Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

VPN

// // //
9/6/2018
08:05 AM
Larry Loeb
Larry Loeb
Larry Loeb

Attackers Snoop on MikroTik Router Traffic

Researchers at Qihoo 360 Netlab report that unknown attackers have eavesdropped on the traffic of thousands of MikroTik routers.

Over 7,400 MikroTik routers have had their traffic eavesdropped on by unknown attackers, according to security researchers at Qihoo 360 Netlab.

They say that they found the most affected routers in Russia (1,628), followed by Iran (637), Brazil (615), India (594) and Ukraine (544). The researchers also say that they have seen a "massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor."

The attackers are using Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability, even though CVE-2018-14847 has been patched since April. Both are part of the Vault7-originated hacking tool Chimay Red.

This has allowed the MikroTik TZSP (TaZmen Sniffer Protocol) traffic to be forwarded to nine external IP addresses.

The researchers found that the attackers focused on ports 20, 21, 25, 110 and 144 (which are involved in FTP-data) FTP, SMTP, POP3 and IMAP traffic. They also seem interested in SNMP (Simple Network Management Protocol) ports 161 and 162.

However, the attacker seems to have made some rookie mistakes. First, the HTTP proxy forwards requests to a local HTTP 403 error page, and in this error page a link for web-mining code from coinhive.com is inserted. This would indicate they are looking to conduct cryptocurrency mining on all the proxy traffic of the routers.

Couleur via Pixabay
Couleur via Pixabay

But all the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs, which have been set by the attackers themselves. Whether this was an intentional move or the result of error is unclear.

Additionally, for the attacker to gain control, even after device reboot (which means an IP change), the infected device runs a scheduled task to periodically report its latest IP address by accessing a specific attacker's URL. This gives the attacker the relevant information needed to identify their victims once again.

The attacker will also scan for more MikroTik devices to infect by using these compromised Socks4 proxies, so the persistence has a purpose beyond just extending itself.

The researchers say that they are not comfortable in sharing the IPs involved in this problem with the public, but "relevant security entities in affected countries" are welcome to contact them for the full IP list from their findings.

But the researchers did say that "37.1.207.114 is the top player among all the attackers."

The researchers recommend that MikroTik RouterOS users update the software system and check whether the http proxy, Socks4 proxy and network-traffic-capture function are being maliciously exploited.

They also recommend that MikroTik deny inbound access to the Webfig and Winbox ports from the Internet and improve the software-security-update mechanism.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-45786
PUBLISHED: 2023-02-04
There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition ...
CVE-2023-22849
PUBLISHED: 2023-02-04
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling Ap...
CVE-2023-25193
PUBLISHED: 2023-02-04
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
CVE-2023-0676
PUBLISHED: 2023-02-04
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.
CVE-2023-0677
PUBLISHED: 2023-02-04
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1.