A mysterious grey-hat is patching people's outdated MikroTik routers

A mysterious grey-hat is patching people's outdated MikroTik routers 1

A Russian-speaking grey-hat hacker is breaking into people’s MikroTik routers and patching devices so they can’t be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned.

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.

Alexey has not been trying to hide his actions and has boasted about his hobby on a Russian blogging platform. He says he accesses routers and makes changes to their settings to prevent further abuse.

“I added firewall rules that blocked access to the router from outside the local network,” Alexey said. “In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”

But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said “thanks,” but most were outraged.

The vigilante server administrator says he’s been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April.

At the time, the vulnerability (known as CVE-2018-14847) was a zero-day, but MikroTik rolled out a fix in record time. Nonetheless, cyber-criminals quickly jumped on board to exploit the flaw.

CVE-2018-14847 is a very convenient vulnerability because it allows an attacker to bypass authentication and download the user database file. Attackers decrypt this file and then use one of the username & password combos to log into a remote device and make OS settings and run various scripts.

For the past five and a half months, the vulnerability has been mainly used to plant cryptojacking scripts on outdated MikroTik routers [1, 2] and to hijack DNS servers and later redirect user traffic towards malicious sites [1, 2].

This wouldn’t be an issue, but MikroTik is one of today’s most popular router brand. There are over two million MikroTik routers around the globe.

Security researcher Troy Mursch told ZDNet today that of the millions of MikroTik routers currently connected to the Internet, over 420,000 show signs they’ve been infected with cryptocurrency-mining scripts.

Speaking to ZDNet today, Ankit Anubhav, a security researcher for NewSky Security, has also indicated that DDoS botnet authors have also been trying to infect and corral these devices under their control, but failing.

“The usual IoT blackhat botnet factory is basically clueless about the exploit, and how it can be deployed for a proper functioning botnet,” Anubhav said.

Instead, he says the people placing cryptocurrency-mining scripts on the devices are far more adept at hijacking the vulnerable routers. Anubhav speculated that this looks to be the “work of a knowledgeable lone actor.”

Things became even worse for the MikroTik community this past week after Tenable researchers released a new exploit named “By The Way” for the original CVE-2018-14847 vulnerability. This spurred new interest from the botnet community.

But the reason why Alexey was able to “clean” over 100,000 routers is because none of the hacker groups currently abusing MikroTik routers appear to perform basic hygiene.

“The attackers are not closing [device ports] or patching the devices, so anyone who wants to further mess with these routers, can,” Anubhav told ZDNet.

Fortunately, Alexey has been doing this clean-up on some users’s behalf. But technically speaking, Alexey is on the wrong side of the law. Despite his good intentions, it is illegal to access another person or organization’s equipment without consent.

Alexey’s vigilante spree may be illegal, but he is definitely not the first.

In 2014, a hacker accessed thousands of ASUS routers and planted text warnings inside computers with shared folders and hard drives that were located behind those routers, warning users to patch their ASUS device.

In late 2015, a team of vigilante hackers going by the name of the White Team launched the Linux.Wifatch malware that closed security holes on a variety of Linux-based routers. At one point, the White Team’s botnet became so big it battled with the botnet of the infamous Lizard Squad team for the title of the Internet’s largest botnet.

In 2017, a more devious vigilante hacker named The Janit0r deployed the BrickerBot malware that erased firmware or bricked IoT devices that had not been updated.

Also in 2017, a hacker made over 150,000 printers spew out a message to their owners to raise everyone’s awareness about the danger of leaving printers exposed online.

In 2018, another vigilante renamed tens of thousands of MikroTik and Ubiquiti routers to “HACKED” and other messages to get owners’ attention to update their devices.

Mursch told ZDNet that he doesn’t believe the MikroTik situation will get better any time soon.

“Rebooting grandma’s router won’t fix this,” he said. “Remediation efforts must be done by the service providers.”

The reason is that many of these devices are not routers placed inside users’ homes, but are so-called “edge” devices, often part of an ISP’s internal infrastructure, such as routers placed in ISP boxes left inside apartment complexes or on street poles.

Another source in the infosec community who spoke to ZDNet but did not want his name shared for this story confirmed that Alexey’s vigilante efforts have also touched edge routers, not only those found in people’s homes.

“Ironically, by cleaning some ISP routers he might get the ISPs to act and fix everyone’s routers as well,” the unnamed researcher told us.

As for MikroTik, the Latvian company has been one of the most responsive vendors in terms of security flaws, fixing issues within hours or days, compared to the months that some other router vendors tend to take. It would be unfair to blame this situation on them. Patches have been available for months, but, yet again, it is ISPs and home users who are failing to take advantage of them.

RELATED COVERAGE:

A mysterious grey-hat is patching people's outdated MikroTik routers 2
About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews



bitcoin
Bitcoin (BTC) $ 43,375.00
ethereum
Ethereum (ETH) $ 3,048.30
cardano
Cardano (ADA) $ 2.20
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 345.53
xrp
XRP (XRP) $ 0.945891
solana
Solana (SOL) $ 144.24
usd-coin
USD Coin (USDC) $ 1.00
polkadot
Polkadot (DOT) $ 28.48
dogecoin
Dogecoin (DOGE) $ 0.203739
USD
EUR
GBP
bitcoinBitcoin (BTC)
$ 43,375.00
ethereumEthereum (ETH)
$ 3,048.30
tetherTether (USDT)
$ 1.00
bitcoin-cashBitcoin Cash (BCH)
$ 501.09
litecoinLitecoin (LTC)
$ 150.06
bitcoinBitcoin (BTC)
37.009,07
ethereumEthereum (ETH)
2.600,92
tetherTether (USDT)
0,853235
bitcoin-cashBitcoin Cash (BCH)
427,55
litecoinLitecoin (LTC)
128,04
bitcoinBitcoin (BTC)
31,695.28
ethereumEthereum (ETH)
2,227.48
tetherTether (USDT)
0.730727
bitcoin-cashBitcoin Cash (BCH)
366.16
litecoinLitecoin (LTC)
109.65

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Crypto Scams
Crypto Scams Still Persistent In 2021, SEC Warns About Red Flags To Watch
September 9, 2021
Poly Network
Here’s How Hackers Stole Over $600 million in the Poly Network Attack
August 12, 2021
The World’s Most Infamous Crypto Hacks and Scams
July 31, 2021
Cryptocurrency Exchanges
Cryptocurrency Exchanges and the Plague of Scams and Bans
June 29, 2021
What Role Do Cryptocurrencies Play In The Era Of Ransomware Attacks?
June 9, 2021

Blockchain/Cryptocurrency Questions and Answers

Beginner’s Guide to Investing in Cryptocurrency
August 9, 2021
Short-Sell Cryptocurrency
How to Short-Sell Cryptocurrency: A Brief Overview
July 17, 2021
Klaytn
What Is Klaytn (KLAY) And How Does It Work?
July 16, 2021
Cryptocurrencies
Our Crypto Roundup Interview Asks- Do Cryptocurrencies Have a Future?
July 15, 2021
Solana
What Is Solana (SOL) And How Does It Work?
June 26, 2021


CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin43,198 0.72 % 0.44 % 8.81 %
Ethereum3,018.9 1.83 % 1.23 % 9.50 %
Tether0.9986 0.03 % 0.08 % 0.23 %
Cardano2.180 1.05 % 4.15 % 4.82 %
Binance Coin342.35 1.38 % 1.95 % 16.47 %
XRP0.9419 0.77 % 0.13 % 10.21 %
Solana142.51 2.07 % 2.45 % 7.06 %
USD Coin1.000 0.31 % 0.03 % 0.23 %
Polkadot30.87 2.19 % 17.29 % 10.73 %
Dogecoin0.2031 1.08 % 2.00 % 13.38 %

bitcoin
Bitcoin (BTC) $ 43,375.00
ethereum
Ethereum (ETH) $ 3,048.30
cardano
Cardano (ADA) $ 2.20
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 345.53
xrp
XRP (XRP) $ 0.945891
solana
Solana (SOL) $ 144.24
usd-coin
USD Coin (USDC) $ 1.00
polkadot
Polkadot (DOT) $ 28.48
dogecoin
Dogecoin (DOGE) $ 0.203739