At STH, we review and use a fair number of MikroTik products. MikroTik is a Latvian based maker of some interesting SMB networking solutions. Recently, Radware showed that there is a worm impacting MikroTik RouterOS devices that appears to be spreading rapidly. The worm infects devices and creates a Botnet of RouterOS devices.

The MikroTik RouterOS Botnet Worm

The worm is targeting RouterOS devices via two primary methods after scanning for port 8291 which is primarily used by MikroTik devices. First, scanning for known vulnerabilities that are unpatched. Second, using brute force password attacks. These are particularly troublesome in the RouterOS scenario as many of these devices are connected to the Internet as routers. Also, many SMB service providers install them at customer sites. These customer site installations are not always patched immediately meaning that old vulnerabilities are often present.

From Radware on this issue:

“Preliminary analysis suggests that the botnet is exploiting known Mikrotik vulnerabilities (HTTP, SMB) as well as password brute-forcing. The worm has a highly efficient propagation mechanism by aggressively scanning for port 8291 in order to identify publicly available Mikrotik devices and using the password cracking capabilities to infect neighbor devices.”

Here is a link to the vulnerability and more details described by Radware.

This is a big deal since MikroTik also makes low cost, high throughput routers that implement features like BGP for smaller service providers. An example of that is the Cloud Core Router pictured in the cover image for this article. These routers are often connected to data center WAN uplinks. That practically means that if these routers are compromised, they can be used to launch DDoS attacks both from SMB network endpoints but also from data center WAN connections magnifying the pps and bandwidth capabilities of each endpoint. Whereas an IP camera vulnerability on a 11mbps WiFi uplink can be dangerous in quantity, a 72 core router with a 10Gbps uplink (or two) can sustain a higher DDoS rate as a botnet endpoint.

STH MikroTik Reviews

Here are a few of our MikroTik reviews which shows why they are popular in some segments of STH’s reader base.

We also have a review of the MikroTik CRS317-1G-16S+RM in the pipeline. Expect that one to come out soon. Newer firmware has gotten it to the point Patrick feels comfortable with us publishing a review.

Discuss this article and the vulnerability in the STH forums.