If you own a MikroTik router, now's a good time to check if your software is up to date, as a mysterious attacker has been exploiting these devices to secretly eavesdrop on their internet traffic.
The hacker has been actively forwarding the network traffic from over 7,500 vulnerable MikroTik routers around the globe to servers under the attacker's control, according to security researchers at Qihoo 360's Netlab.
Routers in dozens of countries—including Russia, Iran, Brazil and the US—have all been ensnared in the eavesdropping scheme. However, Netlab is warning that the threat could expand since the hacker enabled the same data-forwarding protocol, called SOCKS4, in another 239,000 MikroTik routers. It isn't clear for what purpose, but so far, the attacker appears to be harvesting FTP (File Transfer Protocol) data, in addition to messaging and email traffic over SMTP, POP3, and IMAP.
Netlab researchers also noticed the scheme sniffing data related to a network management protocol that average consumers rarely use. "It is hard to say what the attacker is up to with these many SOCKS4 proxies but we think this is something significant," Netlab said in its report.
To pull this off, the hacker has been exploiting a known vulnerability in the vendor's RouterOS software that allows for remote administrative access to the device. MikroTik released a security fix in April, but according to Netlab's count, an estimated 370,000 devices remain unpatched.
The hacker behind the eavesdropping scheme appears to be the same actor who tried to exploit the routers to secretly run a cryptocurrency miner in early August. At the time, researchers estimated the mining had reached as many as 200,000 routers.
Netlab's own analysis claims the hacker's attempt to mine cryptocurrency through the routers failed to generate the virtual funds due to a configuration mistake. Nevertheless, the mining appears to have hogged the CPU resources from any device that connected to an affected MikroTik router.
Security researcher Troy Mursch told PCMag the unpatched vulnerability is also opening the door for the mysterious hacker to sell access to thousands of compromised routers on the digital black market. "Sky's the limit once you have root access," he said.
To stop the ongoing attack, router owners should update the software onboard. Owners can also deactivate the SOCKS proxy on the router, although this will require accessing the device's command line interface.
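As an added illustration of that last step (not part of the article or of MikroTik's own documentation), here is what the check and cleanup look like in the RouterOS terminal. It assumes RouterOS v6 command syntax and a router you administer yourself; the commands can be pasted into a WinBox/SSH terminal or saved as a `/system script`.

```routeros
# Added example: audit and disable the SOCKS proxy, then apply the vendor update.
# Assumes RouterOS v6 CLI syntax (constructed for illustration, not vendor code).

# 1. Record the current firmware version and SOCKS state before changing anything
/system resource print
/ip socks print
/ip socks access print

# 2. If the SOCKS proxy is on, turn it off and drop any access rules that were
#    added to it. On a home or small-office router it is normally disabled.
:if ([/ip socks get enabled]) do={
    :log warning "SOCKS proxy was enabled; disabling it"
    /ip socks set enabled=no
    /ip socks access remove [find]
}

# 3. Fetch the latest RouterOS package and install it (the router reboots
#    after a successful install).
/system package update check-for-updates
/system package update install
```

After the reboot, run `/ip socks print` again and confirm `enabled: no`; a setting that silently returns to `yes` is a sign that something else on the device is re-enabling it and the configuration should be reviewed in full.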