Threat actors are targeting a significant number of vulnerable MikroTik wireless and IoT devices, according to new research by Eclypsium.
In a blog post Thursday, the hardware security vendor cited several reasons behind MikroTik’s popularity with attackers, which researchers have been studying since September. Just after Eclypsium began its research, a record-setting DDoS attack powered by the Meris botnet was observed using vulnerable MikroTik devices.
The Latvia-based manufacturer of routers, IoT and wireless ISP devices has a track record of bugs that includes “three CVEs from the past three years that can lead to remote code execution and a complete takeover of a device.” Eclypsium researchers found that customers rarely updated those devices even when a patch was available, and more than 2 million such products are deployed globally.
Threat actors are taking advantage of the unpatched devices, according to Eclypsium, to generate powerful DDoS attacks, to use them as command-and-control infrastructure, to tunnel malicious traffic and more.
“While threat actors have the tools to find vulnerable MikroTik devices, many enterprises do not,” the research blog said. “Given the challenges of updating MikroTik, there are large numbers of devices with these 2018 and 2019 vulnerabilities.”
Scott Scheferman, principal cyber strategist at Eclypsium, told SearchSecurity those challenges include both technical and awareness issues. On the technical front, Scheferman said MikroTik routers do have auto-update capabilities, but users must properly configure the devices and opt in to enable the feature — and most users apparently don’t.
The type of vulnerabilities, including remote code execution (RCE) flaws, contributes to the technical difficulties. “One of the vulnerabilities from 2019 would allow you to downgrade [the firmware] as an attacker,” Scheferman said.
From an awareness standpoint, the COVID-19 pandemic both improved security knowledge and created new concerns. While enterprises have an increased awareness of security risks to remote employees, Scheferman said home users, whose numbers rose significantly during the pandemic, have not reached that level and are still using vulnerable small office and home office (SOHO) equipment.
Vlad Babkin, a security researcher at Eclypsium, agreed that customer awareness is lacking. Babkin found that surprising for several reasons, one being that users who choose MikroTik devices are likely opting for a more powerful networking device and would be expected to learn how to use it properly.
“They also have normal update buttons that the users can do manually, and that actually brings up the update pretty much automatically, so I don’t know why it is this way,” Babkin said.
Eclypsium noted that in addition to SOHO products, MikroTik wireless products are also used by ISPs. Luckily, patching rates appear to be higher with those enterprise customers; Babkin said the researchers found an ISP that was built on top of MikroTik.
Impact of Meris botnet
While the issue of having unpatched vulnerabilities despite available updates is not new, the research further highlighted associated risks for wireless and IoT devices. A known threat example was found in the Meris malware, a botnet that infected a “record-breaking” number of IoT devices, including MikroTik routers. Despite awareness and news reports, the attacks on MikroTik devices did not appear to slow down.
Scheferman noted several hypotheses, including an affiliate-as-a-service model where attribution becomes difficult. Threat actors switching tactics during COVID-19 is another, specifically the Clop ransomware gang, which realized EDR and XDR were improving, according to Scheferman.
“All these IoT devices inside enterprises and …….