Vigilante hacker breaks into routers to boost their security

The (anti)hero we need

Back in April, a zero-day vulnerability was reported for MikroTik browsers that allowed hackers to break in by downloading and decrypting users’ credentials (here’s a report on the vulnerability). Fortunately for MikroTik users, the company was praised across the cybersecurity community for releasing a patch in record time, sealing the vulnerability. Unfortunately for MikroTik users, most haven’t raised a finger to patch their routers.

As a result, these routers have been targeted by a wide array of hackers, each with their own goals. Some of them have been stealing users’ credentials. Others have conscripted the routers into their botnets to launch DDoS attacks. Yet others have turned the routers into crypto-currency miners, stealing computing power to make the hackers wealthier.

Enter Alexey, a Russian-speaking grey-hat hacker who’s been using completely illegal methods (exploiting the MikroTik vulnerability, in fact) in order to help make his victims more secure. He has boasted about his exploits in a Russian-language blog post and left notes inside routers he’s targeted.

For most of the routers he’s affected (and he claims to have affected over 100,000), his modus operandi is the same: he breaks in, removes the malware left there by previous hackers, patches the vulnerability, leaves a comment, and closes the port that accesses the vulnerability as he leaves. Here’s a quote of his from ZDNet:

“I added firewall rules that blocked access to the router from outside the local network,” Alexey said. “In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”

Apparently, most of the people affected by his work were outraged rather than being grateful.

What this hacker is teaching us

There are important lessons to be learned from Alexey’s controversial work:

1. Vulnerabilities are a big deal. When vulnerabilities are reported, take note. Even if it impacts a small percentage of users or can only be used in specific cases, how can you be sure it doesn’t impact you with looking into the reports? These routers became hacker highways, with malicious black-hat hackers being followed by a grey-hat sleuth cleaning up after the messes they made.
2. Updates, updates, updates! Even in this case, when a significant vulnerability impacting many users was revealed, hundreds of thousands of users have still done nothing to patch their routers. MikroTik was even praised for the speed with which they responded! Updates aren’t released just for fun – they are made to fix security risks. Ignore them at your peril! Note: Some of the routers affected were hard-to-reach “edge routers,” which means they could have been located in places like underground cases or up on utility poles. In many cases, however, this meant that they should be administered by building authorities or ISPs, so they still should’ve been fixed!
3. Hackers can be nice sometimes. We’ve been using the terms black-hat and grey-hat in this article, and there are also white-hat hackers. Black-hats are hackers with nefarious and illegal intent, grey-hats perform ethically questionable work or good work using illegal methods, and white-hats are ethical, above-the-board hackers who work to make systems more secure. Alexey is a grey-hat, so although his work is helpful, he still has to hide behind a screen of anonymity – because what he’s doing is still illegal. Is any of this a reason not to secure yourself? Absolutely not!