Mikrotik Routers Compromised to Eavesdrop On Internet

A group of Mysterious hackers has been exploiting MikroTik routers to secretly eavesdrop on all the internet traffic going through them.

Security researchers at Qihoo 360’s Netlab have revealed that some mysterious hackers, who managed to hack over 7,500 vulnerable MikroTik routers around the globe, have been eavesdropping on and forwarding the internet traffic through these routers to a server under their control. The routers that have been hacked are located in dozens of countries, including Iran, Russia, the U.S, Brazil etc. The Netlab researchers feel that this threat could expand and include more countries and impact another 239,000 routers. (MikroTik is a Latvian company that develops routers and wireless ISP systems and was founded in 1996).

Cybersecurity researchers have been picking up malware that was found exploiting a vulnerability (CVE-2018-14847) in the MikroTik routers. A post on the Netlab blog says- “What’s more, we have observed massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.”

The blog post further says, “More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.”

PCMag reports-“Routers in dozens of countries—including Russia, Iran, Brazil and the US—have all been ensnared in the eavesdropping scheme. However, Netlab is warning that the threat could expand since the hacker enabled the same data-forwarding protocol, called SOCKS4, in another 239,000 MikroTik routers. It isn’t clear for what purpose, but so far, the attacker appears to be harvesting FTP (File Transfer Protocol) data, in addition to messaging and email traffic over SMTP, POP3, and IMAP.”

The report further says- “Netlab researchers also noticed the scheme sniffing data related to a network management protocol that average consumers rarely use.”

This is explained in detail in the Netlab blog, which says- “At present, a total of 239K IPs are confirmed to have Socks4 proxy enabled maliciously. The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 95.154.216.128/25. In order for the attacker to gain control even after device reboot(ip change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL…The attacker also continues to scan more MikroTik RouterOS devices by using these compromised Socks4 proxy…At this point, all the 239K IPs only allow access from 95.154.216.128/25, actually mainly 95.154.216.167. It is hard to say what the attacker is up to with these many Sock4 proxies but we think this is something significant.”

MikroTik had released a fix for the issue in April, but unfortunately, almost 370,000 devices still remain unpatched, according to researchers. Reports also say that this seems to be the very same hacker or group who tried, in early August, to exploit the routers to run a cryptocurrency mining malware. That campaign had failed, most likely because of a configuration mistake.

However, researchers point out that the vulnerability in the MikroTik routers could also lead to hackers selling access to the compromised hackers on the digital black market.

The attack can be prevented if users of MikroTik RouterOS do a timely update of the software system; they should also check whether the HTTP proxy, Socks4 proxy and network traffic capture function are being maliciously exploited by hackers.