A Russian-speaking grey-hat hacker is breaking into people’s MikroTik routers and patching devices so they can’t be abused by cryptojackers, botnet herders, or other cyber-criminals.
The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
Alexey has not been trying to hide his actions and has boasted about his hobby on a Russian blogging platform. He says he accesses routers and makes changes to their settings to prevent further abuse.
“I added firewall rules that blocked access to the router from outside the local network,” Alexey said. “In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”
But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said “thanks,” but most were outraged.
The vigilante server administrator says he has only been fixing routers that their owners have not patched against a MikroTik vulnerability that came to light in late April. At the time, the vulnerability (tracked as CVE-2018-14847) was a zero-day, but MikroTik rolled out a fix in record time. Nonetheless, cyber-criminals quickly jumped on board to exploit the flaw on devices that were never updated.
CVE-2018-14847 is a very convenient vulnerability for attackers: a directory-traversal flaw in the Winbox management service lets an unauthenticated remote client read arbitrary files from the device, including the user database file, which amounts to a full authentication bypass. Attackers decrypt this file and then use one of the recovered username and password combos to log into the router, change its settings, and run various scripts.
For the past five and a half months, the vulnerability has mainly been used to plant cryptojacking scripts on outdated MikroTik routers and to change the routers' DNS settings so that user traffic is redirected towards malicious sites.

This wouldn’t be much of an issue, but MikroTik is one of today’s most popular router brands: there are over two million MikroTik routers around the globe.
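The fix Alexey describes, blocking management access from outside the local network, is also what an owner should apply after updating RouterOS. The following is an added example of a RouterOS firewall and service configuration, not the article's or Alexey's actual rules. It assumes the default interface lists named WAN and LAN exist and that the LAN subnet is 192.168.88.0/24; adjust both to the device at hand.

```routeros
# Added example (not from the article): keep RouterOS management services off the Internet.
# Assumes the default interface lists "WAN" and "LAN" and a LAN subnet of 192.168.88.0/24.

# 1. Run a RouterOS version that contains the CVE-2018-14847 fix before anything else.
/system package update
check-for-updates
install

# 2. Input chain: accept replies and LAN-side management, drop everything unsolicited from WAN.
#    Rules are evaluated top-down, so on a router with existing rules use place-before=
#    instead of appending.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router itself started"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept \
    comment="Winbox, WebFig, SSH and DNS only from the LAN"
add chain=input protocol=tcp dst-port=8291 in-interface-list=WAN action=drop \
    comment="Winbox (CVE-2018-14847 attack surface) must not be reachable from the Internet"
add chain=input in-interface-list=WAN action=drop \
    comment="every other unsolicited packet arriving on the WAN side"

# 3. Bind the services themselves to the LAN subnet and disable what is not needed,
#    so a later firewall mistake does not re-expose them.
/ip service
set winbox address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
disable telnet,ftp,api,api-ssl

# 4. On a router that was already exposed: assume the user database was read. Change every
#    password, then look for planted scripts, scheduler entries and altered DNS servers.
/user print
/system script print
/system scheduler print
/ip dns print
```

The dedicated port 8291 rule is redundant with the final WAN drop; it is there so the intent is visible and so its packet counter shows whether anyone is still probing. The final WAN drop also blocks ICMP and any inbound VPN; if remote management is genuinely needed, accept it only from a VPN or a small address list rather than reopening Winbox to the world.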
Alexey’s vigilante spree may be illegal, but he is definitely not the first.
In 2014, a hacker accessed thousands of ASUS routers and planted text warnings inside computers with shared folders and hard drives that were located behind those routers, warning users to patch their ASUS device.
In late 2015, a team of vigilante hackers going by the name of the White Team launched the Linux.Wifatch malware that closed security holes on a variety of Linux-based routers. At one point, the White Team’s botnet became so big it battled with the botnet of the infamous Lizard Squad team for the title of the Internet’s largest botnet.
In 2017, a hacker made over 150,000 printers spew out a message to their owners to raise awareness about the danger of leaving printers exposed online.
In 2018, another vigilante renamed tens of thousands of MikroTik and Ubiquiti routers to “HACKED” and other messages to get owners’ attention to update their devices.