About the Mikrotik Security Update

Hundreds of thousands of Mikrotik routers that have not received security updates are being used by many attackers worldwide, primarily for cryptocurrency mining, advertising services, tunneling and various file transfer services.

The vulnerability is caused by an application communicating with the device's Winbox port and reaching the RouterOS user database. No failed-password error appears on the device during this query. After the query the passwords are visible in clear text and can be used to connect to the device. Only the remote IP address or MAC address of the connecting device appears on the log screen. If the device's login and logout records are not sent to a remote logging device, this information is no longer available after the device is turned off and on.

All devices with RouterOS version 6.42 and below have this vulnerability. It was detected in April 2018 and the update file was published. However, because hundreds of thousands of Mikrotik routers have not been updated, the vulnerability persists.

As the Mikrotik distributor for Turkey, Poyraz Network runs port-based scans across 15 million IP addresses in use in Turkey to detect devices that have not yet received the security update. If user contact information is found in the Mikrotik device, it informs the user by phone. If there is no user information in the Mikrotik device, it leaves a warning text.

 

Poyraz Network, which has completed 15 million IP scans so far, has informed and continues to inform the owners of more than 15,000 vulnerable Mikrotik devices, including internet service providers, public institutions, private sector organizations, hotels, hospitals, dormitories, intercity and city bus companies and end users.

Well, have you been affected by the attacks?

First of all, if you cannot log in to your device with the passwords you previously defined, they have most likely been changed by others. Some attackers may have set the same standard passwords. We share below the device passwords we have encountered. You can check them.

User: system
Password: OkwKcECs8qJP2Z
User: ftp
Password: Bu1ldD4sH
User: admin
Password: 123456
User: admin
Password: q1w2e3r4t5y6
User: admina
Password: your old password
 


Based on the checks we have made on attacked devices, these are the main settings you need to check:

1- Check if there is any user you do not know about in the System -> Users tab.

2- Check if the "Allow Remote Requests" feature in the IP-> DNS tab is active without your knowledge.

3- Check the DNS addresses in the Servers section in the IP-> DNS tab.

4- Check for any unfamiliar redirects within the Static button in the IP-> DNS tab.

5- Check if the settings in the IP-> Socks tab are active without your knowledge.

6- Check if there is an unfamiliar address in the Access button in the IP-> Socks tab.

7- Check if there is an unfamiliar rule in the Filter Rules, NAT, Mangle, Address Lists and Layer 7 Protocols tabs in the IP-> Firewall tab.

8- Check if the settings in the IP-> Web Proxy tab are active without your knowledge.

9- In the PPP section, check for unfamiliar users in the Secrets tab.

10- Check whether the PPTP Server, SSTP Server, L2TP Server and OVPN Server settings under the Interface tab in the PPP section are active without your knowledge.

11- In the Interfaces section, check if a record has been added without your knowledge in the EoIP Tunnel, IP Tunnel, GRE Tunnel tabs.

12- Check if the ports in IP-> Services are activated without your knowledge.

13- Check if IP-> UPnP has been enabled without your knowledge, and whether any interface has been added without your knowledge in the Interfaces section on the same screen.

14- In the System-> Scheduler tab, check if a timer entry has been added without your knowledge.

15- Check if a record has been entered without your knowledge within the System-> Scripts tab.

16- Check if any file has been added in Files without your knowledge.

17- Check if a record has been entered in Radius without your knowledge.

18- In the Tools-> Netwatch tab, check if a record has been entered without your knowledge.

19- In the IP-> Cloud tab, check if the settings are activated without your knowledge.

Note: On the New Terminal screen, type export, press Enter and examine all settings.
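The export from the note above can also be triaged offline. The script below is an added example, not part of the original advisory or of Mikrotik's tooling: it parses a saved export and lists the entries behind checklist items 2, 4, 5, 6, 8, 9, 10, 11, 13, 14, 15, 17, 18 and 19 for manual review. It assumes RouterOS 6 menu paths and a compact export, and the sample export is constructed.

```python
import re

# Menus where every "add" line needs review (items 4, 6, 9, 11, 14, 15, 17, 18).
REVIEW_ADD = {
    "/ip dns static", "/ip socks access", "/ppp secret", "/interface eoip",
    "/interface ipip", "/interface gre", "/system scheduler",
    "/system script", "/radius", "/tool netwatch",
}
# Menus where "set <key>=yes" means the feature is on (items 2, 5, 8, 10, 13, 19).
REVIEW_SET = {
    "/ip dns": "allow-remote-requests", "/ip socks": "enabled",
    "/ip proxy": "enabled", "/ip upnp": "enabled", "/ip cloud": "ddns-enabled",
}
REVIEW_SET.update({f"/interface {p}-server server": "enabled"
                   for p in ("pptp", "sstp", "l2tp", "ovpn")})

def audit_export(text):
    """Return (menu, line) pairs from an export that need a manual look."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    menu, findings = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # export prints each menu path on its own line
        elif line.startswith("add ") and menu in REVIEW_ADD:
            findings.append((menu, line))
        elif line.startswith("set ") and menu in REVIEW_SET:
            key = re.escape(REVIEW_SET[menu])
            if re.search(rf"(^|\s){key}=yes(\s|$)", line):
                findings.append((menu, line))
    return findings

# Constructed sample export (not from a real device; documentation addresses).
SAMPLE = r"""/ip dns
set allow-remote-requests=yes servers=192.0.2.53
/ip dns static
add address=192.0.2.10 name=update.example.test
/ip socks
set enabled=yes
/system scheduler
add interval=30s name=task1 \
    on-event=task-script
/ip upnp
set enabled=no
"""
if __name__ == "__main__":
    print(*audit_export(SAMPLE), sep="\n")
```

Users, DNS server addresses, firewall rules, services and files (items 1, 3, 7, 12 and 16) are not covered by the script and still have to be checked by hand.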

So how can I be protected from attacks?

 

1- In the System-> Packages-> Check For Updates tab, select Channel: current, click Download & Install and wait for the device to reboot.

2- Create a new unique password for all users in System-> Users, including those still using old passwords.

3- Disable the unused services (telnet, ftp, ssh, www, api) in IP-> Services. Define the IP addresses that are allowed to reach the services you use. Restrict access to trusted IP addresses, especially for the Winbox port.

 

Special for Internet Service Providers

 

First of all, keep in mind that the attack can come not only from outside but also from inside your network. Anyone who can connect to your AP (transmitter) devices can use the attack application to obtain the device passwords, then, if forwarding is enabled, reach all your network devices, obtain the passwords on those devices and change or reset their settings.

1- Do not update only the routers or customer devices that have an external IP address while leaving the others below version 6.42. Bring all Mikrotik routers in your network to the current version.

2- On the Router, AP and End-user devices, set the Interface setting to None within the Discovery Settings button on the IP-> Neighbor tab.

3- Especially when setting passwords on your Router devices, include ASCII characters.

Resources:

Mikrotik official warning: https://blog.mikrotik.com/security/winbox-vulnerability.html
Mikrotik router security advice: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

 

 
