According to security researchers at Qihoo 360 Netlab, more than 7,400 MikroTik routers have been reconfigured by unknown attackers so that the traffic passing through them is forwarded off-site and eavesdropped on.

The affected routers were concentrated in Russia, Iran, Brazil, and Ukraine. Russia had by far the most, with 1,628 recorded instances of eavesdropping, while each of the other three countries had between 540 and 640. Russia's lead may simply be a matter of geography: MikroTik is a Latvian company, and its proximity to Russia means a larger installed base of MikroTik hardware there, so there is more of it to compromise.

The researchers have said they observed a “massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.” The attackers are exploiting RouterOS vulnerabilities that MikroTik patched back in April, using tooling derived from the Chimay Red exploit published in the Vault7 leak; the victims are routers that were never updated. Once in, they turn on the router's built-in packet sniffer and have it stream the captured packets, encapsulated in TZSP (TaZmen Sniffer Protocol), to IP addresses outside the victim's network.

The sniffer is filtered to the FTP-data and FTP, SMTP, POP3, and IMAP ports (20, 21, 25, 110, and 143), protocols that carry credentials and mail in plaintext when not wrapped in TLS. There is also evidence of interest in the SNMP ports 161 and 162, which expose device and network information. The attackers have also left a trail of breadcrumbs. The HTTP proxy they enabled on the routers serves victims an HTTP 403 error page containing a link to crypto-mining code from coinhive.com, which led the researchers to conclude that the intent is to mine cryptocurrency in the browsers of users whose web traffic passes through the proxied routers. Ironically, the resources the miner needs to run are blocked by the very same proxy the attackers set up.
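All three footholds described above (a SOCKS proxy switched on, the web proxy switched on, and the packet sniffer streaming TZSP captures to an outside host) are visible in the router's own configuration. The Python script below is an added example, not code from the original post or from Netlab: it parses the text of a RouterOS `/export` dump and flags those three settings, treating a sniffer streaming server outside RFC 1918 space (or outside networks you pass in as trusted) as the most serious finding. The sample export is constructed for illustration, and the attacker address and SOCKS port in it are made-up values.

```python
"""Audit a RouterOS `/export` dump for the footholds used in the MikroTik
eavesdropping campaign: SOCKS proxy on, web proxy on, and `/tool sniffer`
streaming TZSP captures to a host outside the network.

Added example; not code from the original post or from Netlab.
"""
import ipaddress
import re

# Constructed sample of the relevant sections of a compromised router's
# `/export` output. The streaming-server address and SOCKS port are made up.
SAMPLE_EXPORT = """\
# constructed sample export
/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes port=4153
/tool sniffer
set filter-interface=all filter-ip-protocol=tcp \\
    filter-port=ftp-data,ftp,smtp,pop3,imap,161,162 streaming-enabled=yes \\
    streaming-server=203.0.113.10
"""

# key=value pairs as they appear on RouterOS `set`/`add` lines
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Streaming to any of these is at least not leaving the site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} from RouterOS export text.

    Handles the trailing-backslash line continuation RouterOS uses to wrap
    long `set`/`add` lines, and skips comment lines.
    """
    sections, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continued on the next line
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # e.g. "/tool sniffer"
            section = line
            sections.setdefault(section, [])
            continue
        if section is None:
            continue
        entry = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        entry["_cmd"] = line.split()[0]  # "set" or "add"
        sections[section].append(entry)
    return sections


def is_external(host, allowed):
    """True when the sniffer destination is not in any allowed network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: captures should never leave the site anyway
    return not any(addr in net for net in allowed)


def audit(text, trusted=()):
    """Return a list of (severity, message) findings for an export dump.

    `trusted` may list extra CIDR networks (e.g. your own capture host) that
    the sniffer is allowed to stream to.
    """
    allowed = INTERNAL_NETS + [ipaddress.ip_network(n) for n in trusted]
    cfg = parse_export(text)
    findings = []
    for e in cfg.get("/ip socks", []):
        if e.get("enabled") == "yes":
            findings.append(("high", f"SOCKS proxy enabled on tcp/{e.get('port', '1080')}"))
    for e in cfg.get("/ip proxy", []):
        if e.get("enabled") == "yes":
            findings.append(("medium", f"web proxy enabled on tcp/{e.get('port', '8080')}"))
    for e in cfg.get("/tool sniffer", []):
        if e.get("streaming-enabled") != "yes":
            continue
        server = e.get("streaming-server", "0.0.0.0")
        ports = e.get("filter-port", "any")
        sev = "critical" if is_external(server, allowed) else "medium"
        findings.append((sev, f"sniffer streams TZSP captures to {server} (filter-port={ports})"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_EXPORT):
        print(f"[{sev}] {msg}")
```

Run it against `/export` output collected over a channel you trust (not through the router's own HTTP proxy), and pair it with egress monitoring: RouterOS streams sniffer captures as TZSP over UDP to port 37008 by default, so flows on that port from a router to an address you do not own are exactly the kind of thing NetFlow-based alerting should catch.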

To keep incidents like this from happening in the first place, build your network on recommended hardware and software security controls and keep network devices patched; the routers hit here were running firmware with fixes available since April. If your organization does not have the resources to do that in-house, look into third-party solutions. CHR Managed Services has extensive experience applying cybersecurity best practices while engineering reliable and secure networks. We also offer services such as NetFlow-based traffic monitoring, which would alert all relevant parties to the kind of unexpected outbound traffic seen in the MikroTik attack.
