Nearly 1 million MikroTik devices at risk of Super Admin elevation flaw

Researchers have discovered a critical severity flaw that puts 926,000 MikroTik RouterOS routers at risk of being completely taken over by threat actors.

The vulnerability, designated CVE-2023-30799, affects RouterOS versions earlier than v6.49.7 Stable and v6.49.8 Long-term, allowing remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.

Super-admin privileges are normally only given to specific parts of the OS’s underlying software. This makes the vulnerability very valuable to threat actors seeking to "jailbreak" the router and make significant changes to its configuration and functionality to suit their unique purposes.

Identify, measure, and reduce your risk with a personalized attack surface report.

Our automated attack surface reports detect end-of-life software and operating systems, exposed devices and services, third-party risks & more.

Try it free

Although a valid admin account on the router is required to exploit the vulnerability, MikroTik routers are notorious for being easy to hack since they use “admin” as the username by default.

Furthermore, MikroTik routers aren’t equipped with any controls to detect and prevent brute-force password attacks. Attackers can simply use services like Shodan to find MikroTik devices hosted in countries of their choosing, then use one of the many publicly available brute-forcing tools to gain access.

Source: Bleeping Computer

Analysis

MikroTik routers have been a favourite of threat actors for many years due to their wide deployment and ease of compromise via various vulnerabilities and published proof of concept codes. Additionally, most MikroTik routers run open proxies and DNS servers by default, which are used by multiple threat actors to conduct DDoS attacks and other malicious activities.

For example, in 2022, a Russian state-sponsored botnet called Zhadnost used thousands of MikroTik routers to conduct DDoS attacks on the Ukrainian government and financial institutions. In another example, a 2019 cybercrime campaign exploited vulnerabilities in MikroTik routers to propagate laterally, and ultimately use Glupteba malware to drop cryptocurrency miners on victims' machines.

Further to being plentiful and easy to compromise, MikroTik routers have a very slow patching cadence as many users “set it and forget it”, choosing not or forgetting to patch their systems. The routers do not have an auto-update feature and MikroTik does not push updates to its user’s devices. This highly reduces the effectiveness of patching, much to the delight of threat actors.

Scan for MikroTik devices running one vulnerable version (6.48.6) of RouterOS Source: Shodan.io

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices such as MikroTik routers. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users are automatically notified when vulnerable devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect recommends that organizations patch MikroTik devices as soon as possible. We also encourage users to disable MikroTik’s open proxy function and configure the DNS server to only accept internal requests.

References

• Glupteba Campaign that exploits MikroTik routers still at large
• Zhadnost Strikes again…this time in Finland
• A brief history of the Meris botnet