A Russian cyber vigilante is patching outdated MikroTik routers exposed online

A Russian-speaking hacker, who goes by the name of Alexey, claims to have hacked into over 100,000 MikroTik routers with a specific intent, disinfect them.

Earlier August, experts uncovered a massive crypto jacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.

The campaign started in Brazil, but it rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.

In September thousands of unpatched MikroTik Routers were involved in new cryptocurrency mining campaigns.

Threat actors also exploited the exploit code for the CVE-2018-14847 vulnerability in MikroTik routers to recruit them in botnets such as Mirai and VPNFilter.

Alexey is a Russian-speaking cyber vigilante that decided to fix the MikroTik routers and he claims to be e system administrator.

Alexey described his activity on a Russian blogging platform, he explained he hacked into the routers to change settings and prevent further compromise.

“I added firewall rules that blocked access to the router from outside the local network,” Alexey wrote.

“In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”

Alexey changed settings for over 100,000 users, but only 50 users contacted his via Telegram but of them were angry for the intrusion.

According to the researcher Troy Mursch, currently, there are over 420,000 MikroTik routers exposed only that have been abused in cryptocurrency-mining campaigns.

MikroTik routers continue to be under attack, and the situation is getting worse because of the availability of a new PoC code.

The new attack technique was recently discovered by experts at Tenable Research and it could be exploited by remote attackers to execute arbitrary code on the vulnerable devices.

The experts at Tenable Research presented the technique on October 7 at DerbyCon 8.0 during the talk “Bug Hunting in RouterOS” at Derbycon, it leverages a known directory traversal flaw tracked as CVE-2018-14847.

Just to be clear, despite Alexey has broken into the infected routers to sanitize them, this action is technically considered a cybercrime.

The bad aspect of the story is that even if security patches have been available for months, ISPs and owners of the home routers still have installed them.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MikroTik routers, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.