MikroTik Routers Are Forwarding Owners’ Traffic to the Attackers [source: netlab.360]

2018-09-05 11:00 GMT+8, with the generous help from the AS64073, has been promptly suspended and is no longer a threat.


MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in countries around the world. In 1997, MikroTik created the RouterOS software system. In 2002, MikroTik decided to build its own hardware and created the RouterBOARD brand. Each RouterBOARD device runs the RouterOS software system.[1]

According to WikiLeaks, the CIA Vault7 hacking tool Chimay Red involves 2 exploits, including Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.[2]

Both Winbox and Webfig are RouterOS management components, while Winbox is a Windows GUI application and the Webfig is web based. Their corresponding communion ports are TCP/8291, TCP/80, and TCP/8080. [3] [4]

Since Mid-July, our Anglerfish Honeypot System has been picking up malware exploiting the above MikroTik CVE-2018-14847 vulnerability to perform various malicious activities. Some of the activity has been spotted by other security researchers such as CoinHive mining code injecting.[5][6]

What’s more, we have observed massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.

More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.

From 2018-08-09, we have made multiple rounds of measurements to calculate the scale of the CVE-2018-14847 vulnerability and exploitability on the Internet. We strictly followed the Winbox communication protocol to make sure those devices are indeed MikroTik routers, and to verify if the device has been hacked and what the hacked box is being up to. We understand the user devices come and go on the internet all the time, so the data used in this blog reflects what we saw between 2018-08-23~2018-08-24.

For more, click here.