Unpatched Routers Are Under Attack from Hackers

Netlab 360 found hackers eavesdropping on network traffic from unpatched MikroTik routers

Researchers at China's Netlab 360, routers from the Latvian router brand MikroTik, and the CIA "Vault7" tool published by WikiLeaks

A report by Genshen Ye of Netlab 360 revealed that more than 7,500 routers are being spied on by attackers who actively forward their network traffic to remote servers. In addition, 239,000 devices have been turned into SOCKS4 proxies that can be reached only from a small block of Internet addresses.

MikroTik provides routing and wireless hardware for service providers and businesses worldwide, including ISP and campus network infrastructure such as fiber routers and wireless backbones. The vulnerable routers discovered by Netlab 360 are widespread and still run an unpatched version of the company's Winbox router configuration interface. The most affected networks are in Brazil and Russia; 14,000 of the affected devices use US-based IP addresses.

Previously, researchers at Trustwave had discovered two malware campaigns targeting MikroTik routers; the one that delivered CoinHive targeted routers in Brazil. That attack injected the Coinhive JavaScript into an error page served by the router's web proxy and redirected all web requests from the network to that error page. In the routers affected by the malware discovered by the Netlab 360 team, however, the attackers shot themselves in the foot: "All external web resources, including the resources required for digital currency mining, are blocked by access control lists set up by the attackers themselves," said Genshen Ye.

Another attack discovered by the Netlab 360 team turns the affected routers into a malicious proxy network using the SOCKS4 protocol over TCP port 4153, a port that is rarely used. Ye also noted, "It is very interesting that the Socks4 proxy settings only allow one block." Almost all of the traffic goes to that address, which is associated with a hosting service in the UK.

The attack also includes a scheduled task that reports the router's IP address back to the attacker, which helps keep the SOCKS proxy reachable after the router is restarted. It is not clear what the proxies are being collected for, but they are currently being used continuously to scan for other vulnerable routers.

The eavesdropping attack uses MikroTik's built-in packet sniffing capability. The sniffer uses the TZSP protocol to stream captured packets to a remote system running Wireshark or another packet-monitoring tool. The Netlab 360 team noticed that more than 7,500 routers were forwarding captured network traffic, some of it flows associated with large FTP transfers, email-centric traffic and network management, to only a handful of addresses. The vast majority of flows (5,164) were being sent to an address associated with an Internet service provider in Belize.
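As an added example (not code from the Netlab 360 report or from MikroTik), the following Python parses the TZSP datagram format described above and flags, in constructed flow records, the two indicators this article describes: a router streaming TZSP captures to an address outside the operator's own ranges, and outside hosts connecting to the TCP/4153 SOCKS4 listener. The default TZSP port 37008 is an assumption, and the sample datagram and flow records are constructed.

```python
import ipaddress
import struct

TZSP_PORT = 37008   # assumed: default UDP port a MikroTik sniffer streams to
SOCKS4_PORT = 4153  # TCP port the report says the rogue SOCKS4 proxies use

def parse_tzsp(datagram: bytes) -> dict:
    """Parse one TZSP datagram: 4-byte header (version, type, encapsulation),
    a tag list (tag, length, value; 0x00 = padding, 0x01 = end), then the frame."""
    if len(datagram) < 4:
        raise ValueError("too short for a TZSP header")
    version, tzsp_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == 0x01:          # end of tags; the sniffed frame follows
            break
        if tag == 0x00:          # padding byte, carries no length
            continue
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    return {"version": version, "type": tzsp_type, "encap": encap,
            "tags": tags, "payload": datagram[pos:]}

def flag_flows(flows, internal_nets):
    """flows: (src_ip, dst_ip, proto, dst_port). Flag TZSP exports leaving
    the internal ranges and inbound TCP/4153 connections from outside them."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    inside = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    alerts = []
    for src, dst, proto, dport in flows:
        if proto == "udp" and dport == TZSP_PORT and not inside(dst):
            alerts.append(("tzsp-export", src, dst))
        elif proto == "tcp" and dport == SOCKS4_PORT and not inside(src):
            alerts.append(("socks4-inbound", src, dst))
    return alerts

# Constructed sample: version 1, type 0, Ethernet encapsulation (1), one
# padding byte, tag 0x12 with a 1-byte value, end tag, then a 14-byte Ethernet header.
FRAME = bytes.fromhex("aabbccddeeff 112233445566 0800")
SAMPLE = b"\x01\x00\x00\x01" + b"\x00" + b"\x12\x01\x06" + b"\x01" + FRAME
FLOWS = [("192.0.2.1", "10.0.0.5", "udp", 37008),      # export stays internal
         ("192.0.2.1", "203.0.113.77", "udp", 37008),  # export to the outside
         ("198.51.100.9", "192.0.2.1", "tcp", 4153)]   # outside host uses SOCKS4
```

Feeding real NetFlow or firewall records into `flag_flows` with the operator's own prefixes as `internal_nets` gives a quick first pass for both indicators; `parse_tzsp` can then be run on any captured UDP/37008 payload to confirm it is a sniffer stream.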