Earlier August, experts uncovered a massive crypto jacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.
The campaign started in Brazil, but it is rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.
Now experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously, allowing attackers to hijack the traffic of the hacked devices.
“What’s more, we have observed massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.” reads the analysis published by Qihoo 360 Netlab.
“More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.”
According to the researchers, since Mid-July the hackers are exploiting the CVE-2018-14847 vulnerability in MikroTik routers to carry out the attacks.
The CVE-2018-14847 flaw was first revealed by WikiLeaks as part of the CIA Vault7 dump, the code for the exploitation of the issue was included in the hacking tool Chimay Red.
The Chimay Red hacking tool leverages 2 exploits, the Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.
Communication ports associated with the Winbox and Webfig are TCP/8291, TCP/80, and TCP/8080.
The researchers scanned the Internet for vulnerable devices, they found more than 5,000K devices with open TCP/8291 port, and 1,200k of them are Mikrotik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable.
Summarizing, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because owners have not updated them.
Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.
Netlab experts have detected a malware exploiting the CVE-2018-14847 vulnerability in the Mikrotik routers to perform a broad range of malicious activities, including traffic hijacking and CoinHive mining code injection.
The analysis shared by the experts includes the attack scenarios.
Once enabled the Mikrotik RouterOS HTTP proxy, the attackers hijack the HTTP proxy requests to a local HTTP 403 error page which injects a link for web mining code from Coinhive. Anyway the mining code used in this way cannot work because all the external web resources, including coinhive.com ones, are blocked by the proxy ACLs set by attackers themselves.”
The attackers enabled the Socks4 port or TCP/4153 on victims device, in this way the attacker gain persistence on the router even after it has been rebooted (IP change) by periodically reporting its latest IP address to the attacker’s URL.
“a total of 239K IPs are confirmed to have Socks4 proxy enabled maliciously. The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 18.104.22.168/25.” states the report
“In order for the attacker to gain control even after device reboot(ip change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL.”
Experts pointed out that all the 239,000 IP addresses only allow access from 22.214.171.124/25, actually mainly from the 126.96.36.199 address.
The MikroTik RouterOS devices to capture packets on the router and forward them to the specified Stream server, this feature could be abused by attackers to forward the traffic to IP addresses controlled by them. Experts noticed that a significant number of devices have their traffic going to the 188.8.131.52 IP.
Don’t waste time, update the MikroTik devices and also check if the HTTP proxy, Socks4 proxy, and network traffic capture function are being abused by attackers.