12 Jan 2018

Tens of thousands of defaced MikroTik and Ubiquiti routers available online

Tens of thousands of MikroTik and Ubiquiti routers are currently reachable online bearing alarming hostnames such as "HACKED FTP server," "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED," or "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD."

In reality, these devices have not been hacked, only defaced, and the renaming appears to be the work of a prankster or vigilante. The attackers are not taking over the devices; they merely change the devices' names (hostnames) as a warning to the owners, hoping that users will take action and secure their routers.

Spotted by Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specializing in IoT security, these benign hacks have been going on since last summer. Speaking to Bleeping Computer, Anubhav says he first spotted these defacements last July, when he found over 36,000 Ubiquiti routers with strange hostnames [1, 2, 3], a number that has since grown to over 40,000. The hostnames of the defaced Ubiquiti routers are the same ones used in a 2016 campaign in which hackers changed Ubiquiti router logins to username "mother" and password "fucker".

Last year's and the recent Ubiquiti defacements don't appear to change the user's password like in the 2016 campaign, but only the router's hostname. But the Ubiquiti attacks are well known by this point in time, at least in the infosec community. Less known are the recent attacks on MikroTik devices, spotted by Anubhav earlier this week.

Anubhav detected over 7,300 defaced routers, which is about 1.3% of all MikroTik devices available online. The attacks caused some initial panic because nobody knew how they were taking place. An initial analysis led Anubhav and fellow security researcher Dr. Vesselin Bontchev to speculate that the attacks were being carried out using an exploit included in the WikiLeaks Vault 7 files (documentation for CIA cyber-weapons).

Last year, a security researcher reverse-engineered this exploit, known as Chimay Red, and published the code on GitHub, forcing MikroTik to issue a firmware update. However, after taking a closer and longer look at the hacked devices, Anubhav noticed that some of the defaced devices were running firmware versions that had already been patched against the Chimay Red exploit.

Default credentials are the most likely cause

Things cleared up when Anubhav found users complaining on the MikroTik forums about defaced devices, admitting they were using default or no credentials. "Looks like somebody made a script that logs into unprotected devices and changes the identity name," said a MikroTik spokesperson. "[MikroTik] RouterOS devices do have a password and firewall by default, but many remove those for unknown reasons."

The vigilante prankster behind the MikroTik attacks could have done much more harm with such a script. Instead, he just opted to rename the router's FTP server hostname to "HACKED FTP server." We understand that running a secure home router is sometimes too difficult for users with no technical skills.
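A defender's counterpart to the script the MikroTik spokesperson describes, added here as an example (it is not from the article, from BleepingComputer or from MikroTik): a RouterOS CLI snippet that checks whether the identity and exposed services have been touched and restores the admin password and input firewall that the article says users remove. The interface name ether1 (WAN) and the LAN range 192.168.88.0/24 are assumptions.

```routeros
# Added example, not the article's or MikroTik's own code.
# Assumptions: ether1 is the WAN interface, 192.168.88.0/24 is the LAN.

# 1. Check whether the defacement script has already renamed the router.
/system identity print

# 2. See which management services are enabled and from which addresses.
/ip service print

# 3. Set a real admin password (the weak state in the article is admin with
#    a default or empty password). Replace the placeholder before running.
/user set admin password="CHANGE-ME-long-unique-passphrase"

# 4. Disable the plaintext services a login script can reach, and restrict
#    the remaining ones to the LAN.
/ip service disable telnet,ftp,www,api
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 5. Restore the default-style input firewall: keep established traffic,
#    drop new connections arriving from the WAN side.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="accept established"
/ip firewall filter add chain=input in-interface=ether1 connection-state=new action=drop comment="drop new from WAN"

# 6. Review recent logins for unexpected source addresses or services.
/log print where message~"logged in"
```

Step 6 is the check to run first on a device that already carries one of the "HACKED" identities, since it shows which service the script logged in through.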


Tags: information leaks, DDoS, Internet of Things
Source: BleepingComputer