A research done by China’s Netlab 360 revealed thousands of routers manufactured by the Latvian company MikroTik to be compromised by a malware attacking the Winbox, a Windows GUI application. This vulnerability allows gaining access to an unsecured router.
The Winbox vulnerability was revealed in April this year and MicroTik had also posted a software update for the same. However, researchers found that more than 370,000 MikroTik devices they identified on the Internet were still vulnerable.
According to a report by Netlab 360’s Genshen Ye, “More than 7,500 of them are actively being spied on by attackers, who are actively forwarding full captures of their network traffic to a number of remote servers. Additionally, 239,000 of the devices have been turned into SOCKS 4 proxies accessible from a single, small Internet address block.”
Prior to the MicroTik attack, WikiLeaks revealed a vulnerability from the CIA’s ‘Vault7’ toolkit. According to WikiLeaks, the CIA Vault7 hacking tool Chimay Red involves 2 exploits, including Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.
Attacks discovered on the MicroTik routers
Previously, researchers at Trustwave also had discovered two malware campaigns against MikroTik routers based on an exploit reverse-engineered from a tool in the Vault7 leak.
#1 Attack targeting routers with CoinHive Malware
However, in routers affected by this type of malware found by the Netlab 360 team, all the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs (access control lists) set by attackers themselves.
#2 Attack that turns affected routers into a malicious proxy network
The other attack, discovered by the Netlab 360 team, has turned affected routers into a malicious proxy network. This was done by using the SOCKS4 protocol over a very non-standard TCP port (4153). Ye said that “Very interestingly, the Socks4 proxy config only allows access from one single net-block, 126.96.36.199/25.” Most of the traffic is said to be going to 188.8.131.52, an address associated with a hosting service in the United Kingdom.
This attack includes the addition of a scheduled task to report the router’s IP address back to the attacker to help maintain the persistence of the SOCKS proxy if the router is rebooted.
Eavesdropping on routers
NetLab 360 researchers also discovered that more than 7,500+ victims are being actively eavesdropped and were largely streaming network traffic. This includes FTP and emails focused traffic, as well as some traffic associated with network management. Majority of the streams, almost 5,164 of them, were being sent to an address associated with an ISP in Belize.
Attackers have leveraged MikroTik’s built-in packet-sniffing capabilities for eavesdropping over the network. Here, the sniffer, which uses the TZSP protocol, can send a stream of packets to a remote system using Wireshark or other packet capture tools.
To know more about this news in detail, visit the Netlab 360 blog.