Hacker Alexey, who protects MikroTik routers without the permission of the owners, became famous

On Habré , they were told in detail about the CVE-2018-14847 vulnerability , which affects about 370 thousand MikroTik routers around the world (including 40 thousand in Russia) . In short, the vulnerability in MikroTik RouterOS allows, without special authorization, to read remotely any file from the router, including badly protected access passwords.

Although the patch was released very quickly in April, many router owners do not follow the updates. As a result, their devices remain vulnerable and are included in the IoT botnets used by intruders. Over the past few months, several cases have been registered where through vulnerable MikroTik routers installed Coinhive scripts for mining in the browser and configured DNS redirect to malicious sites . The situation worsened on October 5, when a new exploit called By The Way for CVE-2018-14847 was released.
')
But not all hackers are ready to use users' carelessness and make money on it. Some are trying to help. Recently, the popular Western publication ZDNet spoke about the "mysterious Russian-speaking hacker" who "hacks routers and patches them without the permission of users." In fact, we are talking about LMonoceros habrauser , which can now be considered a celebrity.

In his last article, Alexey said that he gets access to routers and makes changes to their settings in order to prevent further abuse.

Alexey works as a server administrator. Technically, his noble activities fall under several articles of the criminal code, so it would be prudent to maintain anonymity. But judging by this, he is not keen on this: as ZDNet writes, the specialist “boasted about his hobby on the Russian blog platform.” It is easy to guess that we are talking about the article “Why Mikrotik hackers and how I hid 100 thousand RouterOS from a botnet” , which LMonoceros published on Habré on September 27, 2018.


The distribution map of vulnerable devices as of September 2018, Illustration: Kaspersky Lab

Alexey says that by now the patch has already made 100 thousand vulnerable routers. “I added firewall rules that blocked access to a router not from a local network,” he wrote. “I wrote information about the vulnerability in the comments and left the address of the telegram channel @router_os where you can ask questions.” Instructions for configuring the firewall also previously published on Habré .


Apparently, this editing configs , which the administrator complained about, was made by another well-wisher. He does not write the address of the telegram channel, but indicates the number of the wallet

Note that today (October 15, 2018) there are already 1080 participants on RouterOs Security channel. They discuss the situation with the vulnerability of the “Mikrotik” every day.

MikroTik is one of the most popular brands of routers today. There are more than two million MikroTik routers operating around the world. According to some researchers, now more than 420 thousand of them are involved in IoT botnets and participate in mining.

Despite setting the firewall settings for more than 100,000 users, Alexey says that only 50 people applied via Telegram. Some said thank you, but most were outraged.

Technically illegal activity of Alexei is worthy of respect, but he is not the first who acts as nobly, reminds ZDNet . For example, in 2014, a hacker got access to thousands of ASUS routers and posted text warnings on computers with shared folders that were behind these routers, warning users about the need to close the vulnerability.

At the end of 2015, the White Team hacker group released a “malware” Linux.Wifatch , which covered security holes in various Linux-based routers. At some point, the White Team botnet became so big that it began to fight with the botnet of the infamous Lizard Squad group for the title of the largest botnet on the Internet.

Finally, quite recently, in 2018, an unknown hacker renamed tens of thousands of MikroTik and Ubiquiti routers in order to attract the attention of the owners to update their devices. The devices have received names like "HACKED FTP server", "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED" and "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD".

Despite the efforts of noble hackers, the security situation of IoT devices remains deplorable. But it's nice to realize that thanks to its useful activity, the Russian specialist LMonoceros has now really become famous.

New Year's ACTION GlobalSign: 50% DISCOUNT for Wildcard certificates.