Security News > 2021 > December > How MikroTik Routers Became a Cybercriminal Target

Due to the sheer number of devices in use, their high power and numerous known vulnerabilities within them, threat actors have been using MikroTik devices for years as the command center from which to launch numerous attacks, researchers said.

Eclypsium researchers began exploring the how and why of the weaponization of MikroTik devices in September, based on previous research into how TrickBot threat actors used compromised routers as command-and-control infrastructure.

In addition to their power, one of the chief reasons MikroTik devices are so popular with attackers is that they are, like many SOHO and IoT devices, vulnerable out of the box.

MikroTik devices often miss out on important firmware patches because their auto-upgrade feature is rarely turned on, "Meaning that many devices are simply never updated," according to Eclypsium.

"These devices are both powerful, and as our research shows, often highly vulnerable," they noted, adding that MikroTik devices, in addition to serving SOHO environments, are regularly used by local Wi-Fi networks, which also attracts attention from attackers, they wrote.

Eclypsium has created a freely available tool that could allow network administrators to test their devices' vulnerability, in three ways: Identify MikroTik devices with CVEs that would allow the device to be taken over; attempt to log in with a given list of default credentials; and check for indicators of compromise of the Mēris botnet.

News URL

https://threatpost.com/mikrotik-routers-cybercriminal-target/176894/