Red Security
News: MikroTik Routers Being Hijacked to Intercept Traffic

Red Security (https://redsecurity.info/cc)
Thread: News MikroTik Routers Being Hijacked to Intercept Traffic (/showthread.php?tid=735)



MikroTik Routers Being Hijacked to Intercept Traffic - Mad-Architect - 09-05-2018



Security researchers from Qihoo 360 Netlab have discovered that 7500 MikroTik routers have been compromised utilizing a malicious Socks4 proxy. They also discovered a huge crypto jacking campaign which was found targeting MikroTik routers and injecting Coinhive scripts into web traffic. This was found to have started in Brazil, where over 200,00 devices were compromised.


“What’s more, we have observed a huge number of victims having their Socks4 proxy enabled on the device by one single malicious actor,” reads the review published by Qihoo 360 Netlab. “More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.”


The attacker or attackers were utilizing a vulnerability designated CVE-2018-14847 since about mid-July to perform the attacks. This flaw was first discovered within the CIA Vault-7 data dump, which contains the code for exploitation of the flaw. They utilized this flaw using a tool called Chimay-Red. The tool itself uses two exploits: the Winbox any-directory file read and the Webfig remote code execution vulnerabilities, which target ports TCP/8291, 80, and 8080.

Qihoo researchers performed a scan of over 5000 devices; 1200 of those were MikroTik routers, and over 30% of them are still vulnerable to CVE-2018-14847. There are still 1.2 million that are still vulnerable, and the majority of these are located in both Brazil and Russia. The vulnerability allows attackers to hijack traffic and insert malicious scripts.


---Sh7nk-Z0id
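The post names two indicators a defender can check for on their own fleet: the Socks4 proxy being switched on by someone other than the administrator, and miner scripts showing up in web pages passing through the router. The script below is an added example (not from the post, Qihoo 360 Netlab, or MikroTik) that audits a RouterOS `/export` dump for an enabled `/ip socks` or `/ip proxy` service and scans an HTTP response body for an injected Coinhive script tag. The export text and the HTML are constructed sample data; the `coinhive.example` hostname is a placeholder, and the assumption that a `set ... enabled=yes` line under `/ip socks` marks the proxy as on follows RouterOS export syntax.

```python
import re
from typing import Dict, List

# Constructed sample of a RouterOS "/export" dump showing the indicator the post
# describes: the Socks proxy enabled on a non-default port. Example data only.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4153
/ip proxy
set enabled=yes port=8080
/system identity
set name=edge-router
"""

# Constructed export of a router with both proxies off, for comparison.
CLEAN_EXPORT = """\
/ip socks
set enabled=no
/ip proxy
set enabled=no
"""

# Constructed HTTP response body with an injected miner <script>; the host is a
# placeholder, not a real indicator taken from the post.
SAMPLE_HTML = """<html><head><title>shop</title>
<script src="https://coinhive.example/lib/coinhive.min.js"></script>
</head><body>hello</body></html>"""


def parse_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a RouterOS export into {section: {key: value}} for 'set key=value' lines.

    Lines beginning with '/' open a section (e.g. '/ip socks'); the following
    'set ...' lines carry key=value pairs that belong to that section.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, {})
            continue
        if current is not None and line.startswith("set "):
            for key, value in re.findall(r"(\S+?)=(\S+)", line[4:]):
                sections[current][key] = value
    return sections


def audit_export(text: str) -> List[str]:
    """Return human-readable findings for proxy services that are enabled."""
    cfg = parse_export(text)
    findings: List[str] = []
    socks = cfg.get("/ip socks", {})
    if socks.get("enabled") == "yes":
        # RouterOS defaults the socks port to 1080; report whatever is configured.
        findings.append(f"socks proxy enabled (port {socks.get('port', '1080')})")
    proxy = cfg.get("/ip proxy", {})
    if proxy.get("enabled") == "yes":
        findings.append(f"web proxy enabled (port {proxy.get('port', '8080')})")
    return findings


def find_miner_scripts(html: str) -> List[str]:
    """Return the src of every <script> tag whose URL mentions coinhive."""
    srcs = re.findall(r"<script[^>]+src=[\"']([^\"']+)[\"']", html, flags=re.I)
    return [s for s in srcs if "coinhive" in s.lower()]


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print("FINDING:", finding)
    for src in find_miner_scripts(SAMPLE_HTML):
        print("INJECTED SCRIPT:", src)
```

Run the export check against a dump pulled from each router you manage; a Socks or web proxy you did not turn on is the condition the post describes and is worth treating as a compromise until explained. The HTML check is meant for a response captured downstream of the router, so a hit tells you traffic is being rewritten somewhere on the path rather than by the origin server.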