Thousands of MikroTik routers have been hijacked through CVE-2018-14847, a known vulnerability in the MikroTik RouterOS operating system. The flaw is in the router's Winbox service (TCP port 8291), which serves the Winbox GUI administration utility used to configure the device.
According to NIST, Winbox for RouterOS through version 6.42 "allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID."
Researchers from 360 Netlab report that of more than five million internet-facing devices with TCP port 8291 open, 1.2 million are MikroTik routers, and roughly 370,000 of those remain unpatched against CVE-2018-14847.
Since mid-July, 360 Netlab's Anglerfish honeypot system has been picking up malware that exploits CVE-2018-14847 to carry out a range of malicious activity. Some of this activity, such as the injection of CoinHive mining code, has also been reported by other security researchers.
Exploitation attempts recorded by the honeypot, by source IP address:
5164 from 188.8.131.52
1347 from 184.108.40.206
1155 from 220.127.116.11
420 from 18.104.22.168
123 from 22.214.171.124
123 from 126.96.36.199
79 from 188.8.131.52
26 from 184.108.40.206
16 from 220.127.116.11
To stop the ongoing attack, router owners should upgrade RouterOS; MikroTik fixed the bug in 6.42.1 and in 6.40.8 on the long-term branch in April 2018. Owners should also disable the SOCKS proxy, which the attackers switch on once they control a router, although this requires the device's command line interface. Disabling the proxy alone does not close the hole: an unpatched router can simply be hijacked again, and because the flaw lets an attacker read the router's files, including stored credentials, passwords should be changed after patching.
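The clean-up described above, written out as RouterOS console commands. This is an added example, not configuration from the article or from 360 Netlab or MikroTik; the management subnet 192.168.88.0/24 and the placeholder password are assumptions to be replaced with your own values.

```routeros
# Added example (not from the article). Assumes the trusted management
# network is 192.168.88.0/24; adjust to your environment.

# 1. Patch first: CVE-2018-14847 is fixed in RouterOS 6.42.1 / 6.40.8.
#    The router reboots to apply the upgrade.
/system package update check-for-updates
/system package update install

# 2. Inspect and disable the SOCKS proxy the attackers enable.
#    Unfamiliar entries under "access" are a sign of compromise.
/ip socks print
/ip socks access print
/ip socks set enabled=no

# 3. Stop exposing Winbox to the internet. Restrict the service to the
#    management subnet and drop everything else at the input chain.
/ip service set winbox address=192.168.88.0/24
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address=!192.168.88.0/24 action=drop place-before=0 comment="drop Winbox from outside the management network"

# 4. The bug allows arbitrary file reads, so treat stored credentials as
#    leaked: rotate the admin password (placeholder value, an assumption)
#    and remove any accounts you did not create.
/user set admin password="replace-with-a-new-strong-password"
/user print

# 5. Look for persistence left behind: scheduler entries and scripts you
#    did not add. Remove anything unexpected.
/system scheduler print
/system script print
```

Apply the firewall rule before disabling SOCKS if the router is managed remotely over Winbox, so that you are not locked out of your own session; the service address restriction and the firewall rule overlap deliberately, since either one alone is easy to lose in a later configuration change.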
Duncan is a technology professional with over 20 years' experience in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.