Researchers at China's Netlab 360 have discovered that thousands of routers manufactured by the Latvian company MikroTik have been compromised by malware attacking a vulnerability revealed April. While MikroTik posted a software update for the vulnerability in April, researchers found that more than 370,000 MikroTik devices they identified on the Internet were still vulnerable. The attack comes after a previous wave based on a vulnerability made public by WikiLeaks' publication of tools from the CIA's "Vault7" toolkit.

According to a report by Netlab 360's Genshen Ye, more than 7,500 of them are actively being spied on by attackers, who are actively forwarding full captures of their network traffic to a number of remote servers. Additionally, 239,000 of the devices have been turned into SOCKS 4 proxies accessible from a single, small Internet address block.

MikroTik provides routing and wireless hardware for Internet service providers and businesses worldwide, including ISP and campus network infrastructure such as outdoor fiber routers and wireless backbones. The vulnerable routers discovered by Netlab 360, still configured with an unpatched interface for the company's Winbox router configuration utility, are widely distributed—but the largest concentrations of affected networks were in Brazil and Russia. There were 14,000 devices identified operating using US-based IP addresses.

Previously, researchers at Trustwave had discovered two malware campaigns against MikroTik routers based on an exploit reverse-engineered from a tool in the Vault7 leak—the first originally targeting routers in Brazil with CoinHive malware. The attack injected the Coinhive JavaScript into an error page presented by the routers' Web proxy server—and redirected all Web requests from the network to that error page. However, in routers affected by this type of malware found by the Netlab 360 team, the attackers had shot themselves in the foot. "All the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs (access control lists) set by attackers themselves," noted Ye.

Another attack discovered by the Netlab 360 team has turned affected routers into a malicious proxy network, using the SOCKS4 protocol over a very non-standard TCP port (4153). "Very interestingly, the Socks4 proxy config only allows access from one single net-block, 95.154.216.128/25," Ye wrote. Almost all of the traffic is going to 95.154.216.167, an address associated with a hosting service in the United Kingdom.

The attack includes the addition of a scheduled task to report the router's IP address back to the attacker to help maintain the persistence of the SOCKS proxy if the router is rebooted. It's not clear what the proxies are being collected for, but they're currently being used to continuously scan for other vulnerable routers.

The eavesdropping attack leverages MikroTik's built-in packet-sniffing capabilities. The sniffer, which uses the TZSP protocol, can send a stream of packets to a remote system using Wireshark or other packet capture tools. The Netlab 360 team found that more than 7,500 routers that had been compromised were streaming network traffic—largely FTP and email focused traffic, as well as some traffic associated with network management—to a small number of addresses. The vast majority of the streams (5,164 of them) were being sent to an address associated with an ISP in Belize.