Hundreds of thousands of routers produced by the Latvian network hardware firm MikroTik are still vulnerable to at least one of four vulnerabilities that are over a year old. These vulnerable routers are most likely being used by attackers as operational infrastructure. Approximately 94% of the 2 million routers deployed in small-office and home-office settings have the management interface, Winbox, exposed to the internet. This is not the default setting, implying that customers are either willingly undermining the security of their devices or the devices have already been compromised.
Scott Scheferman, a cyber strategist at Eclypsium, says the devices are so complex that most home users would not be able to configure the settings to expose Winbox to the internet. Several takedowns of attackers have shown a strategy of using MikroTik routers to recover from the disruption caused by a takedown. The extent of the current vulnerabilities in the MikroTik routers is not clear. There are four known vulnerabilities, two disclosed in 2019 and two in 2018, that can be exploited on unpatched routers. Closing the old vulnerabilities does not immediately protect these routers.
Read more: Lack of Patching Leaves 300,000 Routers at Risk for Attack