Hundreds of thousands of routers produced by Latvian network hardware firm MikroTik remain vulnerable to at least one of four exploitable vulnerabilities that are at least a year old and are likely being used by attackers as part of their operational infrastructure, researchers say.

A new report from security firm Eclypsium says that of the approximately 2 million MikroTik routers deployed in small-office and home-office (SOHO) settings, 1.88 million — or 94% — have the router's management interface, Winbox, exposed to the Internet. The open ports are not the default setting, suggesting that either users are willfully undermining their security or the configuration is a sign that the devices have been compromised, says Scott Scheferman, principal cyber strategist at Eclypsium.

These devices are so complex that most home users would not know how to configure those settings and likely would have no reason to do that, he says, adding that as compromised devices, the routers give attackers significant advantages.

"They are powerful from just about every perspective, from a raw capability perspective and a diversity of things you can do from a functionality standpoint — they are massively useful," Scheferman says. "You can run a ping flood from the device. You can tunnel and proxy. You can configure your DNS maliciously, so the user is redirected to an attacker's site. The harder question to answer is what can't you do when you are on these devices."

The focus on vulnerable MikroTik routers comes after several takedowns have pinpointed attackers' strategy of using SOHO routers as a way to recover from the disruption of a takedown, according to Eclypsium's advisory. A year ago, the US Cyber Command disrupted the infrastructure of Trickbot, but the group reconstituted the network using routers that had been compromised using the Trickboot firmware-targeting module, according to Eclypsium.

In September, the Meris botnet — made of up MikroTik routers — leveled large distributed denial-of-service attacks against targets, including Russian search engine Yandex. Researchers from Cloudflare and other companies estimated that Meris — "plague" in Latvian — consisted of around 250,000 compromised MikroTik routers.

Meris has more power than the better-known Mirai botnet, Cloudflare researchers stated in an analysis.

"While Mirai infected IoT devices with low computational power, Meris is a swarm of routers that have significantly higher processing power and data transfer capabilities than IoT devices, making them much more potent in causing harm at a larger scale to web properties that are not protected by sophisticated cloud-based DDoS mitigation," the company stated.

While the extent of the vulnerability of currently deployed MikroTik routers is not clear,  Eclypsium looked for signs that four known vulnerabilities — two disclosed in 2018 and two in 2019 — could be used to exploit existing routers. The two vulnerabilities reported in 2019, for example, could be used to compromised unpatched routers, including those running a fairly recent version of the MikroTik's OS, while the two others affected much older ones.

"Unfortunately, closing the old vulnerability does not immediately protect these routers," MikroTik said in a statement in September following the Meris botnet discovery. "If somebody got your password in 2018, just an upgrade will not help. You must also change the password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create."

SSH Exposed
In a scan of the Internet, Eclypsium researchers did find 225,000 routers that had a common remote access port — Secure Shell, or SSH — exposed to the Internet, while 287,000 routers appear to be running older, detectable versions of the operating system and, thus, are vulnerable to exploitation. The two factors suggest that at least 300,000 MikroTik routers either have been exploited or could easily be exploited, says Scheferman.

"Attackers can use those 2019 vulnerabilities to downgrade the OS and force the configuration of the process to enable these services to be facing the internet," Scheferman says. "That can be done en masse or via scripting."

Eclypsium has created a tool to help users detect whether they are vulnerable and whether they might be infected. The tool, Meris RouterOS Checker, allows administrators to take the role of an attacker to check whether the router is vulnerable to the four vulnerabilities, to attempt logging in with compromised credentials, and to check the device for known indicators of compromise.

"Given such a vast percentage of these devices have been in a vulnerable state for many years on end, it is simply not enough to find 'old' — vulnerable — devices," Eclypsium researchers stated in the advisory. "Instead, we need to leverage the very same tactics, techniques, and procedures (TTPs) the attackers use. We need to discover whether a given device might already be compromised and determine whether it is patched or not."