Security researchers at Qihoo 360 Netlab have found that over 7,500 MikroTik routers have been compromised and had a malicious Socks4 proxy enabled on them. The experts also revealed a massive cryptojacking campaign that targeted MikroTik routers and injected Coinhive scripts into web traffic. The campaign started in Brazil, where over 200,000 devices were compromised.
How are Hackers Hijacking the Traffic of the Routers?
The researchers at Qihoo 360 Netlab found that on over 7,500 compromised MikroTik routers the attackers had enabled a Socks4 proxy on the victim’s device, which allows them to hijack the device’s traffic.
“What’s more, we have observed a huge number of victims having their Socks4 proxy enabled on the device by one single malicious actor,” reads the report published by Qihoo 360 Netlab. “More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.”
Hackers have been exploiting the vulnerability CVE-2018-14847 since mid-July to perform the attacks. The flaw was first found within the CIA Vault7 dump, which contains code for exploiting it using a tool named Chimay Red. The tool uses two exploits, the Winbox arbitrary directory file read (CVE-2018-14847) and a Webfig remote code execution vulnerability, and targets TCP ports 8291, 80 and 8080.
How many routers are affected by this vulnerability?
Researchers at the company scanned over 5 million devices; 1.2 million of them are MikroTik routers, and more than 30% of those are vulnerable to this flaw. Some 370,000 of the 1.2 million routers are vulnerable to the exploit because their firmware has not yet been patched, with most of the vulnerable devices located in Brazil and Russia. The vulnerability allows an attacker to hijack traffic and insert malicious scripts or a coin miner such as Coinhive.
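For an administrator who wants to check their own devices for the two conditions the article describes (the Socks4 proxy having been switched on, and the Winbox/Webfig management services being reachable from any address), the following is an added example, written for this page and not Netlab's or MikroTik's tooling. It assumes the flat syntax of a RouterOS `/export` listing (a `/menu path` line followed by `set`/`add` lines of `key=value` pairs, with default values omitted); both configuration samples are constructed, and the default SOCKS port 1080 used in the weak sample is an assumption.

```python
"""Audit a RouterOS "/export" listing for the symptoms described above:
the SOCKS proxy switched on, and Winbox (TCP/8291) or Webfig (TCP/80)
reachable from any address. Illustrative example, not Netlab's tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Matches key=value pairs; values may be double-quoted (possibly with spaces).
KV_RE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')

# Management services the article ties to the attacks: Winbox and the
# Webfig web UI (served by the www / www-ssl services).
WEB_FACING_SERVICES = {"winbox", "www", "www-ssl"}

# Constructed sample of a weak configuration (not taken from a real device).
WEAK_EXPORT = """\
# jan/02/1970 00:00:00 by RouterOS 6.40.5
/ip socks
set enabled=yes port=1080
/ip service
set telnet disabled=yes
set winbox address="" port=8291
set www port=80
set www-ssl disabled=yes
"""

# Constructed hardened counterpart: SOCKS off, management bound to the LAN.
HARDENED_EXPORT = """\
/ip socks
set enabled=no
/ip service
set winbox address=192.168.88.0/24 port=8291
set www address=192.168.88.0/24 port=80
set www-ssl disabled=yes
"""


@dataclass
class Entry:
    section: str          # menu path, e.g. "/ip service"
    verb: str             # "set" or "add"
    name: str | None      # item name for "set <name> ..." lines, else None
    params: dict = field(default_factory=dict)


def parse_export(text: str) -> list[Entry]:
    """Parse the flat RouterOS export syntax into Entry records."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or export banner
        if line.startswith("/"):
            section = line                # new menu path, e.g. "/ip socks"
            continue
        verb, _, rest = line.partition(" ")
        name = None
        first = rest.split(" ", 1)[0]
        if first and "=" not in first:    # "set winbox ..." names an item
            name, rest = first, rest[len(first):]
        params = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entries.append(Entry(section, verb, name, params))
    return entries


def audit_export(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for e in parse_export(text):
        if e.section == "/ip socks" and e.params.get("enabled") == "yes":
            findings.append(
                f"SOCKS proxy enabled on port {e.params.get('port', '1080')}: "
                "the router can relay, and an attacker eavesdrop on, client traffic")
        # RouterOS omits default values from an export, so a service line with
        # no "disabled=" is enabled and one with no "address=" is unrestricted.
        if (e.section == "/ip service" and e.name in WEB_FACING_SERVICES
                and e.params.get("disabled", "no") != "yes"
                and not e.params.get("address")):
            findings.append(
                f"service {e.name} (port {e.params.get('port', '?')}) accepts "
                "connections from any address; restrict it with address=")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"[{label}]")
        for finding in audit_export(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the weak sample the audit reports three findings (SOCKS enabled, Winbox on 8291 unrestricted, www on 80 unrestricted); against the hardened sample it reports none. Disabling SOCKS and binding the management services to a trusted address range does not replace patching the firmware, but it removes the exposure on TCP/8291, 80 and 8080 that the campaign relied on.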