Another Day, Another IT Nightmare
MikroTik RouterOS has often been attacked, and once unwillingly contributed to creating a record-breaking botnet called Mēris. Any MikroTik device running RouterOS, including those managed through Winbox, needs to be patched immediately, and there are almost one million of them out there. The bug allows someone with admin access to the network device to grant themselves SuperAdmin, which is an amusing name for the level of privilege given to low-level software so it can make function calls and perform other basic tasks. A user with that much access could easily root the router or switch, make invisible changes to the OS, and ensure their activities cannot be monitored.
You might be wondering why this is so awful if you need to be an admin in order to exploit it; the reason is almost as bad as the bug. Not only does MikroTik's RouterOS ship with a built-in administrator account with the excessively obvious name admin, but until October 2021 its default password was blank. If you follow best practices and change or delete that account, RouterOS still has no password complexity requirements, so a lazy admin could use an easily guessable password. To make it even better, except for the SSH interface, RouterOS has absolutely no protection against brute-force password guessing.
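Since RouterOS itself will not throttle password guessing against Winbox or the web interface, the practical defence is to watch for it in the logs and to treat a successful login that follows a burst of failures as a probable compromise. The following script is an added example written for this article, not code from MikroTik or from the original post: it parses login events shipped to a syslog collector, flags any source address that racks up more than a threshold of failures inside a sliding time window, and then reports any login from such a source that eventually succeeded. The sample log lines are constructed for the example and only approximate the wording of RouterOS account messages; the timestamp prefix and hostname are assumed to come from the collector, so the regular expressions will need adjusting to your own export format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): a guessing burst against the
# default "admin" account over Winbox that ends in a successful login, two
# stray SSH failures from another source, and one ordinary login.
SAMPLE_LOG = """\
2023-07-25 10:01:02 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:01:04 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:01:06 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:01:08 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:01:10 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:01:12 router1 system,error,critical login failure for user admin from 203.0.113.7 via winbox
2023-07-25 10:01:14 router1 system,info,account user admin logged in from 203.0.113.7 via winbox
2023-07-25 10:05:00 router1 system,error,critical login failure for user ops from 198.51.100.4 via ssh
2023-07-25 10:05:30 router1 system,error,critical login failure for user ops from 198.51.100.4 via ssh
2023-07-25 10:06:00 router1 system,info,account user ops logged in from 192.0.2.10 via winbox
"""

# Assumed line layout: "<date> <time> <host> <topics> <message>".
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) \S+ "
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)$"
)
SUCCESS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) \S+ "
    r"user (?P<user>\S+) logged in from (?P<src>\S+) via (?P<svc>\S+)$"
)


@dataclass
class LoginEvent:
    ts: datetime
    host: str
    user: str
    src: str
    svc: str
    success: bool


def parse_events(text):
    """Turn raw log text into LoginEvent records, skipping unrelated lines."""
    events = []
    for line in text.splitlines():
        for regex, ok in ((FAILURE_RE, False), (SUCCESS_RE, True)):
            m = regex.match(line)
            if m:
                ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
                events.append(LoginEvent(ts, m["host"], m["user"], m["src"], m["svc"], ok))
                break
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map (host, src) -> peak number of failures seen inside any `window`.

    Only sources that reach `threshold` failures in a window are returned.
    """
    times = defaultdict(list)
    for e in events:
        if not e.success:
            times[(e.host, e.src)].append(e.ts)
    hits = {}
    for key, ts_list in times.items():
        ts_list.sort()
        lo = 0
        for hi in range(len(ts_list)):
            # Slide the window start forward until it fits within `window`.
            while ts_list[hi] - ts_list[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def suspicious_successes(events, hits):
    """Successful logins from a (host, src) pair that was already flagged."""
    return [e for e in events if e.success and (e.host, e.src) in hits]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = find_bruteforce(evs)
    for (host, src), n in flagged.items():
        print(f"{host}: {n} failures from {src} within 60s")
    for e in suspicious_successes(evs, flagged):
        print(f"ALERT {e.host}: '{e.user}' logged in from {e.src} via {e.svc} after guessing burst")
```

The threshold and window are deliberately loose; what matters more is the second check, because a successful login from an address that was just failing repeatedly is the event worth paging on. Running the same sweep with `threshold=2` will also surface the two SSH failures, which is useful for tuning but noisy in production.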
Patch ’em if you got ’em, and maybe consider tossing them and getting replacement network devices.
"'En masse' exploitation is going to be more difficult since valid credentials are required. However, as I outlined in the blog, the routers lack basic protections against password guessing," VulnCheck researcher Jacob Baines told BleepingComputer.