• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

SonicWall warns customers to reset credentials after MySonicWall backups were exposed

 | 

CVE-2025-10585 is the sixth actively exploited Chrome zero-day patched by Google in 2025

 | 

Jaguar Land Rover will extend its production halt into a third week following a cyberattack

 | 

China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy

 | 

Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

 | 

DoJ resentenced former BreachForums admin to three years in prison

 | 

Apple backports fix for actively exploited CVE-2025-43300

 | 

New supply chain attack hits npm registry, compromising 40+ packages

 | 

Cybercrime group accessed Google Law Enforcement Request System (LERS)

 | 

China-linked Mustang Panda deploys advanced SnakeDisk USB worm

 | 

Insider breach at FinWise Bank exposes data of 689,000 AFF customers

 | 

Hackers steal millions of Gucci, Balenciaga, and Alexander McQueen customer records

 | 

Fairmont Federal Credit Union 2023 data breach impacted 187K people

 | 

UK ICO finds students behind majority of school data breaches

 | 

INC ransom group claimed the breach of Panama’s Ministry of Economy and Finance

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 62

 | 

Security Affairs newsletter Round 541 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

ShinyHunters Attack National Credit Information Center of Vietnam

 | 

FBI warns of Salesforce attacks by UNC6040 and UNC6395 groups

 | 

HybridPetya ransomware bypasses UEFI Secure Boot echoing Petya/NotPetya

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Internet of Things
  • Experts warn of 7,500+ MikroTik Routers that are hijacking owners’ traffic

Experts warn of 7,500+ MikroTik Routers that are hijacking owners’ traffic

Pierluigi Paganini September 04, 2018

The security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously

Earlier August, experts uncovered a massive crypto jacking campaign that was targeting  MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.

The campaign started in Brazil, but it is rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.

Now experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously, allowing attackers to hijack the traffic of the hacked devices.

“What’s more, we have observed massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.” reads the analysis published by Qihoo 360 Netlab. 

“More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.”

According to the researchers, since Mid-July the hackers are exploiting the CVE-2018-14847 vulnerability in MikroTik routers to carry out the attacks.

The CVE-2018-14847 flaw was first revealed by WikiLeaks as part of the CIA Vault7 dump, the code for the exploitation of the issue was included in the hacking tool Chimay Red.

The Chimay Red hacking tool leverages 2 exploits, the Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.

Communication ports associated with the Winbox and Webfig are TCP/8291, TCP/80, and TCP/8080.

The researchers scanned the Internet for vulnerable devices, they found more than 5,000K devices with open TCP/8291 port, and 1,200k of them are Mikrotik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable.

Summarizing, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because owners have not updated them.

Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.

Mikrotik routers vulnerable

 

Netlab experts have detected a malware exploiting the CVE-2018-14847 vulnerability in the Mikrotik routers to perform a broad range of malicious activities, including traffic hijacking and CoinHive mining code injection.

The analysis shared by the experts includes the attack scenarios.

  • CoinHive Mining Code Injection

Once enabled the Mikrotik RouterOS HTTP proxy, the attackers hijack the HTTP proxy requests to a local HTTP 403 error page which injects a link for web mining code from Coinhive. Anyway the mining code used in this way cannot work because all the external web resources, including coinhive.com ones, are blocked by the proxy ACLs set by attackers themselves.”

  • Maliciously Enabling Sock4 Proxy

The attackers enabled the Socks4 port or TCP/4153 on victims device, in this way the attacker gain persistence on the router even after it has been rebooted (IP change) by periodically reporting its latest IP address to the attacker’s URL.

“a total of 239K IPs are confirmed to have Socks4 proxy enabled maliciously. The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 95.154.216.128/25.” states the report

“In order for the attacker to gain control even after device reboot(ip change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL.”

Experts pointed out that all the 239,000 IP addresses only allow access from 95.154.216.128/25, actually mainly from the 95.154.216.167 address.

  • Eavesdropping

The MikroTik RouterOS devices to capture packets on the router and forward them to the specified Stream server, this feature could be abused by attackers to forward the traffic to IP addresses controlled by them. Experts noticed that a significant number of devices have their traffic going to the 37.1.207.114 IP.

Don’t waste time, update the MikroTik devices and also check if the HTTP proxy, Socks4 proxy, and network traffic capture function are being abused by attackers.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MikroTik routers, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

CVE-2018-14847 Hacking MikroTik Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini September 18, 2025
SonicWall warns customers to reset credentials after MySonicWall backups were exposed
Read more
Pierluigi Paganini September 18, 2025
Jaguar Land Rover will extend its production halt into a third week following a cyberattack
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    SonicWall warns customers to reset credentials after MySonicWall backups were exposed

    Data Breach / September 18, 2025

    CVE-2025-10585 is the sixth actively exploited Chrome zero-day patched by Google in 2025

    Uncategorized / September 18, 2025

    Jaguar Land Rover will extend its production halt into a third week following a cyberattack

    Security / September 18, 2025

    China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy

    APT / September 17, 2025

    Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

    Cyber Crime / September 17, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT