7,500 MikroTik routers being eavesdropped, traffic forwarded to attackers

If you have a MikroTik router, take the time to make sure it is running the latest firmware: security researchers discovered that thousands of compromised MikroTik routers are sending traffic to nine attacker-controlled IPs.

Since July, researchers from the China-based Netlab 360 have noticed, via a honeypot, malware exploiting MikroTik routers. Attackers are exploiting the MikroTik CVE-2018-14847 flaw, which was patched in April.

The critical vulnerability, involving Winbox for MikroTik, “allows remote attackers to bypass authentication and read arbitrary files.” Proof-of-concept exploits have been around for several months; that same vulnerability, the researchers pointed out, was exploited by the CIA’s hacking tool Chimay Red, according to WikiLeaks Vault7.

Some router owners might have patched within the last month to avoid becoming infected with cryptocurrency malware, as security researchers found several Coinhive cryptojacking campaigns aimed at thousands of MikroTik routers.