“Let me emphasize how bad this attack is.” The attacker thought wisely, rather than infecting small websites with a few visitors, or finding sophisticated ways to run malware on end-user computers, would go directly to the carrier-class router source.
The current CVE-2018-14847 vulnerability is different from the major vulnerability first reported in March 2018. The security issue, which was reported extensively in the media, was called “VPNFilter”. It could allow any attacker to take control of a vulnerable Mikrotik router. Mikrotik fixed this vulnerability in March 2017.
The current vulnerability was barely registered by the press and has profound implications for all interested microtome operators. Because of this, hackers have taken control of more than 200,000 routers and are actively injecting mining malware, packet scanners, etc. Unlike the VPNFilter lagoon, the reboot does not allow the attacker to get rid of the router.
Despite the warnings of many security researchers, none of the domains used by the attackers were reported or blocked by the primary providers. As VriesHd said.
To eliminate the hacker from the router, all interested Mikrotik router operators must cleanly update the Mikrotik firmware to the latest version (6.43) and use the latest Winbox Control Panel (3.18).