MikroTik Routers hijacked by hackers and Redirecting User Traffic to Attackers
MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware. It can also be installed on a PC and will turn it into a router with all the necessary features – routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more.
Cyber Criminals compromised around 7,500+ MikroTik Routers and maliciously enables the Socks4 proxy to redirect the legitimate user’s traffic to the malicious website controlled by attackers to perform web mining and other attacks.
At present, totally 239K IPs have confirmed to have Socks4 proxy enabled maliciously and the attacker continuously scanning the MikroTik RouterOS devices with the help of this compromised Socks4 proxy.
Previously Cybercriminals infected over 1,50,000 MikroTik Routers with Coinhive Cryptojacking Campaign using site key to ultimately mining the cryptocurrency.
MikroTik provides hardware and software for Internet connectivity around the world and they also created a RouterOS software.
With this campaign, one single malicious hacker involved in enabling the Socks4 proxy on the victim’s devices and the victim’s count keeps increasing since the attacker continuously working for it.
Earlier attacks on MikroTik routers such as CIA Vault7 hacking tool Chimay Red involves 2 exploits and also another malware has exploited the MikroTik CVE-2018-14847 vulnerability to perform various malicious activities.
How Do MikroTik Routers attack Works
Once the attacker enables the Mikrotik RouterOS HTTP proxy by exploiting the vulnerability CVE-2018-14847, then the compromised devices HTTP proxy requests traffic redirect to a local HTTP 403 error page.
This error page contains a link for web mining code from coinhive where attackers perform web mining operation.
Another attack scenario represents that, an attacker enabled the Socks4 port or TCP/4153 on victims device and set the Socks4 proxy config only allows access from one single net-block 184.108.40.206/25.
Attackers mainly targeting Russia, Iran, India, Ukraine, and many more countries. So MikroTik users recommend updating the MikroTik RouterOS software system in a timely manner, and check whether the HTTP proxy, Socks4 proxy, and network traffic capture function are being maliciously exploited by attackers.
Highest Selling Technical Courses of Indian Cyber Security Solutions:
Cybersecurity services that can protect your company:
Other Location for Online Courses: