A Mysterious Russian Grey Hat Vigilante has patched over 100,000 routers
1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5 (1 votes, average: 5.00 out of 5, rated)

A Mysterious Russian Grey Hat Vigilante has patched over 100,000 routers

Hacking to help – and not everyone appreciates it.

In the interest of keeping things light on a Friday, let’s turn our attention to a fascinating story that was first reported on by ZDNet’s Catalin Cimpanu: a Russian-speaking grey-hat hacker has been breaking into people’s MikroTik routers and patching them so they won’t be exploited by crypto-miners and other kind of digital ne’er-do-wells.

On a Russian blog site, the Russian-speaking Grey Hat, Alexey, boasted that he had already patched over 100,000 MikroTik routers.

“I added firewall rules that blocked access to the router from outside the local network,” Alexey wrote. “In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”

Unfortunately, the response has been tepid at best. About 50 people have contacted Alexey, a few to say thank you but most of them were angry at the invasion.

There’s a little bit to unpack here about Hacker hats, the MikroTik vulnerability and the ethics of this kind of activity.

So, let’s hash it out.

What is a Grey Hat Hacker?

When discussing colored hats, there are three that relate to hackers and one that relates to the US president. We’re going to focus on the first three.

A Mysterious Russian Grey-Hat Vigilante has patched over 100,000 routersA White hat hacker is an ethical hacker, typically you see White hats in the context of penetration testing, where they’re looking to break a system or application in order to better secure it. They are indeed hacking, but they’re doing it for ethical reasons. And they typically have authorization to do what they’re doing.

A Black hat hacker is on the opposite end of the spectrum, they have malicious intent and are looking to break into and exploit vulnerable systems. Pretty much every major hack that you see in the news is as a result of state-backed hackers or black hat hackers. Depending on who you talk to, those can actually be one in the same, but there is a distinction to be made between a group like Fancy Bear, which is acting maliciously on behalf of a government and a group like Magecart that is acting maliciously in their own self-interest.

So, let’s talk about Grey hats. A grey hat hacker lives somewhere in the middle. Generally speaking, they are breaking laws and violating ethics, but their intent isn’t malicious. A good example would be our friend Alexey, who is hacking into MikroTik routers to patch them. It’s a net-positive, but there are some ethical questions created by that kind of conduct. We’ll address that later.

What was wrong with MikroTik routers?

It’s been a bad year for routers in general, but MikroTik specifically had an issue last April (CVE-2018-14847) that allowed attackers to bypass authentication and download the user database file, which can then be decrypted and harvested for usernames and passwords. This gives the attackers the ability to log into remote devices, jigger with OS settings and run scripts.

A Mysterious Russian Grey-Hat Vigilante has patched over 100,000 routersMikroTik, which is a Latvian-based company that specializes in routers and wireless ISP systems, released a patch almost immediately. But when was the last time you patched your router? Seriously.

Knowing full-well that most people wouldn’t install the update, cybercriminals have been having a field day ever since.

The majority of the exploits have involved crypto-jacking, but some attackers have also used the vulnerability to hijack DNS servers and redirect the traffic towards malicious websites.

MikroTik is one of the larger router manufacturers in the world with over 2,000,000 currently in use—so patching 100,000 of them is still only about 5%. However, only about 420,000 have given indications of infection.

One group that hasn’t had much luck with this exploit are botnet herders.

“The usual IoT blackhat botnet factory is basically clueless about the exploit, and how it can be deployed for a proper functioning botnet,” Ankit Anubhav, a security researcher for NewSky Security told ZDNet.

So maybe not every cybercriminal is having a field day.

Is this Ethical?

That’s the million-dollar question and it’s not one that is going to find a consensus anytime soon. Depending on your philosophy about the internet and technology in general, you may look at this as a necessary evil or a complete violation.

The reason that Alexey has been able to patch so many routers is that the black hat hackers attacking them are being sloppy.

“The attackers are not closing [device ports] or patching the devices, so anyone who wants to further mess with these routers, can,” Anubhav told ZDNet.

This kind of activity is nothing new, in fact Cimpanu even lists a number of notable grey-hat events.

  • A Mysterious Russian Grey-Hat Vigilante has patched over 100,000 routers2014 – A grey hat hacks thousands of Asus routers and planted text warnings about files that were left exposed and reminding users to patch.
  • 2015 – A group of grey hats, ironically called the White team, releases a piece of malware that closes security holes in several models of Linux routers.
  • 2017 – A grey hat releases a piece of malware that punishes people for not patching their IOT devices by either deleting firmware or bricking them.
  • 2017 – A grey hat makes over 150,000 printers print a message to their owners about the dangers of leaving your printer exposed online.
  • 2018 – Another grey hat renames thousands of MikroTik and Ubiquiti routers “HACKED” to scare their owners into updating them.

So is grey hat hacking ethical? Again, it depends on your outlook, but from the standpoint of legality, Alexey isn’t exactly abiding the law. It’s illegal to access someone else’s computer or devices without authorization. And while Eastern Europe and Russia may have a more relaxed attitude about this kind of activity, there are plenty of cases in the US where antiquated laws and overzealous prosecutors have thrown the book at someone for activity far more trivial than this. This is almost the equivalent of breaking into someone’s house to fix their deadbolts and alarm system. Thanks, but you broke into my house.

So, ethical? Maybe. Legal? Definitely not.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.