A mysterious grey-hat is patching people's outdated MikroTik routers

Authored by zdnet.com and submitted by KabyDep

A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned.

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.

Alexey has not been trying to hide his actions and has boasted about his hobby on a Russian blogging platform. He says he accesses routers and makes changes to their settings to prevent further abuse.

"I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions."

But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged.

The vigilante server administrator says he's been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April.

At the time, the vulnerability (known as CVE-2018-14847) was a zero-day, but MikroTik rolled out a fix in record time. Nonetheless, cyber-criminals quickly jumped on board to exploit the flaw.

CVE-2018-14847 is a very convenient vulnerability because it allows an attacker to bypass authentication and download the user database file. Attackers decrypt this file and then use one of the username & password combos to log into a remote device and make OS settings and run various scripts.

For the past five and a half months, the vulnerability has been mainly used to plant cryptojacking scripts on outdated MikroTik routers [1, 2] and to hijack DNS servers and later redirect user traffic towards malicious sites [1, 2].

This wouldn't be an issue, but MikroTik is one of today's most popular router brand. There are over two million MikroTik routers around the globe.

Security researcher Troy Mursch told ZDNet today that of the millions of MikroTik routers currently connected to the Internet, over 420,000 show signs they've been infected with cryptocurrency-mining scripts.

Speaking to ZDNet today, Ankit Anubhav, a security researcher for NewSky Security, has also indicated that DDoS botnet authors have also been trying to infect and corral these devices under their control, but failing.

"The usual IoT blackhat botnet factory is basically clueless about the exploit, and how it can be deployed for a proper functioning botnet," Anubhav said.

Instead, he says the people placing cryptocurrency-mining scripts on the devices are far more adept at hijacking the vulnerable routers. Anubhav speculated that this looks to be the "work of a knowledgeable lone actor."

Things became even worse for the MikroTik community this past week after Tenable researchers released a new exploit named "By The Way" for the original CVE-2018-14847 vulnerability. This spurred new interest from the botnet community.

But the reason why Alexey was able to "clean" over 100,000 routers is because none of the hacker groups currently abusing MikroTik routers appear to perform basic hygiene.

"The attackers are not closing [device ports] or patching the devices, so anyone who wants to further mess with these routers, can," Anubhav told ZDNet.

Fortunately, Alexey has been doing this clean-up on some users's behalf. But technically speaking, Alexey is on the wrong side of the law. Despite his good intentions, it is illegal to access another person or organization's equipment without consent.

Alexey's vigilante spree may be illegal, but he is definitely not the first.

In 2014, a hacker accessed thousands of ASUS routers and planted text warnings inside computers with shared folders and hard drives that were located behind those routers, warning users to patch their ASUS device.

In late 2015, a team of vigilante hackers going by the name of the White Team launched the Linux.Wifatch malware that closed security holes on a variety of Linux-based routers. At one point, the White Team's botnet became so big it battled with the botnet of the infamous Lizard Squad team for the title of the Internet's largest botnet.

In 2017, a more devious vigilante hacker named The Janit0r deployed the BrickerBot malware that erased firmware or bricked IoT devices that had not been updated.

Also in 2017, a hacker made over 150,000 printers spew out a message to their owners to raise everyone's awareness about the danger of leaving printers exposed online.

In 2018, another vigilante renamed tens of thousands of MikroTik and Ubiquiti routers to "HACKED" and other messages to get owners' attention to update their devices.

Mursch told ZDNet that he doesn't believe the MikroTik situation will get better any time soon.

"Rebooting grandma's router won't fix this," he said. "Remediation efforts must be done by the service providers."

The reason is that many of these devices are not routers placed inside users' homes, but are so-called "edge" devices, often part of an ISP's internal infrastructure, such as routers placed in ISP boxes left inside apartment complexes or on street poles.

Another source in the infosec community who spoke to ZDNet but did not want his name shared for this story confirmed that Alexey's vigilante efforts have also touched edge routers, not only those found in people's homes.

"Ironically, by cleaning some ISP routers he might get the ISPs to act and fix everyone's routers as well," the unnamed researcher told us.

As for MikroTik, the Latvian company has been one of the most responsive vendors in terms of security flaws, fixing issues within hours or days, compared to the months that some other router vendors tend to take. It would be unfair to blame this situation on them. Patches have been available for months, but, yet again, it is ISPs and home users who are failing to take advantage of them.

sturnus-vulgaris on October 15th, 2018 at 17:11 UTC »

Police, I'd like to report a break-in.

Was anything taken?

No, no. They just installed window locks, a deadbolt, and left a note explaining what they did and where I could get more information on home security.

TooShiftyForYou on October 15th, 2018 at 17:05 UTC »

"I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions."

Good guy Russian hacker.

Dv02 on October 15th, 2018 at 15:55 UTC »

Chaotic Good.