If you’ve ever used a MikroTik router at home or work, you’ve probably heard about the recent discovery of a hacking campaign called ‘Slingshot,’ which planted spyware on computers in 11 different countries in Africa and the Middle East.
According to Wired, the campaign appears “…to have exploited routers’ position as a little-scrutinized foothold that can spread infections to sensitive computers within a network, allowing deeper access to spies.” Slingshot seems to exploit MikroTik’s ‘Winbox’ software.
What does this mean for your network?
While Slingshot appears to be a highly targeted campaign designed to reach only 100 targets, mostly in Kenya and Yemen, we wanted to make sure that our clients and customers here in North America knew how to protect themselves.
So we asked MikroTik. Here’s what they said:
This tool isn’t spreading itself.
Windows no longer downloads any DLL files from the device if you run RouterOS 6.37 or newer and are using Winbox v3. These releases have been out for more than a year, so make sure to upgrade your RouterOS and Winbox loader.
It’s unclear how the DLL file got into a MikroTik router in the first place. This is likely related to a previously-discovered vulnerability in the www service, which was patched in March 2017.
Please note: The only devices affected were those which didn’t have the firewall configured.
Fixing Slingshot: A quick disclaimer
As MikroTik experts, we’ve been helping to ensure our clients are protected against Slingshot since news of it first hit the web. So we know what’s been working for us. However, we want to make it clear that our fixes, below, weren’t provided by MikroTik and haven’t been officially endorsed by them.
Ensuring your network is fixed, Step 1: Firewall
Since we are talking about MikroTik, the focus here is MikroTik RouterOS, and the MikroTik IP Firewall Filter rules need to be set up correctly.
There are two parts to securing a network behind a MikroTik edge router.
Secure the router itself.
When you sit in an airplane, they tell you to put the oxygen mask on yourself first, before you do anything else. Securing the router is the most important part of setting up a firewall.
/ip firewall filter
add action=accept chain=input comment="allow new connections" connection-state=new in-interface=bridge-local
add action=accept chain=input comment="allow established/related connections" connection-state=established,related
add action=drop chain=input comment="drop everything else" log-prefix=i-drop
Secure the network “customers.”
To secure the customer, we need to know what types of services we’re hosting in the local network, how that network is designed, and the identity of the trusted customer.
There can be other variables involved, but the rules below would be enough to secure a small basic network.
/ip firewall filter
add action=accept chain=forward comment="allow new connections" connection-state=new in-interface=bridge-local
add action=accept chain=forward comment="allow related/established connections" connection-state=established,related
add action=drop chain=forward comment="drop invalid connections" connection-nat-state=!dstnat connection-state=invalid
add action=drop chain=forward comment="drop anything else" connection-nat-state=!dstnat
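MikroTik’s note above says the affected devices were the ones with no firewall configured, so it helps to have a repeatable way to check a router for the properties the two rule sets are meant to give it. The script below is an added example written for this post, not MikroTik’s tooling and not part of the original article: it parses the text that `/ip firewall filter export` prints, then checks each of the input and forward chains for an established/related accept, for new connections being accepted only from the LAN interface, and for a final catch-all drop. The sample exports are constructed here (one mirrors the rules above, one is a half-finished router), and the LAN interface name `bridge-local` is assumed to match the rules; change it to whatever your LAN bridge is called.

```python
"""Audit a RouterOS '/ip firewall filter export' for the router-protection
properties described on this page. Added example; the sample inputs below are
constructed, not taken from a live router."""
import shlex
from typing import Dict, List

# Constructed sample: the rule set from this page, as `export` prints it.
SAMPLE_EXPORT = """
/ip firewall filter
add action=accept chain=input comment="allow new connections" connection-state=new in-interface=bridge-local
add action=accept chain=input comment="allow established/related connections" connection-state=established,related
add action=drop chain=input comment="drop everything else" log-prefix=i-drop
add action=accept chain=forward comment="allow new connections" connection-state=new in-interface=bridge-local
add action=accept chain=forward comment="allow related/established connections" connection-state=established,related
add action=drop chain=forward comment="drop invalid connections" connection-nat-state=!dstnat connection-state=invalid
add action=drop chain=forward comment="drop anything else" connection-nat-state=!dstnat
"""

# Constructed sample: a router whose input chain was never finished
# (no final drop, new connections accepted from any interface, no forward rules).
SAMPLE_UNFINISHED = """
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input connection-state=new
"""

# Keys that do not narrow which packets a rule matches.
NON_MATCHER_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "place-before"}
# The page's forward chain deliberately exempts port-forwarded (dstnat) traffic
# from its final drop, so that one matcher is still treated as a catch-all.
CATCH_ALL_ALLOWED = {"connection-nat-state"}


def parse_export(text: str) -> List[Dict[str, str]]:
    """Turn 'add key=value ...' lines under /ip firewall filter into dicts.
    shlex.split handles the double-quoted comment values export emits."""
    rules: List[Dict[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip firewall filter" or not line.startswith("add "):
            continue
        rule: Dict[str, str] = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        if rule.get("disabled") == "yes":
            continue  # disabled rules do not filter anything
        rules.append(rule)
    return rules


def audit_chain(rules: List[Dict[str, str]], chain: str, lan_interface: str) -> List[str]:
    """Return human-readable findings for one chain; empty list means it passes."""
    chain_rules = [r for r in rules if r.get("chain") == chain]
    findings: List[str] = []
    if not chain_rules:
        findings.append(f"{chain}: no rules at all; every packet is accepted")
        return findings
    states = lambda r: r.get("connection-state", "")
    if not any(r.get("action") == "accept" and "established" in states(r) and "related" in states(r)
               for r in chain_rules):
        findings.append(f"{chain}: no accept rule for established,related traffic")
    last = chain_rules[-1]
    matchers = set(last) - NON_MATCHER_KEYS
    if not (last.get("action") == "drop" and matchers <= CATCH_ALL_ALLOWED):
        findings.append(f"{chain}: last rule is not a catch-all drop")
    for r in chain_rules:
        if r.get("action") == "accept" and states(r) == "new" and r.get("in-interface") != lan_interface:
            findings.append(f"{chain}: new connections accepted from interface "
                            f"{r.get('in-interface', 'any')!r}, not only {lan_interface!r}")
    return findings


def audit(export_text: str, lan_interface: str = "bridge-local") -> List[str]:
    """Audit both chains the page configures. Assumes the LAN bridge is 'bridge-local'."""
    rules = parse_export(export_text)
    findings: List[str] = []
    for chain in ("input", "forward"):
        findings.extend(audit_chain(rules, chain, lan_interface))
    return findings


if __name__ == "__main__":
    for name, text in (("page rules", SAMPLE_EXPORT), ("unfinished", SAMPLE_UNFINISHED)):
        print(name, "->", audit(text) or "OK")
```

Run it against the output of `/ip firewall filter export` copied from a router and it prints one line per missing property, or OK. The check for the final drop accepts `connection-nat-state=!dstnat` as the only matcher because that is how the forward chain above lets port-forwarded traffic through; any other matcher on the last rule means something can slip past it.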
Ensuring your network is fixed, Step 2: Use WINBOX 3.x+
MikroTik’s WINBOX software was often installed on PCs or on Mac devices using ‘Wine Bottler’. However, WINBOX has a couple of vulnerability issues – experienced MikroTik network practitioners have long known about these.
When you use unsecured MikroTik WINBOX software, and there is a weak firewall setup on the PC where WINBOX is used, a bad actor can use the WINBOX export file to access all network data. Generally speaking, this only happens when the network manager forgot to use WINBOX secure and set up a password for the saved routers. It may also occur if there is a weak password on the PC where WINBOX is installed.
The old WINBOX software – which appears to be what the hackers used in the case of Slingshot – couldn’t be password-secured. However, as of WINBOX version 3.0, you can set up a password. And it should be the second thing you do, right after setting up the firewall.
Wondering if your network is secure?
As we said, this particular campaign is unlikely to affect MikroTik RouterOS users here in North America. But that doesn’t mean you shouldn’t make sure your network is secure. If you have any questions or think it makes sense to have an expert look at your network, don’t hesitate to get in touch. We’ll be happy to help.