X-Industry

Summary

Mikrotik is a Latvian network-equipment vendor whose routers are popular hardware in many countries.  Beginning in 2018, attackers began exploiting vulnerabilities in Mikrotik routers and brute-forcing their credentials.  Compromised Mikrotik routers have since been leveraged in a host of botnet-related activity and fraud.  Many of the compromised devices were also turned into SOCKS or HTTP proxies and were reported in a number of anonymous proxy lists.

In March 2019, Wapack Labs performed an inventory of the 62,242 anonymous proxy IP addresses reported over the preceding four weeks and identified the majority of them as Mikrotik routers.  This finding highlights the vulnerability of home routers and underscores the proliferation of the Mikrotik botnet.

 

Analysis

In 2018, Radware reported on a new botnet targeting Mikrotik routers.  The botnet propagated by aggressively scanning TCP port 8291, the port for Winbox, the utility that allows remote administration of Mikrotik RouterOS.[1]  Upon identifying a Mikrotik device, the worm attempts the ChimayRed exploit (a stack-based overflow in the RouterOS www service, fixed in RouterOS 6.38.5) against several common HTTP ports.[2]  Since the Radware report, the number of Mikrotik router infections has steadily increased.

From February 4th 2019 to March 2nd 2019, Wapack Labs collected IP addresses of anonymous proxies active during that timeframe.  Out of 62,242 proxy IP addresses, 39,666 (about 64%) were identified as Mikrotik routers.  The true share is probably higher, because identification relied only on existing Shodan scan data;[3] proxies Shodan had not fingerprinted were left unclassified.  Among the compromised Mikrotik proxies, the majority were identified as SOCKS4, HTTP, or both (a device offering both listeners is counted under each type, so the rows below sum to more than 39,666):

Proxy Type       Proxy Count
SOCKS4 proxy     23949
HTTP proxy       20207
SOCKS5H proxy    159
SOCKS5 proxy     72
SOCKS4A proxy    54

 

Numerous ports were observed for the proxies; the two most common were 4145 and 8080, consistent with the SOCKS and web-proxy listeners respectively, as shown in Figure 1.
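To tell a SOCKS4 listener from an HTTP proxy listener in practice you send each protocol's CONNECT request and classify the reply.  The following is an added example, not code from Wapack Labs or from the tools they used: it builds the SOCKS4/SOCKS4a request bytes, parses the 8-byte SOCKS4 reply and the HTTP CONNECT status line, and wraps them in a probe for a host you are authorized to test (the destination 1.1.1.1:80 used as the tunnel target is an assumption; use any address you own instead).

```python
"""
Added example (not from the report): offline builders/parsers for the two
proxy handshakes the report counts most often, SOCKS4 (port 4145 in the data)
and HTTP CONNECT (port 8080), plus a live probe() that wires them to a socket.
"""
import socket
import struct

SOCKS4_GRANTED = 0x5A            # CD=90: request granted
SOCKS4_REJECTED = {0x5B, 0x5C, 0x5D}   # CD=91..93: rejected / identd failures


def build_socks4_connect(dst_ip: str, dst_port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    return struct.pack("!BBH4s", 4, 1, dst_port, socket.inet_aton(dst_ip)) + user_id + b"\x00"


def build_socks4a_connect(hostname: str, dst_port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4a: DSTIP of 0.0.0.x signals that a NUL-terminated hostname follows USERID."""
    return (struct.pack("!BBH4s", 4, 1, dst_port, b"\x00\x00\x00\x01")
            + user_id + b"\x00" + hostname.encode() + b"\x00")


def parse_socks4_reply(data: bytes) -> str:
    """Classify the 8-byte SOCKS4 reply: VN must be 0, CD 90 means granted."""
    if len(data) < 8 or data[0] != 0:
        return "not-socks4"          # HTTP servers answer with 'H' (0x48), not 0
    cd = data[1]
    if cd == SOCKS4_GRANTED:
        return "open-socks4"
    if cd in SOCKS4_REJECTED:
        return "socks4-rejected"
    return "not-socks4"


def build_http_connect(host: str, port: int) -> bytes:
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_http_connect_reply(data: bytes) -> str:
    """An open HTTP proxy answers CONNECT with 2xx; 407 means it wants credentials."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "not-http"
    code = parts[1]
    if code.startswith(b"2"):
        return "open-http"
    if code == b"407":
        return "http-auth-required"
    return "http-refused"


def probe(host, port, target_ip="1.1.1.1", target_port=80, timeout=5.0):
    """Live check (network I/O) of one host:port; target_* is the tunnel destination."""
    attempts = (
        ("socks4", build_socks4_connect(target_ip, target_port), parse_socks4_reply),
        ("http", build_http_connect(target_ip, target_port), parse_http_connect_reply),
    )
    results = {}
    for name, request, parse in attempts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(request)
                results[name] = parse(s.recv(1024))
        except OSError as exc:
            results[name] = f"error: {exc}"
    return results
```

Run `probe("192.168.88.1", 4145)` and `probe("192.168.88.1", 8080)` against your own router; an "open-socks4" or "open-http" result on a WAN-facing address is exactly the exposure this report describes.  A SOCKS4 listener that answers 0x5B is still a SOCKS service, just one that refused this request, so treat it as worth investigating too.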

Additional trending on the proxies shows common networks.  Figure 2 shows the distribution of autonomous systems hosting the proxies.  The second most common is AS4134 (No.31, Jin-rong Street, the China Telecom backbone), one of the most prolific ASNs in Spamhaus's botnet statistics.[4]

 

The compromised Mikrotik routers/proxies were observed globally, but some regions were more affected, including South America, Eastern Europe and Asia.  Figure 3 shows the geographic distribution of the Mikrotik proxies.

 

Flow data also exposed traffic from 664 of the routers to 79 Chinese IP addresses on various ports, primarily in the 8160-8175 range.  While unconfirmed, it is possible the Chinese infrastructure is being used in a command-and-control capacity to administer the proxies; the narrow port range and the concentration in a handful of ASNs are consistent with that.  The endpoints with the most proxies connecting are listed below.

 

Possible C2        ASN                                                       Proxies connecting   Ports
123.129.217.115    AS4837 CHINA UNICOM China169 Backbone                     295                  8168, 8165, 8166, 8167
123.129.217.30     AS4837 CHINA UNICOM China169 Backbone                     233                  8160, 8163
123.129.217.200    AS4837 CHINA UNICOM China169 Backbone                     213                  8161, 8165
103.91.209.4       AS4837 CHINA UNICOM China169 Backbone                     189                  8160, 8161, 8162, 8163, 8164, 8165, 8166, 8167
123.129.217.49     AS4837 CHINA UNICOM China169 Backbone                     173                  8170, 8171, 8172, 8173, 8174, 8175
103.60.165.131     AS23650 AS Number for CHINANET jiangsu province backbone  147                  8160, 8161, 8162, 8163
27.159.82.11       AS4134 No.31,Jin-rong Street                              140                  8160, 8161, 8162, 8163
103.91.208.220     AS4837 CHINA UNICOM China169 Backbone                     135                  8160, 8161, 8162, 8163
27.159.67.106      AS4134 No.31,Jin-rong Street                              125                  8160, 8161, 8162, 8163, 8164, 8165

Flow data also revealed multiple connections to what were likely proxy scanners, as well as to multiple mail servers, specifically those of Centrum (centrum.cz / centrum.sk, operated by Economia a.s.), a Czech and Slovak news and media company that offers free webmail.  The volume of mail traffic may indicate mass-mailing campaigns that use Centrum addresses and the Mikrotik proxies to send the email.  Note that several of the endpoints are IMAP rather than SMTP servers, so part of this traffic is mailbox access (for example, validating stolen or newly created accounts) rather than outbound sending.  The most contacted endpoints are listed below:

Endpoint           ASN                                             Proxies connecting   Comment
208.77.20.27       AS11878 tzulo, inc.                             3898                 proxy scanner
68.235.38.39       AS11878 tzulo, inc.                             3724                 proxy scanner
68.235.38.56       AS11878 tzulo, inc.                             3241                 proxy scanner
46.255.231.8       AS43614 Economia a.s.                           3088                 mail-imap-centrumcz.centrum.cz
46.255.231.172     AS43614 Economia a.s.                           3052                 smtp.centrum.sk
46.255.231.94      AS43614 Economia a.s.                           2917                 smtp.centrum.sk
62.149.128.42      AS31034 Aruba S.p.A.                            2480                 imaps.aruba.it
46.255.231.95      AS43614 Economia a.s.                           2402                 smtp.volny.cz
46.255.231.11      AS43614 Economia a.s.                           2185                 mail-imap-centrumsk.centrum.cz
46.255.231.106     AS43614 Economia a.s.                           1897                 atlas-redir.centrum.cz
46.255.231.36      AS43614 Economia a.s.                           1677                 mailxx.centrum.cz
162.212.152.211    AS11878 tzulo, inc.                             1519                 proxy scanner
46.255.231.87      AS43614 Economia a.s.                           1495                 srch-cz-fe.centrum.cz
62.149.128.72      AS31034 Aruba S.p.A.                            1366                 mxd4.aruba.it
47.88.146.98       AS45102 Alibaba (China) Technology Co., Ltd.    1362                 extranet.airasia.com
46.255.231.9       AS43614 Economia a.s.                           1350                 mail-imap-volnycz.centrum.cz
31.13.95.36        AS32934 Facebook, Inc.                          1309                 facebook
149.62.168.145     AS50926 Infortelecom Hosting S.L.               1306                 pleskl38.axarnet.es
46.255.231.10      AS43614 Economia a.s.                           1304                 mail-imap-centrumcz.centrum.cz

 

 

Conclusion

Anonymous proxies are a popular tool for many cybercriminals because they obscure the true source of traffic.  The Mikrotik routers supplied by the expanding botnet are ideal proxy candidates: there are a growing number of them and they are geographically diverse.  The Mikrotik botnet shows no signs of slowing down, because home routers are rarely patched.  Users typically have to install RouterOS updates manually, so many devices never receive security fixes.  Owners of these routers should confirm that the SOCKS and web-proxy services are disabled, restrict Winbox and www access to the local network, and upgrade RouterOS to a version that includes the ChimayRed fix.
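The check a router owner or a responder wants is a quick audit of the RouterOS configuration for the exposure described above.  The following is an added example, not from the report or from Mikrotik: it parses a `/export` dump and flags an enabled `/ip socks` or `/ip proxy` service and management services without an `address=` restriction.  The two export excerpts are constructed (the weak one reflects the SOCKS-on-4145 and proxy-on-8080 pattern seen in the data); the section and attribute names are RouterOS's own.

```python
"""
Added example (not from the report): audit a RouterOS `/export` dump for the
open SOCKS / HTTP-proxy listeners and unrestricted management services that
turned the routers in this report into anonymous proxies.
"""
import re

# Constructed `/export` excerpt from a router configured the way the compromised
# devices behaved: SOCKS on 4145, web proxy on 8080, www and Winbox open to any
# source address.
WEAK_EXPORT = """\
/ip service
set telnet disabled=yes
set www port=80
set winbox port=8291
/ip socks
set enabled=yes port=4145
/ip proxy
set enabled=yes port=8080
"""

# The corrected configuration: proxies off, management bound to the LAN
# (`address=` limits which source networks may reach the service).
HARDENED_EXPORT = """\
/ip service
set telnet disabled=yes
set www address=192.168.88.0/24 port=80
set winbox address=192.168.88.0/24 port=8291
/ip socks
set enabled=no port=1080
/ip proxy
set enabled=no port=8080
"""

KV = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')
MGMT_SERVICES = {"www", "www-ssl", "winbox", "api", "api-ssl", "ssh"}


def parse_export(text):
    """Return {section: [(target, {attr: value}), ...]}.

    `set <name> k=v ...` configures a named item (a service);
    `set k=v ...` configures the section itself (socks, proxy).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None or not line.startswith("set "):
            continue
        body = line[4:]
        first = body.split(" ", 1)[0]
        target = None
        if "=" not in first:
            target = first
            body = body[len(first):].strip()
        attrs = {k: v.strip('"') for k, v in KV.findall(body)}
        sections[current].append((target, attrs))
    return sections


def audit(text):
    """Return findings as (severity, message) tuples, most severe first."""
    findings = []
    cfg = parse_export(text)
    for section, name in (("/ip socks", "SOCKS proxy"), ("/ip proxy", "HTTP proxy")):
        for _, attrs in cfg.get(section, []):
            if attrs.get("enabled") == "yes":
                findings.append(("high", f"{name} enabled on port {attrs.get('port', '?')}"))
    for target, attrs in cfg.get("/ip service", []):
        if target in MGMT_SERVICES and attrs.get("disabled") != "yes" and "address" not in attrs:
            findings.append(("medium", f"service {target} has no address restriction"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(text) or "no findings")
```

Feed it the output of `/export` saved from the router; an empty finding list is the goal.  Disabling the proxies does not remove an attacker's foothold, so a router that was exposed should also be upgraded and have its credentials changed.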

 

 

[1] https://blog.radware.com/security/2018/03/mikrotik-routeros-based-botnet/

[2] https://github.com/BigNerd95/Chimay-Red/blob/master/POCs/StackClashMIPS_6384.py

[3] https://www.shodan.io/

[4] https://www.spamhaus.org/statistics/botnet-asn/
