CERT MW has been informed of an active attack targeting MikroTik RouterOS devices. Attackers are identifying these devices by scanning public IP addresses for RouterOS-specific ports and for devices running older versions of the operating system. Once the vulnerability is exploited, malware is downloaded to the compromised devices.
The compromised device is then used to scan for other IP addresses and spread the malware.
CERT MW is aware that this attack is active. We strongly recommend investigating and patching any RouterOS devices on your network as soon as possible to prevent them from being compromised.

Systems affected

MikroTik RouterOS devices that are internet-accessible or have public IP addresses are affected by this vulnerability. These devices can be identified in a number of ways, including checking for devices listening on the Winbox port (8291), which is MikroTik-specific.
Exploiting this vulnerability requires the devices to be unpatched. It is prudent to work on the basis that all MikroTik RouterOS devices are vulnerable if they are running versions older than 6.41.3.
MikroTik RouterOS devices that are running versions older than 6.41.3 should be patched immediately and the passwords for all user accounts should be changed. Logs should be reviewed to identify any suspicious activity, such as connections to unknown IPs.
Read details about this vulnerability on the MikroTik website

What this means

All affected devices need to be patched to version 6.41.3 to prevent the device from being compromised.

How to tell if you’re at risk

If you are using a MikroTik RouterOS device, you are at risk of being compromised.
This device may be provided by your internet service provider (ISP).
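
The version check above, applied to a device inventory, as an added example that is not CERT MW's or MikroTik's own code. It assumes you can export each device's name, its RouterOS version string and whether it is internet-facing. The sample rows are constructed, and treating rc/beta builds and unreadable versions as unverified is an assumption made here, since the advisory names only release 6.41.3.

```python
import re

# Threshold from the advisory: versions older than 6.41.3 are treated as vulnerable.
FIXED = (6, 41, 3)
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(rc|beta)?")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = _VER.match(text.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] is not None

def needs_patch(version_text):
    """True when the version is older than 6.41.3 or cannot be verified."""
    parsed = parse_version(version_text)
    if parsed is None:
        return True  # fail closed on unreadable versions (assumption)
    numbers, prerelease = parsed
    # Compare as integers: as plain strings, "6.5" would sort above "6.41.3".
    return prerelease or numbers < FIXED

def triage(inventory):
    """Split (name, version, internet_facing) rows into three name lists."""
    exposed_unpatched, internal_unpatched, patched = [], [], []
    for name, version, internet_facing in inventory:
        if not needs_patch(version):
            patched.append(name)
        elif internet_facing:
            exposed_unpatched.append(name)  # the population being scanned for
        else:
            internal_unpatched.append(name)
    return exposed_unpatched, internal_unpatched, patched

# Constructed sample inventory; names and versions are illustrative only.
SAMPLE = [
    ("edge-rtr-1", "6.40.5 (stable)", True),
    ("edge-rtr-2", "6.41.3 (stable)", True),
    ("lab-rtr", "6.5", False),
    ("branch-rtr", "6.42rc27 (testing)", True),
    ("cpe-unknown", "unknown", True),
]

if __name__ == "__main__":
    exposed, internal, patched = triage(SAMPLE)
    print("patch first, change passwords, review logs:", exposed)
    print("patch as well:", internal)
    print("at or above 6.41.3:", patched)
```
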

Mitigation

Ensure that any MikroTik RouterOS devices are patched to version 6.41.3.
If these devices cannot be patched, the use of the devices should be reconsidered, as there are no other controls to mitigate this vulnerability.
Configure the device using the vendor’s recommended practices.
Read MikroTik’s patch documentation and access the patch files.
Read MikroTik’s configuration recommendations.