Security researchers at the Chinese security company Qihoo 360 Netlab have discovered that 7,500 MikroTik routers have been compromised and are forwarding traffic to attackers.
Out of 1.2M devices scanned, 370,000 (30.83%) are vulnerable to the Winbox Any Directory File Read vulnerability (CVE-2018-14847).
According to WikiLeaks, CVE-2018-14847 is one of two exploits included in the CIA Vault7 hacking tool Chimay Red; the other is the Webfig remote code execution vulnerability.
The Winbox vulnerability affects MikroTik RouterOS through version 6.42 and could allow a remote attacker to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.
Qihoo 360 also observed that a large number of victims had the Socks4 proxy enabled on their device by a single malicious actor.
The company further discovered that more than 7,500 victim devices were being actively eavesdropped on, with their traffic forwarded to IPs controlled by still-unknown attackers, according to the Qihoo 360 report.
Users are strongly encouraged to update their MikroTik RouterOS promptly and to monitor the HTTP proxy, Socks4 proxy and network traffic capture functions for any malicious activity by remote attackers.
Qihoo 360 also recommends that MikroTik deny inbound access to the Webfig and Winbox ports from the internet and improve its software security update mechanism.
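An added audit script (not from Qihoo 360 or MikroTik) that applies the two recommendations above to an export-style RouterOS configuration dump: it flags an enabled SOCKS or HTTP proxy, a packet sniffer streaming to a remote server, and input-chain firewall rules that accept Winbox or Webfig traffic without any source restriction. The configuration text below is constructed for illustration, and the Winbox (8291) and Webfig (80) port numbers are assumed defaults that the article itself does not state.

```python
import re

# Constructed sample of a RouterOS export-style dump (not from a real device).
SAMPLE_EXPORT = """\
/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes port=4153 version=4
/tool sniffer
set filter-stream=yes streaming-enabled=yes streaming-server=198.51.100.7
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291
add chain=input action=accept protocol=tcp dst-port=80 src-address=192.168.88.0/24
"""

KV_RE = re.compile(r"(\S+?)=(\S+)")          # key=value tokens on a set/add line
MGMT_PORTS = {"8291": "Winbox", "80": "Webfig"}  # assumed default management ports
SRC_LIMITS = ("src-address", "src-address-list", "in-interface", "in-interface-list")

def parse_export(text):
    """Map each '/path' section to the list of key=value dicts under it."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = line[1:]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(dict(KV_RE.findall(line)))
    return sections

def audit(text):
    """Return human-readable findings for the indicators named in the article."""
    cfg = parse_export(text)
    findings = []
    for e in cfg.get("ip socks", []):
        if e.get("enabled") == "yes":
            findings.append(f"SOCKS proxy enabled on port {e.get('port', '?')}")
    for e in cfg.get("ip proxy", []):
        if e.get("enabled") == "yes":
            findings.append(f"HTTP proxy enabled on port {e.get('port', '?')}")
    for e in cfg.get("tool sniffer", []):
        if e.get("streaming-enabled") == "yes":
            findings.append(f"sniffer streaming to {e.get('streaming-server', '?')}")
    for e in cfg.get("ip firewall filter", []):
        port = e.get("dst-port")
        # An accept rule on the input chain with no source restriction exposes the port.
        if (e.get("chain") == "input" and e.get("action") == "accept"
                and port in MGMT_PORTS and not any(k in e for k in SRC_LIMITS)):
            findings.append(f"{MGMT_PORTS[port]} port {port} accepted from any source")
    return findings
```

Run `audit(SAMPLE_EXPORT)` against the output of a device's export to list the findings; a clean device returns an empty list.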