We’ve had a handful of customer routers leased from us that we somehow weren’t billing for, and therefore were off our radar and not getting updated. Until recently, we would be able to log into the hacked router remotely, remove the SOCKS proxy and a few other items, update the firmware, and all was good. There might have been a second admin account added, but we could just delete it.
More recently, we’ve found a few that we’ve been locked out of; our login credentials don’t work. We still have SNMP read access, and can see that the firmware has been updated. Maybe it’s the guy in the article. If so, I don’t think he’s doing us any favors. Basically we end up shipping the customer a whole new router, because it’s simpler than picking up the old one, bringing it back and doing a netinstall (once it’s been hacked this bad I don’t trust any other method), then configuring it and getting it back to the customer. So all this guy is doing is costing us a bunch of money replacing routers. I don’t like the vigilante’s assumption that the fix is to firewall the router so only the customer can manage it; that’s not helpful if the customer expects the ISP to be able to access the router. The article says he is installing firewall rules, but what I’m seeing is credentials changed, so maybe there’s more than one vigilante? I also think the description of what the hacked routers are being used for is not correct, at least that’s not what I’ve seen on our customer routers that have been hacked. I haven’t seen any evidence of cryptocurrency mining or DNS redirection. I think they are being used as proxy servers to stream video from the US to other countries. That would explain the SOCKS proxy and the upstream traffic around what a Netflix or Hulu stream would use.

From: AF <[email protected]> On Behalf Of Eric Muehleisen
Sent: Monday, October 15, 2018 9:48 AM
To: [email protected]
Subject: [AFMUG] A mysterious grey-hat is patching people's outdated MikroTik routers

https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/

Alright! Which one of you guys is this?
-- AF mailing list [email protected] http://af.afmug.com/mailman/listinfo/af_af.afmug.com
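The three indicators the post describes on compromised customer routers (SOCKS proxy switched on, an extra admin account, firmware left unpatched) can be checked from a RouterOS config export before a router drops off the radar. The script below is an added example, not code from the list or from MikroTik; the export text is constructed, and the expected-user set and minimum version are placeholder assumptions an ISP would replace with its own.

```python
import re

# Constructed sample in RouterOS "/export" style; not taken from any real router.
SAMPLE_EXPORT = """\
# oct/15/2018 09:48:00 by RouterOS 6.38.5
/ip socks
set enabled=yes port=1080
/user
add name=admin group=full
add name=support group=full
add name=service group=full
"""

EXPECTED_USERS = {"admin", "support"}  # accounts the ISP provisioned (assumption)
MIN_SAFE_VERSION = (6, 42, 7)           # placeholder threshold; set to your patched baseline


def parse_version(text):
    """Return the RouterOS version from the export header as a tuple, or None."""
    m = re.search(r"by RouterOS (\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def audit_export(text):
    """Flag the indicators described in the post; returns a list of finding strings."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):          # section header, e.g. "/ip socks" or "/user"
            section = line
            continue
        if section == "/ip socks" and line.startswith("set") and "enabled=yes" in line.split():
            findings.append("socks_proxy_enabled")
        if section == "/user" and line.startswith("add"):
            m = re.search(r"\bname=(\S+)", line)
            if m and m.group(1) not in EXPECTED_USERS:
                findings.append(f"unexpected_user:{m.group(1)}")
    ver = parse_version(text)
    if ver is None or ver < MIN_SAFE_VERSION:
        shown = ".".join(map(str, ver)) if ver else "unknown"
        findings.append(f"outdated_firmware:{shown}")
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f)
```

Run it against the output of `/export` collected from each leased router; an empty result means none of the three indicators was present.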
