
Over 7,500 MikroTik routers exploited by hackers to spy on users

  • Cybercriminals exploited a known vulnerability in MikroTik routers to spy on user traffic.
  • A majority of victims are from Russia followed by Brazil, Indonesia, India and Iran.

Threat actors are exploiting a known vulnerability in MikroTik routers to snoop on user traffic. The vulnerability is tracked as CVE-2018-14847 and was found in Winbox and Webfig, the management components of RouterOS, the routers' operating system.

By exploiting the flaw, cybercriminals can read files that flow through the router without authentication. Although MikroTik released an update fixing the flaw in August, many routers remain unpatched and vulnerable.

360 Netlab researchers, who discovered the attacks, stated that the vulnerability has affected more than 7,500 victims. The victims’ traffic is forwarded to IP addresses controlled by unidentified attackers. As of August 24, researchers detected over 5 million devices with an open TCP/8291 port, of which 1.2 million were MikroTik. Out of these 1.2 million, about 31 percent were vulnerable to the flaw.

“The MikroTik RouterOS device allows users to capture packets on the router and forward the captured network traffic to the specified Stream server,” said the researchers, adding that ports 20, 21, 25, 110 and 143 were mostly used by the hackers for eavesdropping.

Motive still unclear

“This deserve[s] some questions, why the attacker is paying attention to the network management protocol regular users barely use?” 360 Netlab researchers said. “Are they trying to monitor and capture some special users' network snmp community strings? We don't have an answer at this point, but we would be very interested to know what the answer might be.”

A majority of victims are from Russia; however, the hackers also spied on victims in Brazil, Indonesia, India and Iran. Following the discovery, one of the IP addresses used by the threat actors has been suspended.

To stay safe from the vulnerability, users have been urged to update MikroTik RouterOS in time.

“We recommend that MikroTik RouterOS users update the software system in a timely manner, and check whether the http proxy, Socks4 proxy and network traffic capture function are being maliciously exploited by attackers,” said 360 Netlab researchers.
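The check the researchers recommend can be run against a saved configuration export. The following is an added example, not code from 360 Netlab or MikroTik: it parses the text produced by the RouterOS `/export` command and reports an enabled HTTP proxy, SOCKS proxy or sniffer streaming target for review. The sample export is constructed, and the menu and property names (`/ip proxy`, `/ip socks`, `/tool sniffer`, `streaming-enabled`, `streaming-server`) are RouterOS names that do not appear in the article.

```python
import re

# Constructed sample of `/export` output (not taken from a real device).
# 192.0.2.10 is a documentation address standing in for an unknown collector.
SAMPLE_EXPORT = r"""
/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes
/tool sniffer
set filter-port=20,21,25,110,143 streaming-enabled=yes \
    streaming-server=192.0.2.10
"""

# (menu path, property, value that warrants review, label)
CHECKS = [
    ("/ip proxy", "enabled", "yes", "HTTP proxy enabled"),
    ("/ip socks", "enabled", "yes", "SOCKS proxy enabled"),
    ("/tool sniffer", "streaming-enabled", "yes", "sniffer streaming enabled"),
]

def parse_export(text):
    """Return {menu path: {property: value}} for the `set` lines of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    config, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("set "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            config.setdefault(menu, {}).update((k, v.strip('"')) for k, v in pairs)
    return config

def audit(text):
    """List the settings an administrator should confirm were made on purpose."""
    config = parse_export(text)
    findings = []
    for menu, prop, bad, label in CHECKS:
        section = config.get(menu, {})
        if section.get(prop) == bad:
            # Show where traffic goes (sniffer) or which port listens (proxies).
            detail = section.get("streaming-server") or section.get("port", "")
            findings.append(f"{label}: {detail}" if detail else label)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("REVIEW:", finding)
```

A finding is a prompt for review rather than proof of compromise, since an administrator may have enabled any of these features deliberately.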

Cyware Publisher