Attackers compromising MikroTik routers have configured the devices to forward network traffic to a handful of IP addresses under their control.

Cybercriminals gained access to the devices by exploiting  CVE-2018-14847, a vulnerability that has been patched since April.

The bug is in Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files. Exploit code is freely available from at least three sources from at least three sources (1, 2, 3).

Starting the middle of July, security researchers from Qihoo 360 Netlab noticed on their honeypot system malicious activity aimed at MikroTik routers.

Their observations revealed the recent cryptojacking campaign that affected over 200,000 devices, as well as an operation intended to collect traffic from compromised devices.

Attackers vacuum the traffic

360Netlab announced in a blog post today that more than 7,500 MikroTik routers across the world are currently delivering their TZSP (TaZmen Sniffer Protocol) traffic to nine external IP addresses.

According to the researchers, the attacker modified the device's packet sniffing settings to forward the data to their locations.

"37.1.207.114 is the top player among all the attackers. A significant number of devices have their traffic going to this destination," Qihoo experts inform.

The analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 143, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic. An unusual interest is in traffic from SNMP (Simple Network Management Protocol) ports 161 and 162, which researchers cannot explain at the moment.

The largest number of compromised devices, 1,628, is in Russia, followed by Iran (637), Brazil (615), India (594) and Ukraine (544). The researchers say that security outfits in the affected countries can contact them at netlab[at]360.cn for a full list of IPs.

Failed mining operation

Qihoo's analysis discovered that about 31% of MikroTik devices currently exposed online are vulnerable to CVE-2018-14847. This accounts for 370,000 endpoints, most of them present in Brazil and Russia.

Current attacks seek to infect them with the browser-based Coinhive cryptomining script. Cybercriminals achieve this by redirecting HTTP proxy settings to an error page they created, where they placed the mining script.

"By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users’ devices," the researchers say.

However, the attackers made a mistake and set up proxy access control lists that block all external web resources, including those required for the mining operation.

Malicious Sock4 proxy setup

The largest number of compromised MikroTik routers have a malicious Socks4 proxy configured, which allows access from the 95.154.216.128/25 IP address block.

To achieve persistence, the adversary scheduled a task on the device to report its current IP address by connecting to a specific URL.

"At this point, all the 239K IPs only allow access from 95.154.216.128/25, actually mainly 95.154.216.167. It is hard to say what the attacker is up to with these many Sock4 proxies but we think this is something significant," inform the experts.

Researchers recommend MikroTik users to install the latest firmware version on the device. Based on the information provided by Qihoo users can check if HTTP proxy, Socks4 proxy, and network traffic capture features are active and exploited by a malicious actor.

Update 9/4/18: Fixed typo that stated TCP port 144 instead of 143.