Thousands of MikroTik routers have been hijacked through CVE-2018-14847, a known vulnerability in the MikroTik RouterOS operating system. The flaw lies in Winbox, the RouterOS administration utility that also provides a GUI for router configuration.
Version 6.42 of the OS “allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID,” according to NIST.
Researchers from 360 Netlab say that out of over five million devices with an open TCP/8291 port online, 1.2 million are MikroTik routers, of which 370,000 remain unpatched against CVE-2018-14847.
Since mid-July, the Anglerfish honeypot system has been picking up malware exploiting the MikroTik CVE-2018-14847 vulnerability to perform various malicious activities. Some of this activity, such as the injection of CoinHive mining code, has also been spotted by other security researchers.
Winbox for MikroTik RouterOS through 6.42 allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.
To stop the ongoing attack, router owners should update RouterOS on the device. Owners can also disable the SOCKS proxy on the router, although this requires accessing the device's command-line interface.
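The mitigation steps above, written out as an added RouterOS CLI example (not from the original article or from MikroTik); it assumes a management subnet of 192.168.88.0/24 and the default "WAN" interface list, so adjust both to your own network.

```routeros
# --- 1. Check the running version and apply the RouterOS update ---
# CVE-2018-14847 affects Winbox on RouterOS through 6.42, so anything at
# or below that version needs the upgrade.
/system resource print
/system package update check-for-updates
/system package update install

# --- 2. Inspect and disable the SOCKS proxy ---
# A SOCKS proxy left enabled by the intrusion turns the router into a relay;
# confirm it is off and clear any access rules that were added.
/ip socks print
/ip socks set enabled=no
/ip socks access print
/ip socks access remove [find]

# --- 3. Stop exposing Winbox (TCP/8291) to the internet ---
# Weak setting: Winbox reachable from any address (address="" in /ip service).
# Hardened setting: restrict Winbox to the management subnet only.
/ip service print
/ip service set winbox address=192.168.88.0/24

# Belt and braces: drop inbound Winbox connections arriving on WAN interfaces.
# Assumes the default "WAN" interface list exists on this router.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    in-interface-list=WAN action=drop \
    comment="Block Winbox from the internet (CVE-2018-14847 exposure)"

# --- 4. Look for persistence left behind by the intrusion ---
# Review scheduler entries and scripts that you did not create yourself.
/system scheduler print
/system script print
```

After updating, re-run `/system resource print` to confirm the new version, and change the admin password, since the bug allowed credential files to be read before the patch.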