<h1>Patch your MikroTik routers, there are attacks in the wild</h1>
<p>borncity.com, April 26, 2018. Original post: <a href="https://borncity.com/win/2018/04/26/patch-your-mikrotik-routers-there-are-attacks-in-the-wild/">https://borncity.com/win/2018/04/26/patch-your-mikrotik-routers-there-are-attacks-in-the-wild/</a></p>
<p>[<a href="https://www.borncity.com/blog/2018/04/25/mikrotik-router-patchen-angriffe-erfolgen/" target="_blank">German</a>] Users of MikroTik routers should update their RouterOS firmware urgently: a vulnerability that became public two days ago is already being exploited in the wild.</p>
<h2>Vulnerability known, update available</h2>
<p>Two days ago MikroTik published the security advisory <a href="https://forum.mikrotik.com/viewtopic.php?f=21&amp;t=133533" target="_blank">Vulnerability exploiting the Winbox port</a> (see also my German blog post <a href="https://www.borncity.com/blog/2018/04/23/mikrotik-router-sicherheitslcke-im-winbox-port/">Mikrotik-Router: Sicherheitslücke im Winbox-Port</a> about this vulnerability).</p>
<p>MikroTik discovered the vulnerability itself; it affects all RouterOS versions from v6.29 to v6.43rc3. It allows a purpose-built tool to connect to the Winbox port and, without first authenticating, request the system's user database file, which holds the router's login credentials.</p>
<p><img title="MikroTik router" alt="MikroTik router" src="https://i.imgur.com/HC4H1OS.jpg"></p>
<p>On April 23, 2018 the manufacturer released RouterOS v6.42.1 and v6.43rc4, which close the vulnerability.</p>
<p><a href="https://mikrotik.com/download" target="_blank">Download</a></p>
<h2>First attacks observed</h2>
<p>Bleeping Computer reports <a href="https://www.bleepingcomputer.com/news/security/mikrotik-patches-zero-day-flaw-under-attack-in-record-time/" target="_blank">here</a> that exactly this vulnerability is already being exploited: users on a Czech forum discovered a zero-day exploit that reads the router's user database.</p>
<p><a href="https://www.bleepstatic.com/images/news/u/986406/attacks/Zero-Days/WinBox-attacks.PNG" target="_blank"><img title="Router logs" alt="Router logs" src="https://www.bleepstatic.com/images/news/u/986406/attacks/Zero-Days/WinBox-attacks.PNG" width="610" height="340"></a><br>(Source: Bleeping Computer)</p>
<p>Once the attacker has obtained the user database and decrypted the stored credentials, he can log into the router through its web interface. The intrusions all followed the same pattern: two failed Winbox login attempts followed by one successful login (screenshot above). The attacker then changes some of the router's services, logs off, and returns a few hours later.</p>
<p>All attacks were carried out over Winbox, the remote management service MikroTik ships with its routers so that devices can be configured over a local network or the Internet. The Winbox service (TCP port 8291) is enabled by default on all MikroTik devices.</p>
<h2>Zero-day was not used on a massive scale</h2>
<p>The good news: so far all attacks came from a single IP address, which points to the work of one attacker. The address every affected user reported, 103.1.221.39, is registered in Taiwan.</p>
<p>Even so, update immediately and, as a precaution, change the router's login passwords: installing the fix does nothing against credentials that may already have been copied out of the user database. And since Winbox listens on port 8291 by default, check whether the service needs to be reachable from the Internet at all.</p>
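<p>The login pattern described above (a couple of failed Winbox attempts, then a success from the same address, all of it from 103.1.221.39) is easy to check for in a router's exported log. The following Python script is an added example written for this article, not code from the original post or from MikroTik. It assumes RouterOS log lines in the wording <code>login failure for user &lt;name&gt; from &lt;ip&gt; via &lt;service&gt;</code> and <code>user &lt;name&gt; logged in from &lt;ip&gt; via &lt;service&gt;</code> (an assumption; compare with your own <code>/log print</code> output), and the sample log embedded in it is constructed, not a real capture.</p>

```python
"""Added example: flag the Winbox intrusion pattern from the post in RouterOS logs.

Assumed RouterOS log wording (not taken from the page; verify with `/log print`):
  ... login failure for user <name> from <ip> via <service>
  ... user <name> logged in from <ip> via <service>
"""
import re

# The one source address the post says every affected user reported.
KNOWN_ATTACKER_IPS = {"103.1.221.39"}

# Assumed log wording (see module docstring); both patterns are assumptions.
FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\w+)")
OK_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<src>[\d.]+) via (?P<svc>\w+)")

# Constructed sample log, not a real capture: the attacker's burst, an admin who
# mistyped a password once, and a clean WebFig login from the LAN.
SAMPLE_LOG = """\
apr/24 03:12:01 system,error,critical login failure for user admin from 103.1.221.39 via winbox
apr/24 03:12:02 system,error,critical login failure for user admin from 103.1.221.39 via winbox
apr/24 03:12:04 system,info,account user admin logged in from 103.1.221.39 via winbox
apr/24 07:40:10 system,error,critical login failure for user admin from 192.168.88.10 via winbox
apr/24 07:40:20 system,info,account user admin logged in from 192.168.88.10 via winbox
apr/24 08:00:00 system,info,account user admin logged in from 192.168.88.254 via web
"""


def parse_events(lines):
    """Turn log lines into dicts {ok, user, src, svc}; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = OK_RE.search(line)
        if m:
            events.append({"ok": True, **m.groupdict()})
            continue
        m = FAIL_RE.search(line)
        if m:
            events.append({"ok": False, **m.groupdict()})
    return events


def find_suspicious(lines, min_failures=2):
    """Return one alert per successful login that was preceded by at least
    `min_failures` consecutive failures from the same source address, or that
    came from a known attacker address regardless of prior failures."""
    pending = {}   # src -> consecutive failures since that source last succeeded
    alerts = []
    for ev in parse_events(lines):
        src = ev["src"]
        if not ev["ok"]:
            pending[src] = pending.get(src, 0) + 1
            continue
        failures = pending.pop(src, 0)
        known = src in KNOWN_ATTACKER_IPS
        if failures >= min_failures or known:
            alerts.append({
                "src": src,
                "user": ev["user"],
                "service": ev["svc"],
                "failures": failures,
                "known_attacker": known,
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{a['src']} logged in as {a['user']} via {a['service']} after "
              f"{a['failures']} failed attempt(s); known attacker: {a['known_attacker']}")
```

<p>Feed it the lines from <code>/log print</code> or a remote syslog export, and raise <code>min_failures</code> if admins on your network often mistype passwords. Note that the failure counter is keyed only on the source address and never expires, so a single failure from an address days earlier still counts toward a later success from it. Independently of detection, RouterOS lets you restrict the Winbox service to management addresses (for example <code>/ip service set winbox address=192.168.88.0/24</code>), which removes the exposed port the exploit needs in the first place.</p>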