Router manufacturer MikroTik has published a security advisory on how to protect its devices against takeover by the Meris botnet. The Meris operators exploit CVE-2018-14847, a vulnerability discovered and patched back in 2018, to take over RouterOS devices and then abuse them for DDoS attacks. Here is some information about it.
The Meris botnet
The Meris botnet is still fairly new and appears to be built from hijacked routers. Powerful DDoS attacks are already emanating from it. Qrator Labs first reported on the botnet on September 9, 2021, in the post Mēris botnet, climbing to the record. In late June 2021, Qrator Labs had found the first signs of a new kind of botnet. It has considerable attack capacity: Qrator has already observed attack waves from 30,000 devices, and Yandex was able to collect data on 56,000 attacking hosts.
However, security researchers believe the real number is higher, probably more than 200,000 devices, not all of which the attackers have used yet. The botnet is composed of high-performance devices (routers) connected to the Internet via Ethernet. MikroTik posted this article about the botnet. Krebs on Security was recently attacked via this botnet.
The MikroTik security advisory
The Winbox vulnerability CVE-2018-14847 was discovered in RouterOS on April 23, 2018 and has since been fixed. It should be noted that although Winbox was the attack vector, the vulnerability was in RouterOS itself. It allowed a special tool to connect to the Winbox port (TCP 8291 by default) and request the system user database file, i.e. the router's account credentials. The following versions are affected:
- Bugfix chain: all releases from 6.30.1 to 6.40.7; fixed in 6.40.8 (April 23, 2018)
- Current chain: all releases from 6.29 to 6.42; fixed in 6.42.1 (April 23, 2018)
- RC chain: all releases from 6.29rc1 to 6.43rc3; fixed in 6.43rc4 (April 23, 2018)
So the botnet is taking over devices through a vulnerability that was found three years ago and has long since been fixed. Currently, there is no sure way to determine whether a given device is affected.
If the device's Winbox port was open to untrusted networks, the device should be assumed compromised. MikroTik's recommendation is to update the firmware, change the password and set up a firewall following MikroTik's guidelines. The order matters: because the vulnerability leaked the user database, credentials stolen in 2018 remain valid after an upgrade, so administrators must change the password after upgrading, not just upgrade. More details can be read here.
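The following RouterOS terminal commands are an added example of the three steps above; they are not taken from MikroTik's advisory or from the original post. They assume a management network of 192.168.88.0/24, an uplink already placed in the interface list WAN, and an administrative account named admin; adjust these to your network. The commands are typed in this order at the RouterOS terminal, and because the upgrade reboots the device, steps 2 and 3 are run after it comes back. TCP 8291 is the Winbox default port; the fixed versions quoted in the comments are the ones listed in the advisory.

```routeros
# Added example, not MikroTik's own configuration. Assumptions (change them):
#   management network 192.168.88.0/24, uplink in interface list "WAN",
#   admin account "admin".

# 1. Upgrade RouterOS. Needs Internet access on the router; it reboots.
/system package update check-for-updates
/system package update install

# After the reboot, confirm the running version is at or beyond the fix
# (6.40.8 on the bugfix chain, 6.42.1 on current, 6.43rc4 on RC):
:put [/system resource get version]

# 2. Change the password AFTER the upgrade. Credentials read out via
#    CVE-2018-14847 stay valid until they are changed.
/user set admin password="REPLACE-WITH-A-LONG-RANDOM-PASSWORD"

# Review accounts, scripts and scheduler entries; remove anything you did
# not create yourself (the advisory asks for this check as well).
/user print
/system script print
/system scheduler print

# 3. Firewall for the input chain: Winbox only from the management network,
#    everything else arriving on WAN is dropped. "add" appends, so on a
#    router that already has input rules, check the final order with print.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="trusted admin hosts (assumed)"
/ip firewall filter add chain=input action=accept connection-state=established,related comment="allow replies"
/ip firewall filter add chain=input action=drop connection-state=invalid comment="drop invalid"
/ip firewall filter add chain=input action=accept protocol=icmp comment="allow ping"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=mgmt comment="Winbox from mgmt only"
/ip firewall filter add chain=input action=drop in-interface-list=WAN comment="drop all other WAN input"

# Belt and braces: bind the Winbox service itself to the management network
# and disable management services that are not needed.
/ip service set winbox address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# Verify: the Winbox accept rule must sit above the WAN drop rule.
/ip firewall filter print where chain=input
```

The drop rule on the WAN interface list is what actually closes the exposure the advisory warns about; restricting the Winbox service address is a second, independent control in case a firewall rule is later moved or disabled. If the router is managed over the WAN side (no separate management network), replace the address list entries with the fixed public addresses of the administrators' hosts rather than leaving 8291 reachable from anywhere.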