How to protect your mikrotik routeros
![how to protect your mikrotik routeros how to protect your mikrotik routeros](https://miro.medium.com/max/1124/1*3Ya0HoOgmxoTnVAkla84cA.png)
For instance, a hacking group was found peddling Monero-mining malware that targets IoT devices. Given the popularity of cryptocurrency mining, it’s no surprise that threat actors are joining the bandwagon. Default credentials are then used to try to hijack them. Trend Micro researchers also uncovered Mirai-like activities that scan for vulnerable internet-of-things (IoT) devices such as routers, IP cameras, and digital video recorders (DVRs). MikroTik routers were also compromised as part of the Operation Slingshot cyberespionage campaign, which used them to gain a foothold into the systems of their targets of interest. Vulnerabilities in MikroTik RouterOS-based devices were also exploited to add them to a botnet. This was seen as the hacker's attempt to evade detection.
HOW TO PROTECT YOUR MIKROTIK ROUTEROS UPDATE
The malicious script modifies system settings, enables proxy, schedules tasks to update itself, and creates a backdoor. Researchers also identified a script used for when the attacker finds a new, vulnerable router. The malicious Coinhive script is now just injected in error pages returned by the router to keep a low profile.
![how to protect your mikrotik routeros how to protect your mikrotik routeros](https://i.ytimg.com/vi/VhOgzs8prrE/maxresdefault.jpg)
![how to protect your mikrotik routeros how to protect your mikrotik routeros](https://jcutrer.com/wp-content/uploads/2020/05/mikrotik-upgrade-6.47.png)
Given the heavy performance issues and increased network traffic malicious cryptocurrency mining can cause, the campaign’s operators realized that the attacks drew the attention of ISPs and security researchers and shifted tactics. The user can still be affected even if connected to the vulnerable router’s wireless network. Successfully exploiting the vulnerability grants the attacker unauthorized admin access to devices, allowing them to inject a malicious version of Coinhive script into every webpage that users visit. Successfully exploiting the vulnerability would let attackers use tools that can connect to the Winbox port (8291) and “request access system user database files.” Winbox enables users to remotely configure their devices online. The vulnerability, which doesn’t have the typical CVE identifier, was disclosed in April 2018 and accordingly patched. The cryptojacking campaign exploits a security flaw in Winbox, a remote management service bundled in MikroTik routers’ operating system, RouterOS. What vulnerability did this cryptojacking campaign exploit? In fact, researchers saw cases where non-MikroTik routers were also affected, most likely because the internet service providers (ISPs) in Brazil use MikroTik routers in their main networks. This indicates that users or organizations using a vulnerable MikroTik router are susceptible to cryptojacking.
![how to protect your mikrotik routeros how to protect your mikrotik routeros](https://documents.trendmicro.com/images/TEx/articles/20180416042948908-405-mqdhayf-800.jpg)
While the majority of the routers were in Brazil, researchers also noted that the attacks are now also spreading outside the country. As of this writing, over 200,000 MikroTik routers have already been compromised. The initial phase of the cryptojacking campaign reportedly hacked 72,000 MikroTik routers in Brazil. Here’s what you need to know about this threat: What happened? Security researchers uncovered a cryptojacking campaign - where attackers hijack systems to conduct cryptocurrency mining - that injects a malicious version of Coinhive, a web-based cryptocurrency miner, by exploiting a vulnerability in MikroTik routers.