7,500 MikroTik routers compromised, traffic forwarded to attackers

Attackers have exploited a flaw in thousands of unpatched MikroTik routers, sending traffic to unknown attacker-controlled IPs.

If you have a MikroTik router, make sure it is running the latest firmware, as security researchers discovered thousands of compromised MikroTik routers are sending traffic to nine attacker-controlled IPs.

Via a honeypot since July, researchers from the China-based Netlab 360 noticed malware exploiting MikroTik routers. Attackers are exploiting the MikroTik CVE-2018-14847 flaw that was patched in April.

The critical vulnerability, involving Winbox for MikroTik, “allows remote attackers to bypass authentication and read arbitrary files.” Proof-of-concept exploits have been around for several months. That same vulnerability, the researchers pointed out, was exploited by the CIA’s hacking tool Chimay Red, according to WikiLeaks Vault7.

Some router owners might have patched within the last month to avoid becoming infected with cryptocurrency malware, as security researchers found several Coinhive cryptojacking campaigns aimed at thousands of MikroTik routers.

Those who still didn’t patch should take note of Netlab 360’s post, which warned “that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.” They added, “7.5k MikroTik RouterOS device IPs have been compromised by the attacker and their TZSP (TaZmen Sniffer Protocol) traffic is being forwarded to some collecting IP addresses.”

The researchers gave a list of the attackers’ top nine IP addresses, as well as a list of 20 ports being eavesdropped. Of the attackers’ IP addresses, “37.1.207.114 is the top player among all the attackers.” Of the compromised routers, 5,164 devices have their traffic going to this destination.

The top five ports being eavesdropped are: 5,837 aimed at port 21 (FTP), 5,832 targeting port 143 (IMAP), 5,784 aimed at port 110 (POP3), 4,165 eavesdropping over port 20 (FTP) and 2,850 targeting port 25 (SMTP). The researchers didn’t understand why the attackers were interested in SNMP ports 161 and 162, as the network management protocol is something “regular users barely use,” but they are interested in finding out the answer.

Top 10 countries with compromised MikroTik routers

Victims come from 40 countries, but the top 10 countries with compromised MikroTik routers are:

  • 1,628 in Russia
  • 637 in Iran
  • 615 in Brazil
  • 594 in India
  • 544 in Ukraine
  • 375 in Bangladesh
  • 364 in Indonesia
  • 218 in Ecuador
  • 191 in the U.S.
  • 189 in Argentina

Although the researchers would not make the victims’ IPs public, they said “relevant security entities in affected countries” could contact them for a full list of infected IPs in their country.

Additionally, the researchers discovered that a large number of IPs have Socks4 proxy enabled maliciously. They wrote, “The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 95.154.216.128/25. In order for the attacker to gain control even after device reboot (IP change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker's URL.”

They added, “At this point, all the 239K IPs only allow access from 95.154.216.128/25, actually mainly 95.154.216.167. It is hard to say what the attacker is up to with these many Sock4 proxies, but we think this is something significant.”

Netlab 360 recommended keeping MikroTik RouterOS updated and checking “whether the HTTP proxy, Socks4 proxy and network traffic capture function are being maliciously exploited by attackers. We recommend that MikroTik denies inbound access to the Webfig and Winbox ports from the Internet and improve the software security update mechanism.”

SUBSCRIBE! Get the best of CSO delivered to your email inbox.