Attackers have compromised thousands of MikroTik routers to create a botnet

Researchers from China's Netlab 360 have announced the detection of thousands of malware-infected routers, produced by the Latvian company MikroTik. The vulnerability, which is used by attackers, was discovered in April, and the company has already released a patch for a long time to fix the problem.

But thousands of routers remain vulnerable now, because nobody updates their firmware — many companies and ordinary private users simply do not pay attention to this aspect. As for the total number of routers, about 7.5 thousand devices were compromised (what the experts found). In general, the network still operates about 370,000 routers, the vulnerability in the software that has not yet been fixed.

Malefactors collect data of users of the cracked devices, redirecting the received information on the servers. By the way, about 239,000 routers were turned into SOCKS 4 proxies, which are easily accessible.

As for the company MikroTik, it provides wireless equipment and software for it, supplying systems for both business and individuals. Latvian company devices are actively used by large network service providers. Most of the devices from this manufacturer are physically located in Brazil and Russia. A lot of them in the United States.

By the way, the Chinese are not the first who paid attention to the problem with Mirotik routers - earlier representatives of Trustwave drew attention to the malware attack on these devices. Vulnerability in network device software became known after a Vault7 leak. Initially, attackers injected Coinhive JavaScrip onto an error page, embedded in a router, then all web requests were redirected to this page. But the developers of the first malware for routers made a mistake, and blocked access to external pages for requests that are already being executed using a hacked device.

Second attack detectedthe Netlab 360 team, turned hacked network devices into a malicious proxy network using the SOCKS4 protocol for a non-standard TCP port (4153). And access in this case is open only to devices from a very limited range of IP addresses, 95.154.216.128/25. Virtually all traffic was directed to 95.154.216.167, the address that is associated with the hosting service, which is located in the UK.

So far it is not clear what exactly the hacked rotoiers are used for. Perhaps in order to search for other vulnerable devices.

As for the new problem with MikroTik, in this case, a sniffer based on the TZSP protocol is used. It is able to send packets to remote systems using Wireshark or its analogs. The 7500 compromised routers mentioned above forwarded network traffic, mainly FTP and e-mail. Also, a small amount of data related to remote control of network devices was noted, but for a narrow IP sample. Most data packets are sent to an IP provider from Belize.



This is not the only attack of this kind. Last month it became knownabout the group of attackers who exploited the vulnerability in the routers of another manufacturer - Dlink. In this case, cybercriminals could remotely change the settings of the router's DNS service in order to redirect the device user to a resource that was created by the hackers themselves.

Router models such as DLink DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B and DSL-526B are subject to vulnerabilities. It has already been mentioned above that few people follow the software update of routers, except for organizations where it is critically important (and not always), so that compromised routers can work for a very long time without detecting a problem. The August attack on Dlink was aimed at the clients of the two largest Brazilian banks - Banco de Brasil and Unibanco.

The attackers forged the websites of banks and redirected users to copies. As a result, unsuspecting victims entered the access data and thereby transmitted this information to cybercriminals.