Article 3Y5P1 Unpatched routers being used to build vast proxy army, spy on networks

by
Sean Gallagher
from Ars Technica - All content on (#3Y5P1)
Researchers at China's Netlab 360 have discovered that thousands of routers manufactured by the Latvian company MikroTik have been compromised by malware attacking a vulnerability revealed in April. While MikroTik posted a software update for the vulnerability in April, researchers found that more than 370,000 MikroTik devices they identified on the Internet were still vulnerable. The attack comes after a previous wave based on a vulnerability made public by WikiLeaks' publication of tools from the CIA's "Vault7" toolkit.

According to a report by Netlab 360's Genshen Ye, more than 7,500 of the devices are being spied on by attackers, who are actively forwarding full captures of their network traffic to a number of remote servers. Additionally, 239,000 of the devices have been turned into SOCKS 4 proxies accessible from a single, small Internet address block.

MikroTik provides routing and wireless hardware for Internet service providers and businesses worldwide, including ISP and campus network infrastructure such as outdoor fiber routers and wireless backbones. The vulnerable routers discovered by Netlab 360, still configured with an unpatched interface for the company's Winbox router configuration utility, are widely distributed, but the largest concentrations of affected networks were in Brazil and Russia. There were 14,000 devices identified operating with US-based IP addresses.

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/