Pwned MikroTik Routers Eavesdrop On Network Traffic

The Silicon Review
05 September, 2018

Another day, another hack!

It has been just a month since news broke of a crypto-mining malware campaign that compromised more than 200,000 MikroTik routers. Now another report is causing a stir.

Chinese security researchers at Qihoo 360 Netlab have recently found that more than 7,500 routers have been compromised to actively eavesdrop on the targeted network traffic.

The vulnerabilities in the MikroTik routers are the Winbox flaw (CVE-2018-14847) and a Webfig remote code execution vulnerability, exploited by the CIA Vault 7 hacking tool called Chimay Red. Winbox and Webfig are both RouterOS management components, with communication ports TCP/8291, TCP/80, and TCP/8080. Designed for Microsoft Windows, Winbox is used to configure the routers manually; the vulnerability allows attackers to bypass authentication and read arbitrary files.

As a safety move, vendors have rolled out security updates to close the loophole. But according to researchers, a large number of MikroTik routers are still vulnerable to CVE-2018-14847. Victims of the malware campaign are spread across several nations: Russia, Iran, Brazil, India, Ukraine, Bangladesh, Indonesia, Ecuador, the United States, Argentina, Colombia, Poland, Kenya, Iraq, and a few more European and Asian nations, with Russia being the most affected.

If you think your router may be affected, the best way to protect yourself is to PATCH. It is highly recommended that users update their MikroTik routers and check whether the HTTP proxy, Socks4 proxy, and network traffic capture function are being maliciously exploited.
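One way to run that check offline, as an added example that is not from the article or from MikroTik: the script parses the text produced by the RouterOS `/export` command and flags the three features named above when they are switched on. The sample configuration, the address 192.0.2.10 and the function names are constructed for illustration; a flagged feature is a prompt to review who enabled it, since each can also be turned on legitimately.

```python
import re

# Constructed sample of RouterOS `/export` output (not from the article).
SAMPLE_EXPORT = r'''/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes port=1080
/tool sniffer
set filter-interface=ether1 streaming-enabled=yes \
    streaming-server=192.0.2.10
/system identity
set name=branch-gw
'''

# Menu path -> (key that must be "yes", label, setting worth reporting)
CHECKS = {
    "/ip proxy": ("enabled", "HTTP proxy enabled", "port"),
    "/ip socks": ("enabled", "SOCKS proxy enabled", "port"),
    "/tool sniffer": ("streaming-enabled", "sniffer streaming captured traffic", "streaming-server"),
}

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Return {menu_path: {key: value}} from RouterOS export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line  # a line starting with "/" selects the menu
        elif line.startswith("set ") and current:
            for key, val in KV.findall(line):
                menus.setdefault(current, {})[key] = val.strip('"')
    return menus

def audit(text):
    """List the features named in the article that are switched on."""
    findings = []
    menus = parse_export(text)
    for path, (flag, label, detail) in CHECKS.items():
        settings = menus.get(path, {})
        if settings.get(flag) == "yes":
            findings.append(f"{label} ({detail}={settings.get(detail, 'default')})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("REVIEW:", finding)
```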
