URL that appears in the
post.

