

ALERT

Immediate Threats to Mikrotik Routers

August 15, 2024

We recently observed a concerning incident involving a threat group specializing in exploiting vulnerable Mikrotik routers running outdated RouterOS. Within just twenty minutes of provisioning and bringing a router online, we detected the group attempting to brute-force access via Telnet.

While we noted instances of SSH brute-forcing, the attackers ultimately gained access through the API login. Once inside, they exhibited malicious behavior, including modifying the router's configuration to ensure persistent access and altering group permissions.
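The sequence described above (repeated login failures over Telnet and SSH, a successful login via the API, then configuration changes under the same session) is easy to pick out of RouterOS logs once they are shipped to a collector. The following script is an added example, not part of the original alert or of any RouterOS tooling: it parses a handful of constructed log lines written in the RouterOS message style ("login failure for user X from IP via service", "user X logged in from IP via service") and flags a source that fails repeatedly, a success that follows failures from the same source, matches against the IoC published in this alert, and configuration changes logged after the suspicious login. The message wording for configuration changes is an assumption for illustration; adjust the regular expressions to the exact messages your RouterOS version emits.

```python
import re
from collections import defaultdict

# Constructed sample lines in RouterOS remote-logging style (timestamp, topics, message).
# They are an illustration, not the log captured in the incident.
SAMPLE_LOG = """\
aug/15 10:01:02 system,error,critical login failure for user admin from 103.102.230.133 via telnet
aug/15 10:01:03 system,error,critical login failure for user admin from 103.102.230.133 via telnet
aug/15 10:01:05 system,error,critical login failure for user admin from 103.102.230.133 via telnet
aug/15 10:01:07 system,error,critical login failure for user root from 103.102.230.133 via ssh
aug/15 10:01:09 system,error,critical login failure for user admin from 103.102.230.133 via ssh
aug/15 10:01:12 system,error,critical login failure for user admin from 103.102.230.133 via api
aug/15 10:01:13 system,info,account user admin logged in from 103.102.230.133 via api
aug/15 10:01:20 system,info user added by admin
aug/15 10:01:25 system,info group changed by admin
aug/15 10:05:00 system,info,account user admin logged in from 192.0.2.10 via winbox
"""

# IoC published in the alert above.
KNOWN_BAD = {"103.102.230.133"}

FAIL_RE = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")
OK_RE = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")
# Assumed wording for configuration-change messages (user/group/script/scheduler edits).
CONFIG_RE = re.compile(r"\b(user|group|script|scheduler)\s+(?:added|changed|removed) by (\S+)")


def analyze(log_text, threshold=5):
    """Return findings from RouterOS-style log text.

    brute_force:            sources with >= threshold failed logins, with services tried
    success_after_failures: successful logins from a source that failed earlier
    ioc_hits:               known-bad sources seen in any login event
    config_changes:         configuration edits logged after a suspicious login
    """
    failures = defaultdict(int)    # source ip -> failed login count
    services = defaultdict(set)    # source ip -> services the source tried
    findings = {"brute_force": [], "success_after_failures": [],
                "ioc_hits": set(), "config_changes": []}
    suspicious_login_seen = False

    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            user, ip, svc = m.groups()
            failures[ip] += 1
            services[ip].add(svc)
            if ip in KNOWN_BAD:
                findings["ioc_hits"].add(ip)
            continue

        m = OK_RE.search(line)
        if m:
            user, ip, svc = m.groups()
            if ip in KNOWN_BAD:
                findings["ioc_hits"].add(ip)
            # A success from a source that was just failing is the key signal:
            # in the incident the attackers failed over Telnet/SSH and got in via the API.
            if failures[ip] > 0:
                findings["success_after_failures"].append((ip, user, svc, failures[ip]))
                suspicious_login_seen = True
            continue

        m = CONFIG_RE.search(line)
        if m and suspicious_login_seen:
            # Persistence and permission changes made after the suspicious login.
            findings["config_changes"].append(m.group(0))

    for ip, count in failures.items():
        if count >= threshold:
            findings["brute_force"].append((ip, count, sorted(services[ip])))

    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a file exported from `/system logging` with a remote syslog action, lowering `threshold` for routers that should never see interactive logins from the internet. A hit in `success_after_failures` on a router running an old RouterOS is the point at which the flush-and-reset advice further down applies, since the attacker has already had the chance to change users, groups and scheduled scripts.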

To mitigate these risks, we strongly recommend that service providers update any routers running outdated versions of RouterOS. Below, we provide additional Indicators of Compromise (IOCs) related to this incident to assist in identifying potential threats.

Indicators of Compromise

103.102.230[.]133

Looking at the activity captured in the logs, there are clear signs of malicious behaviour, and we recommend that the router be flushed and reset to ensure that any element of persistence is removed.

The best option is to upgrade the router's OS to the latest release: version 6.46.6 (known to be vulnerable to several weaknesses that have been exploited in the past) dates from 2020, and the latest software is now 7.15.1.
