Thousands Of MikroTik Routers Are Forwarding Traffic To Attackers

Thousands of MikroTik routers have been hijacked through the CVE-2018-14847 security vulnerability, this is a known bug which impacts the MikroTik RouterOS operating system. The vulnerability is present in Winbox, an administration utility in the MikroTik RouterOS which also offers a GUI for router configuration.

Version 6.42 of the OS “allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID,” according to NIST.

Researchers from 360 Netlab say that out of over five million devices with an open TCP/8291 port online, 1.2 million are MikroTik routers — of which, 370,000 devices remain unpatched against CVE-2018-14847.

Since Mid-July, the Anglerfish Honeypot System has been picking up malware exploiting the above MikroTik CVE-2018-14847 vulnerability to perform various malicious activities. Some of the activity has been spotted by other security researchers such as CoinHive mining code injecting.

Read the full report here – https://blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/

Top Attackers

5164 from 37.1.207.114
1347 from 185.69.155.23
1155 from 188.127.251.61
420 from 5.9.183.69
123 from 77.222.54.45
123 from 103.193.137.211
79 from 24.255.37.1
26 from 45.76.88.43
16 from 206.255.37.1

CVE-2018-14847 Detail

Winbox for MikroTik RouterOS through 6.42 allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.

Resolution

To stop the ongoing attack, router owners should update the software onboard. Owners can also deactivate the SOCKS proxy on the router, although this will require accessing the device’s command line interface.