UH-OH: Unpatched routers being used to build vast proxy army, spy on networks. “Multiple malware campaigns are spreading hacks of MikroTik gear, including failed Monero miners.”

via arstechnica:

According to a report by Netlab 360’s Genshen Ye, more than 7,500 of them are actively being spied on by attackers, who are actively forwarding full captures of their network traffic to a number of remote servers. Additionally, 239,000 of the devices have been turned into SOCKS 4 proxies accessible from a single, small Internet address block.

MikroTik provides routing and wireless hardware for Internet service providers and businesses worldwide, including ISP and campus network infrastructure such as outdoor fiber routers and wireless backbones. The vulnerable routers discovered by Netlab 360, still configured with an unpatched interface for the company’s Winbox router configuration utility, are widely distributed—but the largest concentrations of affected networks were in Brazil and Russia. There were 14,000 devices identified operating using US-based IP addresses.

Previously, researchers at Trustwave had discovered two malware campaigns against MikroTik routers based on an exploit reverse-engineered from a tool in the Vault7 leak—the first originally targeting routers in Brazil with Coinhive malware. The attack injected the Coinhive JavaScript into an error page presented by the routers’ Web proxy server—and redirected all Web requests from the network to that error page. However, in routers affected by this type of malware found by the Netlab 360 team, the attackers had shot themselves in the foot. “All the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs (access control lists) set by attackers themselves,” noted Ye.
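As an added illustration (my own code, not from Ars Technica, Netlab 360 or Trustwave): a small Python audit that scans a RouterOS `/export` dump for the three indicators the excerpt describes, a SOCKS proxy switched on, the packet sniffer streaming traffic to a remote host, and a web-proxy access list that denies everything so every client lands on the proxy error page. It also replays the ACL the way RouterOS does (first matching rule wins, no match means allow) to show the foot-shot Ye describes: a blanket deny also blocks coinhive.com. The sample export is constructed, the addresses are documentation-range, and port 4153 and the glob-style `dst-host` matching are assumptions.

```python
"""Audit a RouterOS `/export` dump for the MikroTik abuse indicators above."""
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed sample export: not from any real device. 203.0.113.10 is a
# documentation-range address; the SOCKS port is an assumption.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4153
/ip proxy
set enabled=yes port=8080
/ip proxy access
add action=deny comment="captive error page"
/tool sniffer
set filter-ip-protocol=tcp streaming-enabled=yes streaming-server=203.0.113.10
"""


@dataclass
class Entry:
    section: str   # e.g. "/ip proxy access"
    verb: str      # "set" or "add"
    args: dict     # key=value pairs on the line


def parse_export(text):
    """Turn an /export dump into Entry records (sections start with '/')."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        # values may be bare tokens or double-quoted strings
        args = {k: v.strip('"')
                for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', rest)}
        entries.append(Entry(section, verb, args))
    return entries


def proxy_allows(rules, host):
    """Replay /ip proxy access: first matching rule wins; no match = allow.
    dst-host matching is approximated with fnmatch (assumption)."""
    for rule in rules:
        pattern = rule.args.get("dst-host")
        if pattern is None or fnmatch(host, pattern):
            return rule.args.get("action", "allow") == "allow"
    return True


def audit(text):
    """Return a list of human-readable findings for the dump."""
    entries = parse_export(text)
    findings = []

    def in_section(name):
        return [e for e in entries if e.section == name]

    for e in in_section("/ip socks"):
        if e.verb == "set" and e.args.get("enabled") == "yes":
            findings.append(
                f"SOCKS proxy enabled on port {e.args.get('port', '1080')}")

    for e in in_section("/tool sniffer"):
        if e.args.get("streaming-enabled") == "yes":
            findings.append("packet sniffer streams captured traffic to "
                            f"{e.args.get('streaming-server', '?')}")

    proxy_on = any(e.args.get("enabled") == "yes"
                   for e in in_section("/ip proxy"))
    rules = in_section("/ip proxy access")
    # "example.com" stands in for an ordinary client request (assumption)
    if proxy_on and not proxy_allows(rules, "example.com"):
        findings.append("web proxy denies ordinary requests: every client "
                        "is served the proxy error page")
        if not proxy_allows(rules, "coinhive.com"):
            findings.append("the same ACL also blocks coinhive.com, so an "
                            "injected miner cannot load its script")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("-", finding)
```

Run it against a real `/export` saved to a file to triage a fleet; a clean router should produce no findings, and anything it does report is worth checking against the device's change history.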

I’ve been very happy with the security features of Ubiquiti’s UniFi line of prosumer-grade network gear, which came recommended to me by an IT friend.

h/t SG
