NetLab 360 found hackers listening to network traffic from untreated routers from MicroTik
Researchers of Chinese Netlab 360, Latvian router brand MicroTik routers, WikiLeaks' CIA "Vault7" tool
A report by Genshen Ye from Netlab 360 revealed that more than 7500 routers were being watched by attackers actively routing network traffic to remote servers. . In addition, 239 thousand devices have been converted to SOCKS 4 proxyler, which can be accessed from a small Internet address block.
Worldwide Internet, including ISS and campus network infrastructures, such as microtext, open-air fiber routers and wireless backbones providing routing and wireless hardware for service providers and businesses. These vulnerable routers, discovered by NetLab 360 and quite common, still use an untested interface of the company's Winbox router configuration program. The most affected nets are in Brazil and Russia. The number of devices using US-based IP addresses is 14,000.
Netlab 360 Another attack discovered by the team is to turn the affected routers into a malicious proxy network using the SOCKS4 protocol over 4153, a very unused TCP port. Another explanation of Ye is "It is very interesting that Socks4 proxy settings only allowed block 126.96.36.199/25". Almost all of the traffic goes to the address 188.8.131.52, which is associated with a hosting service in the UK.
The attack is that the IP address of the router is restored to the attacker in order to help maintain the continuity of the SOCKS proxy when the router is restarted. It also includes a scheduled task to be notified. It is not clear what proxy is collected for, but they are now constantly being used to find other vulnerable routers.
5 Simple Ways to Provide Your Protection from Hackers
The listening attack utilizes MicroTik's built-in packet sniffing capabilities. The sniffer using the TZSP protocol can send packet streams to a remote system using Wireshark or other packet monitoring tools. The Netlab 360 team noticed that more than 7,500 routers captured captured network traffic-some of the traffic flows associated with large FTP and email-centric traffic and network management-only a few adrese. The vast majority of flows (5,164) were being sent to an Adrese associated with an Internet Service Provider in Belize.