A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year. The new attack method found by Tenable Research exploits the same vulnerability, but takes it one step further.
Since the original Winbox issue, identified as CVE-2018-14847, was already patched back in April, we urge all MikroTik users to upgrade their devices to any recently released version, and as a precaution also change their passwords and inspect their configuration for unknown entries.
Please note that all of the recently released CVE entries have been fixed in RouterOS for several months; none of the newly discussed issues affect current products. More information is available from Tenable, and in the original post about the fixed issue (later called CVE-2018-14847), which includes more suggestions.
In short:
Regardless of the version used, all RouterOS versions that have the default firewall enabled are not vulnerable
If the user has manually disabled the default firewall, their device might be vulnerable to CVE-2018-14847, which was patched in April
The newly revealed exploit relies on the above, already patched issue
Please upgrade, change your password and inspect the configuration for irregularities
I also got a similar email on the 28th. I changed my password, and then literally on the night of 6–7 November two spam tweets went out from my account. As I found out later, the password had leaked through an app on FB that reposts tweets to FB.
[14:28:17] Олег [Lifz]: hallelujah)
[14:28:39] Олег [Lifz]: so what was the problem?
[14:28:44] the guy from Skype: yeah, those ****s
[14:28:49] the guy from Skype: stepped on the same rake again
Welcome to Riga.
my 7+ didn't turn into one
Statement from MikroTik:
Many of you have asked, what is this Mēris botnet that some news outlets are discussing right now, and if there is any new vulnerability in RouterOS.
As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability that was quickly patched.
Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change your password, re-check that your firewall does not allow remote access to unknown parties, and look for scripts that you did not create.
We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.
As far as we know right now, there are no new vulnerabilities in these devices. RouterOS has recently been independently audited by several contractors.
If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you, especially if this configuration APPEARED NOW, RECENTLY, WHILE RUNNING A NEW ROUTEROS RELEASE: Please contact us immediately.
More specifically, we suggest disabling SOCKS and looking in the System -> Scheduler menu. Disable all rules you can't identify. By default, there should be no Scheduler rules, and SOCKS should be off.
— I work at MT.
Blah, blah, blah — we apologise, but we cannot send you the disk; however, you can download the archive at such-and-such link.
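The checks the statement recommends (SOCKS off, no unknown Scheduler entries, plus the scripts, user accounts and exposed services a 2018-era compromise would have left behind), as an added RouterOS terminal script that is not part of MikroTik's statement. It only reports; the "AUDIT:" prefix is a constructed label, and what to remove is left to the administrator who knows the device.

```routeros
# Added example, not from MikroTik's statement: read-only audit of the items
# the statement tells you to inspect after a suspected 2018-era compromise.
# Paste into a RouterOS terminal; nothing below changes configuration.

# 1. SOCKS is off on a default configuration.
:if ([/ip socks get enabled] = true) do={
    :put ("AUDIT: SOCKS proxy is ENABLED on port " . [/ip socks get port] . " (disable with: /ip socks set enabled=no)")
} else={
    :put "AUDIT: SOCKS proxy is disabled (expected)"
}

# 2. A default configuration has no Scheduler entries; every entry here needs a known owner.
:foreach s in=[/system scheduler find] do={
    :put ("AUDIT: scheduler '" . [/system scheduler get $s name] . "' interval=" . [/system scheduler get $s interval] . " on-event: " . [/system scheduler get $s on-event])
}

# 3. Scripts you did not create; the source is printed so it can be reviewed.
:foreach sc in=[/system script find] do={
    :put ("AUDIT: script '" . [/system script get $sc name] . "' source: " . [/system script get $sc source])
}

# 4. User accounts: the 2018 issue exposed credentials, so an upgrade alone does not evict an attacker.
:foreach u in=[/user find] do={
    :put ("AUDIT: user '" . [/user get $u name] . "' group=" . [/user get $u group])
}

# 5. Management services still enabled (winbox, www, api, ssh, telnet, ftp) and who may reach them.
:foreach sv in=[/ip service find disabled=no] do={
    :put ("AUDIT: service " . [/ip service get $sv name] . " port=" . [/ip service get $sv port] . " allowed-from=" . [/ip service get $sv address])
}

# 6. The input chain: a default firewall drops unsolicited traffic to the router itself,
#    which is what keeps CVE-2018-14847 unreachable. Review it if it has been edited.
/ip firewall filter print where chain=input
```

An empty Scheduler list, no scripts, only accounts you created, and an input chain that drops unknown sources are the expected results; anything else should be compared against your own change history before it is removed.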
“Download a copy of your Facebook data” at the link below:
https://www.facebook.com/settings
I'm talking with one of them right now via the FB chat; he can't really say anything.