Mikrotik has for years been a leading vendor of inexpensive, popular and flexible network equipment, but that same popularity and flexibility make its devices an attractive target, and a weakness in them quickly becomes a widespread security problem.
According to Mikrotik, a newly discovered botnet breaks into Mikrotik devices through the Winbox management service (TCP port 8291 by default) on routers that expose it to the Internet. Once inside, the attackers use the devices for DDoS attacks, access to data on the internal network, DNS hijacking and similar abuse. For the owner this shows up as bandwidth congestion, increased data usage, slower connections and serious security problems on the user's service.
To resolve this problem, the following steps should be taken:
- Update RouterOS on every device to the latest version available on the Mikrotik website. Affected versions:
  - All bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23
  - All current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23
  - All RC releases from 6.29rc1 to 6.43rc3, fixed in 6.43rc4 on 2018-Apr-23
- Change the password of every account to a long, unique one; the existing passwords should be treated as compromised.
- Compare the configuration against a known-good backup and remove any new or unknown entries, especially in the SOCKS, Scripts, Scheduler, Web Proxy and PPTP Server sections, as well as any additional users and any unknown entries in the RADIUS section.
- In the Files section, delete any files you did not put there yourself (including Mikrotik.php and autosupout.rif).
- Change the default ports of Winbox, WebFig and any other management service that must remain reachable from the Internet, and disable the ones you do not need.
- Apply firewall rules on the router's input chain following the Mikrotik firewall guide, so that management services are reachable only from trusted addresses.
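The following RouterOS 6.x terminal session walks through the checklist above on one device. It is an added example, not a script from the Mikrotik advisory; the WAN interface name (ether1), the trusted management network (192.168.88.0/24), the new Winbox port (18291) and the placeholder password are assumptions that must be adapted before use.

```routeros
# Added example, not Mikrotik's own script. Assumed values: ether1 is the WAN
# uplink, 192.168.88.0/24 is the trusted management network, Winbox moves to
# TCP 18291. Replace the password placeholder before running.

# Keep a copy of the current (possibly tampered) configuration for later comparison.
/export file=before-cleanup

# 1. Upgrade to a fixed release (6.40.8 / 6.42.1 / 6.43rc4 or later).
#    The install step reboots the router.
/system package update set channel=current
/system package update check-for-updates
/system package update install

# 2. Reset credentials; the old ones are treated as compromised.
/user set [find name="admin"] password="CHANGE-ME-long-random-passphrase"
# Remove any account you did not create yourself after reviewing this list:
/user print

# 3. Review the sections the botnet is known to modify and remove anything unknown.
/ip socks print
/system script print
/system scheduler print
/ip proxy print
/interface pptp-server server print
/radius print
/file print

# Services the router does not need are switched off outright.
/ip socks set enabled=no
/ip proxy set enabled=no
/interface pptp-server server set enabled=no

# Delete the files named in the advisory (and any other file you did not upload).
/file remove [find name="Mikrotik.php"]
/file remove [find name="autosupout.rif"]

# 4. Move Winbox off its default port, bind it to the management network,
#    and disable management services that are not in use.
/ip service set winbox port=18291 address=192.168.88.0/24
/ip service disable [find name~"^(telnet|ftp|www|api|api-ssl)$"]

# 5. Input-chain firewall: established traffic and management from the trusted
#    network are allowed, everything else arriving on the WAN is dropped.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall address-list add list=mgmt address=192.168.88.0/24
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing sessions"
add chain=input action=drop connection-state=invalid comment="drop invalid packets"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=accept src-address-list=mgmt protocol=tcp dst-port=18291,22 comment="Winbox/SSH from mgmt only"
add chain=input action=drop in-interface-list=WAN comment="drop all other traffic to the router from the Internet"
```

Run the `print` commands first and read their output before issuing any `remove`: a scheduler entry or script you did not create is the clearest sign of compromise, and its contents often show what else was changed. The firewall rules are ordered so that the final drop only affects traffic aimed at the router itself on the WAN side; forwarded traffic is not touched by the input chain.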