VPNfilter official statement

Thu May 24, 2018 8:24 am

Cisco informed us on May 22nd of 2018, that a malicious tool was found on several manufacturer devices, including three devices made by MikroTik. We are highly certain that this malware was installed on these devices through a vulnerability in MikroTik RouterOS software, which was already patched by MikroTik in March 2017*. Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability. Let us know if you need more details. Upgrading RouterOS is done by a few clicks and takes only a minute.

To be safe against any kinds of attacks, make sure you secure access to your devices:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

P.S: The name VPNfilter is only a code name of the malware that was found (more specifically, a fake executable name). The modus operandi of this tool has no relation to VPN tunnels. In basic terms, the malware could either sniff certain types of traffic and send it somewhere, or destroy the routers.

*: viewtopic.php?f=21&t=132499

DhrSoulslayer · Thu May 24, 2018 9:55 am

Thanks for the heads-up.

Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?

Thu May 24, 2018 9:57 am

Thanks for the heads-up.

Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?

The vulnerability in question was fixed in March 2017:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;

ITDave · Thu May 24, 2018 10:20 am

Hi Normis,

Found this IT News Article today saying Mikrotik devices are in the list for being at risk to being Hacked. What’s your take on this article??
https://www.itnews.com.au/news/hackers- ... ces-491582

Thu May 24, 2018 10:31 am

Hi Normis,

Found this IT News Article today saying Mikrotik devices are in the list for being at risk to being Hacked. What’s your take on this article??
https://www.itnews.com.au/news/hackers- ... ces-491582

please read the first post in this thread.

levicki · Thu May 24, 2018 10:32 am

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.

Thu May 24, 2018 10:33 am

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.

We do have in-depth analysis materials from the Cisco Talos team. They also said they think it is using the same vulnerability that was pubished/known. We also have conducted a thorough code review after the previous vulnerability.

levicki · Thu May 24, 2018 10:41 am

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.
We do have in-depth analysis materials from the Cisco Talos team. They also said they think it is using the same vulnerability that was pubished/known. We also have conducted a thorough code review after the previous vulnerability.

Thanks for the quick response, that is good to know and quite reassuring.

UPDATE:
FBI has seized and sinkholed toknowall.com domain, here is a copy of an affidavit (PDF).

djdrastic · Thu May 24, 2018 12:51 pm

Thanks for the prompt response Normis.

I assume people that were using the quickset dynamic dns vpn and appropriate firewall rules + updated fw would have been invunerable to these attacks ?

Thu May 24, 2018 12:56 pm

Thanks for the prompt response Normis.

I assume people that were using the quickset dynamic dns vpn and appropriate firewall rules + updated fw would have been invunerable to these attacks ?

Any RouterOS version with firewall on the www port from untrusted networks was always safe. The original vunlerability that was fixed in march 2017 was only affecting you, if the www port 80 (webfig) was open to untrusted networks.

Thu May 24, 2018 1:51 pm

Normis, do not citate the previous post.

gmsmstr · Thu May 24, 2018 3:52 pm

As always, great job guys.

Nenad · Thu May 24, 2018 4:29 pm

This is great news, but why have I had to dig this info out from the forum? Why isn't this statement on the Mikrotik home page, somewhere in the news section?

R1CH · Thu May 24, 2018 4:40 pm

How do you know for sure it was the www exploit that was used instead of for example the more recent winbox exploit?

martinm · Thu May 24, 2018 4:43 pm

Hi, after the the linked news/thread back in March (viewtopic.php?f=21&t=132499) I checked patch levels - or at least thought I had.

On rechecking with the latest set of news today, it became clear to me that I've been applying upgrades incorrectly for a long time - I have only been upgrading the RouterOS packages (bang up to date now, and never far behind), not the Routerboard firmware, which was really old (3.x).

1/ Would this partial upgrade have potentially left me open to this attack? I'm hoping not, and that the firmware is basically just a bootloader.

2/ Particularly if the answer to the above is 'yes', it would be great to have reassurance that upgrading the firmware (which I have now done) as well as the packages would definitely clear the malware. I know Mikrotik has said 'yes' to this before. However, it would be good to have confirmation that - as far as Mikrotik is aware - the malware has not evolved the ability to protect itself against removal, given that we appear to be talking about a state actor that has had since March to develop this defence.

3/ (Unrelated to this thread, really) What level of general exposure would I have had from not updating firmware over a long period of time?

I have had a pretty restrictive set of firewall rules applied - there should be no access from the Internet for anything except L2TP VPN connections. Hopefully that would have mitigated the attack on its own. But it would be great to have an answer to 1/ that would apply even if I had made a mistake in those firewall rules, as it appears I'm incapable of applying an update

Cheers,

Martin

Thu May 24, 2018 5:01 pm

Exploit was in RouterOS, so if you upgraded only RouterOS and left old bootloader you are safe.

martinm · Thu May 24, 2018 5:06 pm

Thanks mrz for the fast reply.

anav · Thu May 24, 2018 5:12 pm

Thanks for the update and the reminder (link) to the good security practices page!

Thu May 24, 2018 5:21 pm

.....Found this IT News Article today saying Mikrotik devices are in the list for being at risk to being Hacked. ....

Isn't strange that all these news inform that many devices are volunerable but CISCO ones are free from the problem?

investigating the malware, which targets devices from Linksys, MikroTik, Netgear, TP-Link and QNAP, advising users to install security updates. .... Cisco Systems, which has been investigating the threat for several months....

For me it seems to be some kind of "gray PR" (gray means that I do not want use the "black" word yet) but it resambles a little the "Volkswagengate" in the USA.

anav · Thu May 24, 2018 5:35 pm

BartosP are you working for juniper ;-P
CISCO has their own issues, they are not virginal.
https://www.bankinfosecurity.com/200000 ... ed-a-10788
https://www.scmagazine.com/cisco-patche ... le/740572/
https://www.fliegerfaust.com/cyber-atta ... 49185.html

Modestas · Thu May 24, 2018 6:03 pm

BartosP are you working for juniper ;-P

Nokia-Alcatel-Lucent has strong presence in Poland with numerous competence centers, Juniper perhaps doesn't

Anyway, it's great to see prompt statement and clarification from Mikrotik on this threat.
I wonder if Mikrotik offers some mailing list for customers to receive alerts on security issues, detected vulnerabilities and remedies/corrections.

anav · Thu May 24, 2018 6:33 pm

BartosP are you working for juniper ;-P
Nokia-Alcatel-Lucent has strong presence in Poland with numerous competence centers, Juniper perhaps doesn't

You mean Roland or PPoland They are on the slippery slope of being pwned by he who shall not be named!! No happy face! - makes me sad.

Thu May 24, 2018 8:47 pm

.... in Poland ....
You mean Roland or PPoland ...

Anav ... problems with reading? What do you want to be explained more?

P like Planet
O like On Networks
L like Lucent
A like Alcatel
N like Nokia
D like D-Link

TomjNorthIdaho · Thu May 24, 2018 9:19 pm

Can somebody please tell me what this log information is (in dark red below containing warning denied winbox/dude connect from?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here ? **

This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other Mikrotik admins.
And note - I have the following /ip/service in my configuration:
/ip service
set telnet address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks))) disabled=yes
set ftp address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set www address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set ssh address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks))) disabled=yes
set www-ssl address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set api address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set winbox address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set api-ssl address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))

11:00:33 warning denied winbox/dude connect from 213.57.88.215
11:00:39 warning denied winbox/dude connect from 168.194.108.144
11:00:47 warning denied winbox/dude connect from 94.230.25.2
11:00:51 warning denied winbox/dude connect from 213.177.66.226
11:00:52 warning denied winbox/dude connect from 43.229.63.228
11:00:53 warning denied winbox/dude connect from 198.233.88.218
11:01:00 warning denied winbox/dude connect from 191.6.164.82
11:01:01 warning denied winbox/dude connect from 191.6.164.154
11:01:03 warning denied winbox/dude connect from 213.57.88.215
11:01:05 warning denied winbox/dude connect from 94.230.25.2
11:01:16 warning denied winbox/dude connect from 119.18.39.159
11:01:17 warning denied winbox/dude connect from 94.230.25.2
11:01:21 warning denied winbox/dude connect from 213.177.66.226
11:01:27 warning denied winbox/dude connect from 94.142.173.34
11:01:33 warning denied winbox/dude connect from 213.57.88.215
11:01:48 warning denied winbox/dude connect from 94.230.25.2
11:01:57 warning denied winbox/dude connect from 213.57.88.215
11:01:58 warning denied winbox/dude connect from 168.194.108.144
11:02:01 warning denied winbox/dude connect from 191.6.164.82
11:02:01 warning denied winbox/dude connect from 191.6.164.154
11:02:03 warning denied winbox/dude connect from 213.57.88.215
11:02:08 warning denied winbox/dude connect from 198.233.88.218
11:02:13 warning denied winbox/dude connect from 119.18.39.159
11:02:17 warning denied winbox/dude connect from 94.230.25.2
11:02:21 warning denied winbox/dude connect from 213.177.66.226
11:02:22 warning denied winbox/dude connect from 43.229.63.228
11:02:33 warning denied winbox/dude connect from 213.57.88.215
11:02:44 warning denied winbox/dude connect from 94.142.173.34
11:02:46 warning denied winbox/dude connect from 119.18.39.159
11:02:51 warning denied winbox/dude connect from 213.177.66.226
11:03:01 warning denied winbox/dude connect from 191.6.164.82
11:03:02 warning denied winbox/dude connect from 191.6.164.154
11:03:03 warning denied winbox/dude connect from 94.230.25.2
11:03:03 warning denied winbox/dude connect from 213.57.88.215
11:03:17 warning denied winbox/dude connect from 119.18.39.159
11:03:21 warning denied winbox/dude connect from 213.57.88.215
11:03:24 warning denied winbox/dude connect from 94.230.25.2
11:03:24 warning denied winbox/dude connect from 168.194.108.144

Or - is this a log from my btest fw rules which auto-blocks lengthy btest connections then later auto-removes them. I do see some of the above IP address in my fw Connections list (which are auto added & auto removed an hour later).

North Idaho Tom Jones

Sofa · Thu May 24, 2018 9:28 pm

Good evening, I have a hAP ac lite 6.38.4 or 6.38.5 router I do not remember exactly, Firware 3.27, now updated to the latest version (6.42.2, Firware 6.42.2)
The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do.
Will I have enough passwords and firmware updates?

anav · Thu May 24, 2018 9:46 pm

Bartoz, email me as that is a separate discussion.................

anuser · Thu May 24, 2018 11:19 pm

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do.
Will I have enough passwords and firmware updates?

That´s a fraud/fake call, google for that one that wants you to pay him.

jebz · Fri May 25, 2018 2:26 am

Can somebody please tell me what this log information is (in dark red below containing warning denied winbox/dude connect from?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here ? **

Or - is this a log from my btest fw rules which auto-blocks lengthy btest connections then later auto-removes them. I do see some of the above IP address in my fw Connections list (which are auto added & auto removed an hour later).
North Idaho Tom Jones

.
In Dude you can add your server to a map and this makes it very easy to choose when you do a bandwidth test. When on a Dude map I think it then probes your server, but not with malicious intent. So you'll see bandwidth tests and attempted winbox/dude connections from the same host.

macsrwe · Fri May 25, 2018 7:44 am

Can somebody please tell me what this log information is (in dark red below containing warning denied winbox/dude connect from?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here ? **

This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other Mikrotik admins.
. . .

North Idaho Tom Jones

Tom, let me apologize. I defined your btest server as a host in my local DNS, and gave it a box in my dude configuration, so I could more easily run infrequent tests when needed without having to remember all your IP information. Apparently, this causes grief in your log, because my IP is one of the ones you listed. Also apparently, a whole lot of other MikroTik admins have done the same thing I did, and they are generating all the other IP addresses. In order to run MikroTik speed tests, I had to tell the Dude that you were a MikroTik device, and it looks like that causes it to bother you with Dude queries.

Sofa · Fri May 25, 2018 2:19 pm

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do.
Will I have enough passwords and firmware updates?
That´s a fraud/fake call, google for that one that wants you to pay him.

The fact is that it was the police and they did not demand money from me, the provider gave them to them because the IP address is reserved for the director

squeeze · Fri May 25, 2018 4:28 pm

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do.
Will I have enough passwords and firmware updates?
That´s a fraud/fake call, google for that one that wants you to pay him.
The fact is that it was the police and they did not demand money from me, the provider gave them to them because the IP address is reserved for the director

Your writing is difficult to understand. Do not give property or access to property to anyone, even the police. They have to have a legal warrant from your country's court system and that would have been sent to company officers, so it would be company officer telling you to do anything.

Direct all formal communications with third parties to management and Directors responsible in your company. Third parties have no business telling employees to do anything.

Factory reset your router using the reset button, then upgrade to the latest firmware. Done. When security is an issue, this is always the correct procedure on any networking device. The only thing that changes is the timing (some may be expert enough to do forensic analysis first).

Fri May 25, 2018 4:31 pm

I read his post differently. It seems some local cyber crime agency called him and told him that there is suspicious activity coming from his router. They suggested him to upgrade his router.

Well ...

1. Upgrade or reinstall
2. Protect it properly, as you should have done a long time ago: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
3. Make sure that the virus is not actually in your LAN, for outside observer this might look like coming from the router, but may be in a Windows computer inside your network

TomjNorthIdaho · Fri May 25, 2018 6:35 pm

Can somebody please tell me what this log information is (in dark red below containing warning denied winbox/dude connect from?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here ? **

This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other Mikrotik admins.
. . .

North Idaho Tom Jones
Tom, let me apologize. I defined your btest server as a host in my local DNS, and gave it a box in my dude configuration, so I could more easily run infrequent tests when needed without having to remember all your IP information. Apparently, this causes grief in your log, because my IP is one of the ones you listed. Also apparently, a whole lot of other MikroTik admins have done the same thing I did, and they are generating all the other IP addresses. In order to run MikroTik speed tests, I had to tell the Dude that you were a MikroTik device, and it looks like that causes it to bother you with Dude queries.

If it's not an attack , then I am OK with it.
I don't run Dude and I did not know if this was something I should be taking action on.
Thanks for your reply
For me - a good thing is , that if somebody was able to gain control of this 207.32.194.24 btest server , that this server is 100 percent outside of my business ISP/WISP networks.
North Idaho Tom Jones

intermod · Fri May 25, 2018 7:26 pm

As the hack could have been sniffing traffic, our other systems may be at risk. So we don't have to audit all of our other systems now, how can we tell whether our particular device was compromised? This is very important. This could be extremely costly for our organization.

desertadmin · Sun May 27, 2018 11:34 pm

Just added the Talos IPs to prevent further spread. Pretty scary how it infiltrates a busy box based OS.

Thank you Mikrotik for patching this so quickly. In addition I added the following IPs to my Drop DDOS list. This is not a DDOS but any suspicious traffic I get I place it on this filter.

So modify how you like but this is the list of known IPs that needed to be blocked to prevent the stage 2 of this VPNfilter attack.

/ip firewall address-list
add address=91.121.109.209 comment="TALOS" list=DROPDDOS
add address=217.12.202.40 comment="TALOS" list=DROPDDOS
add address=94.242.222.68 comment="TALOS" list=DROPDDOS
add address=82.118.242.124 comment="TALOS" list=DROPDDOS
add address=46.151.209.33 comment="TALOS" list=DROPDDOS
add address=217.79.179.14 comment="TALOS" list=DROPDDOS
add address=91.214.203.144 comment="TALOS" list=DROPDDOS
add address=95.211.198.231 comment="TALOS" list=DROPDDOS
add address=195.154.180.60 comment="TALOS" list=DROPDDOS
add address=5.149.250.13.76 comment="TALOS" list=DROPDDOS
add address=91.200.13.76 comment="TALOS" list=DROPDDOS
add address=94.185.80.82 comment="TALOS" list=DROPDDOS
add address=62.210.180.229 comment="TALOS" list=DROPDDOS

Hope this helps out.

Sincerely,
DesertAdmin

doctorrock · Mon May 28, 2018 10:59 pm

Technical details of the worm here : https://blog.talosintelligence.com/2018 ... ilter.html

Deantwo · Tue May 29, 2018 10:54 am

Technical details of the worm here : https://blog.talosintelligence.com/2018 ... ilter.html

Funny how it says that it is hard to defend against it because it is hard to upgrade router firmware on the devices.
I am quite happy with how extremely easy it is to upgrade RouterOS on a MikroTik device.

According to what I have read about all this, it seems that all the recent attacks rely on the "webfig" vulnerability in the <6.38.5 versions of RouterOS.
But I guess Talos isn't going to promote the MikroTik brand by saying that upgrading their devices is super easy to do.

The amount of "Cisco devices are safe thanks to X and..." at the end of the article makes me feel a little confused though.
Why do they need all those fancy sounding features? Just freaking setup a reasonable firewall/ACL and protect your devices like everyone else.

ssbaksa · Tue May 29, 2018 2:25 pm

Technical details of the worm here : https://blog.talosintelligence.com/2018 ... ilter.html

Nice article but ...

" Mikrotik RouterOS Versions for Cloud Core Routers:
1016
1036
1072
"
Dosn't mean a thing. They are mention router hardware version, not RouterOS versions which are important in this case.

naskoblg · Tue May 29, 2018 8:20 pm

Please read this article:
http://linkcom.lviv.ua/%D1%83%D0%B2%D0%B0%D0%B3%D0%B0/
https://www.facenews.ua/news/2018/407644/

They are stating that all versions prior 6.42.1 are vulnerable.

jerryroy1 · Tue May 29, 2018 8:50 pm

Can we confirm the RouterOS versions please?

We have 5.26 on hundreds of 750GL's. Is it a firmware issue or an RouterOS issue? It does not seem clear from this thread.

Also, what about GR2 and GR3/Hex? What versions are invulnerable?

Thanks,

Jerry

jmay · Wed May 30, 2018 12:53 am

I have never used webfig for my routers. Winbox only and I only allow specific IP's that access. I should be fine yeah? Most of my routers are currently at 6.41.

Wed May 30, 2018 9:08 am

As stated before. All RouterOS devices were affected under following conditions:

1) Webfig was open on untrusted networks (default firewall protects you, so this applies if you manually configured the firewall or removed the default);
2) You had an older RouterOS version, before these releases:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;

What to do:

1) Upgrade RouterOS
2) Change your password
3) Configure firewall and other security measures according to this guide: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

NEVER LEAVE YOUR DEVICE OPEN TO THE INTERNET, WITHOUT SPECIFIC FIREWALL ACCESS RULES

Wed May 30, 2018 9:09 am

Please read this article:
http://linkcom.lviv.ua/%D1%83%D0%B2%D0%B0%D0%B3%D0%B0/
https://www.facenews.ua/news/2018/407644/

They are stating that all versions prior 6.42.1 are vulnerable.

Thats not correct.

JimmyNyholm · Wed May 30, 2018 11:56 am

Thanks for the prompt response Normis.

I assume people that were using the quickset dynamic dns vpn and appropriate firewall rules + updated fw would have been invunerable to these attacks ?
Any RouterOS version with firewall on the www port from untrusted networks was always safe. The original vunlerability that was fixed in march 2017 was only affecting you, if the www port 80 (webfig) was open to untrusted networks.

Firewall will as allways disable fastpath in your system. Setting source ip's allowed on the service is more direct lo level approach witch does not disable fastpath.

jerryroy1 · Wed May 30, 2018 7:35 pm

Hi Normis,

I still do not have a reply regarding 5.26 on R750GL, can you comment?

Best regards.

ludvik · Wed May 30, 2018 8:55 pm

Firewall will as allways disable fastpath in your system. Setting source ip's allowed on the service is more direct lo level approach witch does not disable fastpath.

Unfortunately, the DNS server does not allow restrictions using ip / services.

Chupaka · Wed May 30, 2018 9:21 pm

What's faster:
- no fastpath and IP firewall rule for blocking DNS;
or
- bridge interface, ipv4 fastpath and bridge filter rule for blocking access?

Thu May 31, 2018 8:30 am

Hi Normis,

I still do not have a reply regarding 5.26 on R750GL, can you comment?

Best regards.

I did reply that your version is below the one with the fix. If you have an exposed webfig interface to untrusted network, UPGRADE IMMEDIATELY

indimouse · Thu May 31, 2018 1:36 pm

Good afternoon!
A few thoughts about this problem.
We also suffered an attack, lost more than 50 routers, and many had a firmware version of 6.42.2.
Access to the router is preserved, but the user admin has read-only privileges. In this case, a new root user appears in the system.
Analysis of the situation showed that it is not possible to restore the router through a netinstall, because the protected-routerboot option is enabled. To flash the equipment, you need to see the time set in the field of the reformat hold button, then we fix the reset button for this period of time and supply power to the router. Through the terminal (console cable), we confirm the formatting of the flash. Further through netinstall we restore the firmware. We go to winbox and restore from backup.

Thu May 31, 2018 5:02 pm

You describe a different attack vector. We have seen this before. It was a brute-force password guess attack to the FTP (If I remember correctly). This is not a vulnerability. Simply limit access to the device services from unknown networks.

If you have read only access with Winbox, you can see the "reformat hold time" setting, then you can wipe the device and reconfigure it. Follow manual about protected RouterBOARD on how to use the button to wipe all config: https://wiki.mikrotik.com/wiki/Manual:R ... bootloader

Who is online