Mikrotik routers pwned en masse, send network data to mysterious box

Researchers uncover botnet malware pouncing on security holes

More than 7,500 Mikrotik routers have been compromised with malware that logs and transmits network traffic data to an unknown control server.

This is according to researchers from 360 Netlab, who found the routers had all been taken over via an exploit for CVE-2018-14847, a vulnerability first disclosed in the Vault7 data dump of supposed CIA hacking tools.

Since mid-July, Netlab said, attackers have looked to exploit the flaw and enlist routers to do things like force connected machines to mine cryptocurrency, and, in this case, forward their details on traffic packets to a remote server.

“At present, a total of 7,500 MikroTik RouterOS device IPs have been compromised by the attacker and their TZSP traffic is being forwarded to some collecting IP addresses,” the researchers explained.

The infection does not appear to be targeting any specific region, as the hacked devices reside across five different continents with Russia, Brazil, and Indonesia being the most commonly impacted.

The researchers noted that the malware is also resilient to reboots, leaving a firmware update as the only permanent solution to the problem.

Coal miners

MikroTik routers grab their pickaxes, descend into the crypto mines

READ MORE

“In order for the attacker to gain control even after device reboot(ip change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker's URL,” Netlab wrote.

“The attacker also continues to scan more MikroTik RouterOS devices by using these compromised Socks4 proxy."

360 Netlab said it does not know what the ultimate aim of the attacker will be. They note, however, that the controller oddly seems to be interested in collecting traffic from the relatively obscure SNMP ports 161 and 162.

“This deserves some questions, why the attacker is paying attention to the network management protocol regular users barely use? Are they trying to monitor and capture some special users’ network snmp community strings?” 360 Netlab asked.

“We don’t have an answer at this point, but we would be very interested to know what the answer might be.” ®




Biting the hand that feeds IT © 1998–2018