Help Me, Vulnerabilities. You're My Only Hope

Presented at DEF CON 27 (2019), Aug. 11, 2019, noon (45 minutes)

MikroTik routers keep getting owned. They've been exploited by advanced threats like VPNFilter, Slingshot APT, and Trickbot. They've been compromised by coin miners, botnets, and who knows what else. With each new campaign the security industry publishes new indicators of compromise and everyone moves on. However, MikroTik administrators operate in a sandbox. They have very limited access to the router's underlying file system and almost no ability to directly interact with the Linux operating system. Due to these limitations, file hashes cannot answer the fundamental question that is asked again and again on the MikroTik forums, "Have I been compromised?" It's time the users had their question answered. In this talk, I'll present three vulnerabilities that can help MikroTik administrators break out of the sandbox. I'll show how to use these vulnerabilities to help determine if the router has been compromised.

Presenters:

• Jacob Baines - Research Engineer, Tenable
  Jacob is the founding member of Tenable's Zero Day Research group. He focuses much of his research efforts on routers and other IoT devices. Sometimes he even finds vulnerabilities. Twitter: @junior_baines

Links:

• https://defcon.org/html/defcon-27/dc-27-speakers.html#Baines
• https://infocon.org/cons/DEF CON/DEF CON 27/DEF CON 27 video and slides/DEF CON 27 - Jacob Baines - Help Me Vulnerabilities Youre My Only Hope.mp4
• https://infocon.org/cons/DEF CON/DEF CON 27/DEF CON 27 video and slides/DEF CON 27 - Jacob Baines - Help Me Vulnerabilities Youre My Only Hope.srt (subtitles)
• https://www.youtube.com/watch?v=mST-9k6m3ug

Similar Presentations:

• VB2019 / Absolutely routed!! Why routers are the new bullseye in cyber attacks
• Still Hacking Anyway (SHA2017) / Rooting the MikroTik routers
• REcon 2022 / Pulling MikroTik into the Limelight: Demystifying and Jailbreaking RouterOS