Slashdot Mirror

← Back to Stories (view on slashdot.org)

MikroTik Routers Are Forwarding Owners' Traffic To Unknown Attackers (bleepingcomputer.com)

Posted by BeauHD on from the remote-control dept.

Attackers have been exploiting vulnerabilities in MikroTik routers to forward network traffic to a handful of IP addresses under their control. "The bug is in Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files," reports Bleeping Computer. "Exploit code is freely available from at least three sources from at least three sources." From the report: 360Netlab announced in a blog post today that more than 7,500 MikroTik routers across the world are currently delivering their TZSP (TaZmen Sniffer Protocol) traffic to nine external IP addresses. According to the researchers, the attacker modified the device's packet sniffing settings to forward the data to their locations. "37.1.207.114 is the top player among all the attackers. A significant number of devices have their traffic going to this destination," Qihoo experts inform.

The analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic. An unusual interest is in traffic from SNMP (Simple Network Management Protocol) ports 161 and 162, which researchers cannot explain at the moment. The largest number of compromised devices, 1,628, is in Russia, followed by Iran (637), Brazil (615), India (594) and Ukraine (544). The researchers say that security outfits in the affected countries can contact them at netlab[at]360.cn for a full list of IPs.

14 of 31 comments (clear)

  1. This is why you do not use routers by Anonymous Coward · · Score: 2, Funny

    have you inspected the source code? No, so do not use them. Just put your PC on the internet and use hosts files protection from /.

    1. Re: This is why you do not use routers by Anonymous Coward · · Score: 2, Informative

      Install Openwrt firmware instead

      Check if your router is compatible with openwrt first

      Openwrt.org

    2. Re:This is why you do not use routers by xQx · · Score: 1

      Right.

      Because Cisco let you inspect their source code, and your traffic would NEVER pass through one of those routers.

  2. This is why... by Nutria · · Score: 1

    I don't use Winbox.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:This is why... by toejam13 · · Score: 1

      ...I don't configure my management services to listen on publicly accessible interfaces. Those services should go onto dedicated out-of-band management interfaces. Nobody from an untrusted network should be able to get anywhere near them.

  3. Lol by llamalad · · Score: 1

    So they're targeting the non-SSL versions of services.

    And SNMP being included is somehow a mystery? If you were the sort who wanted illicit access to people's systems, networks, and communications why wouldn't you want to also catch their SNMP strings? It's notoriously insecure yet shockingly common; a great way to dig deeper into a compromised site.

    1. Re:Lol by viperidaenz · · Score: 3, Informative

      For someone in the security community to not know the significance of sniffing SNMP traffic is quite sad.
      Having the community strings would give an attacker the ability to map out every device on the entire network. In some cases the right community strings would give them access to change the configuration of the routers, firewalls and switches on the network. SNMP v1 and v2 are not secure.

  4. The place I see MikroTik gear by bferrell · · Score: 1

    Is as a raw device with something like OpenWRT or other customized firmware

  5. Re:This is why you do not use cheap routers by Anonymous Coward · · Score: 1

    This was patched back in April and only affected people who left services open to the internet and not firewalled off. Even the default config protects these with firewall rules.

    In short, you had to go out of your way to screw up the config to allow this to happen AND not patch it when it was known about.

    Meanwhile, with Cisco, you get deliberate backdoors installed from the factory.

  6. IMAP is not tcp/144 by TheDarkener · · Score: 2

    The analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic

    Uhh, that's 143 for IMAP. 144 is for "NewS window system" or "Universal Management Architecture".

    --
    It is pitch black. You are likely to be eaten by a grue.
  7. Re:24 hour ban by Bert64 · · Score: 1

    Great, so send spoofed packets to your router using the source addresses of google etc, watch your router block all access to legitimate sites for 24 hours because of spoofed packets.
    After 24 hours you do it again, trivially easy denial of service.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Patched in April by pradeepsekar · · Score: 4, Informative

    Patches were released by Mikrotik in April. The upgrades are easy - just a few mouse clicks. Configuring automatic upgrades is also easy. Out of the box, the routers come with a secure WAN configuration.

    Given this scenario, if users do not upgrade their router for a significant period of time, and/or configure the routers in a insecure manner, I would not apportion much blame on the supplier.

    All routers have had vulnerabilities. The question is how quickly the manufacturer fixes them, if the vulnerabilities were a result of malice or incompetence, is what I would use to judge the manufacturers. And Mikrotik would get one of the top ranks on these parameters. The article does not bring out these details.

  9. Re: what if I have multiple devices? by DontBeAMoran · · Score: 1

    So... you sort of have a border agent that wants to look at all the data on your phone before it crosses the border?

    Must be a U.S.A. router.

    --
    #DeleteFacebook
  10. Re:24 hour ban by Bert64 · · Score: 1

    Most consumer isps in the west don't, most business focused isps or transit providers do, as do many providers in other countries. Guess where someone malicious is going to launch their spoofed packet attacks from?

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!