Using a known vulnerability, the threat actor is listening to a variety of ports.
A full 7,500+ MikroTik routers are forwarding their owners’ traffic to eavesdropping cybercriminals – while 239,000 more have had their Socks4 proxy enabled, maliciously and surreptitiously. This means the bad actors can gain access to any of the files or data being passed by the router to and from corporate networks.
According to security researchers at 360 Netlab, adversaries are exploiting the known MikroTik CVE-2018-14847 vulnerability in Winbox, which is a management component and a Windows GUI application for MikroTik’s RouterOS software. RouterOS powers the business-grade RouterBOARD brand, as well as ISP/carrier-grade gear from the vendor.
The flaw is a Winbox Any Directory File that allows bad actors to read files that flow through the router without authentication; while MikroTik patched it in early August, many users have yet to update, leaving a large attack surface open.
In fact, as of August 24, the 360 Netlab honeypot network had picked up on more than 5 million devices with an open TCP/8291 port worldwide, of which 1.2 million are MikroTik devices. Out of those, about 31 percent, or 370,000, are vulnerable to the flaw.
“The MikroTik RouterOS device allows users to capture packets on the router and forward the captured network traffic to the specified Stream server,” the researchers explained, in a post on Tuesday, adding that attackers are listening to ports 20, 21, 25, 110 and 143, corresponding to FTP-data, FTP, SMTP, POP3 and IMAP traffic. Also, oddly, snmp port 161 and 162 are also under surveillance.
“This deserves some questions,” the researchers pointed out. “Why are the attackers paying attention to the network management protocol regular users barely use? Are they trying to monitor and capture some special users’ network snmp community strings? We don’t have an answer at this point, but we would be very interested to know what the answer might be.”
Most of the 7,500 victims are in Russia, the firm found; and in terms of the collecting IP addresses, 22.214.171.124 is the top player among all the attackers.
As for the Socks4 proxy enablement, researchers found that a single malicious actor is behind that campaign – and that the motive remains to be seen.
“The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 126.96.36.199/25,” the researchers explained. “In order for the attacker to gain control even after device reboot ([an] IPchange), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL.”
The attacker also uses compromised Socks4 proxies to scan more MikroTik RouterOS devices for vulnerabilities.
“It is hard to say what the attacker is up to with these many Sock4 proxies, but we think this is something significant,” the researchers added.
The situation is once again a wake-up call to patching. MikroTik RouterOS users should update their software, and check whether the HTTP proxy, Socks4 proxy or network traffic-capture function are being maliciously exploited.
A similar situation arose in August when tens of thousands of MikroTik routers were found to have been compromised, with the actors embedding the Coinhive cryptomining scripts into websites using a known vulnerability.
“This [latest] report clearly shows that scraping for pennies with Coinhive is not the worst-case scenario that miscreants can do with these compromised MikroTik routers,” Mursch told Threatpost.