A couple of weeks ago I mentioned that I was in the process of researching vulnerabilities that are being actively targeted on MikroTik devices. This is part one of a four-part blog series surrounding this research project and the scope of the vulnerability's potential impact.

Today’s agenda – covering the basics:

  • What are MikroTiks and why am I talking about them?
  • What is the vulnerability that led to this research project?
  • What steps can be taken to mitigate these vulnerabilities?

What are MikroTiks and Why Should I Care?

To set some background, MikroTik is a brand of networking equipment primarily used by Wireless Internet Service Providers (WISPs). Per their website, “MikroTik is a Latvian company which was founded in 1996 to develop routers and wireless ISP systems.” (https://mikrotik.com/about-us).

For those of you who do not know me personally, I am a big fan and advocate for MikroTik devices for a wide range of reasons.

  1. They are extremely customizable. In any MikroTik router, you can configure the ports, VLANs, routes, VPNs, and firewall policies however you wish. As I will discuss in point two, they are extremely cheap considering they have almost all of the capabilities that the heavy hitters in the industry such as Cisco, Juniper, etc. have. This means they have enterprise/carrier capabilities at a competitive price.
  2. They are extremely cheap. You can get a fully capable, though not very scalable, MikroTik router for around $50. This point is a double-edged sword, because it means they are just as affordable as any general consumer-grade router, but with significantly more capabilities. If a general consumer purchases one without understanding how to properly secure the device, they are exposing themselves in a much greater capacity than if they had just purchased a Linksys or Netgear router. That being said, cheaper is always better for those of us in the industry who are just trying to build an elaborate home network or a testing lab.
  3. The syntax is the same regardless of whether you are using the $50 model or the $3000 model. Having worked on a wide variety of different brands of equipment in my career, this one is very important to me. The layout of the GUI and the syntax of the CLI for MikroTiks have been the same for at least as far back as version 5.0 of RouterOS. This makes scripting, configuration, and administration so much more efficient. As an example of how this is not always the case across platforms, Juniper (I am a huge fan of Juniper as well, but for different reasons) has its edge series of switches, the EX series. The syntax, and to some extent even the functionality, of an EX2200 is VERY different from that of an EX2300.
  4. There is no additional licensing required for advanced/dynamic routing protocols such as OSPF or BGP. Many of the heavy hitters require additional licensing to perform advanced routing and utilize other features. This makes their already large price tag even more significant.

Slingshot and the Chimay-Red Exploit

In February-March of this year, Kaspersky Lab shed some light on the Slingshot “cyber-espionage” group and their activities. One of these activities was compromising MikroTik routers, most likely using the Chimay-Red exploit from the Vault 7 leaks. The Chimay-Red exploit should only be a threat to outdated MikroTik devices as it is supposedly fixed with version 6.38.5. What’s new in 6.38.5 (2017-Mar-09 11:32):

!) www – fixed http server vulnerability; https://mikrotik.com/download/changelogs/current-release-tree

It should be noted that at the time of this writing (April 10, 2018) the current version of RouterOS is 6.41.4. In part 2, I will be discussing the attacks used by the Slingshot APT, and the Chimay-Red exploit in further detail. There is also a resurfacing of the Hajime botnet that is actively exploiting this vulnerability, which we will also discuss. Hajime is also taking advantage of another, more recent exploit, which is a buffer overflow in MikroTik's implementation of SMB. Lastly in part 2, I will discuss the potential impact based on the number of possibly vulnerable devices currently exposed to the Internet.
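The practical takeaway from the changelog excerpt above is a simple inventory question: which of my devices still run a RouterOS build older than 6.38.5, the release the changelog ties to the "fixed http server vulnerability" entry? The script below is an added example written for this post, not code from the original article or from MikroTik; it parses RouterOS version strings, compares them against that fix version, and flags outdated devices in a constructed inventory (the hostnames and versions are made up, and release-candidate strings such as "6.40rc1" are deliberately rejected rather than guessed at).

```python
import re
from typing import List, Tuple

# RouterOS release that the changelog excerpt quoted in the post ties to the
# "www - fixed http server vulnerability" entry (2017-Mar-09).
HTTP_FIX_VERSION = "6.38.5"


def parse_routeros_version(version: str) -> Tuple[int, int, int]:
    """Turn a RouterOS release string such as '6.38.5' or '6.41.4' into a
    comparable (major, minor, patch) tuple.

    Two-component strings ('6.34') are treated as patch level 0. Pre-release
    suffixes (e.g. '6.40rc1') are not release builds and raise ValueError so
    they get looked at by a human instead of silently passing the check
    (assumption: the inventory should only contain release builds).
    """
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised RouterOS version string: {version!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def has_http_fix(version: str) -> bool:
    """True if the given RouterOS version is at or above HTTP_FIX_VERSION."""
    return parse_routeros_version(version) >= parse_routeros_version(HTTP_FIX_VERSION)


def flag_outdated(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of devices whose RouterOS version predates the fix,
    preserving inventory order so the output is stable for reporting."""
    return [name for name, ver in inventory if not has_http_fix(ver)]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("edge-rtr-01", "6.38.4"),   # one patch level short of the fix
    ("edge-rtr-02", "6.38.5"),   # exactly the fix release
    ("lab-hap-lite", "6.34"),    # two-component version, well before the fix
    ("core-ccr-01", "6.41.4"),   # current release at the time of the post
]

if __name__ == "__main__":
    for name in flag_outdated(SAMPLE_INVENTORY):
        print(f"{name}: RouterOS below {HTTP_FIX_VERSION}, upgrade required")
```

Feed it whatever your monitoring already collects (the version string shown under the device's system resources is enough) and the two flagged hosts in the sample are the ones that still need the upgrade; the comparison is a plain tuple comparison, so a major-version bump sorts above every 6.x release as expected.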

Mitigation and Remediation

Lastly there is mitigation and remediation. While the security side of MikroTiks is something I plan to do more detailed articles on in the future, in part 3 I will cover some basics of how you can mitigate these current vulnerabilities, and what to do if you believe you have been impacted by them.