Summary
Mikrotik is a Latvian network-equipment vendor whose routers are popular in many countries. Beginning in 2018, attackers began exploiting vulnerabilities in Mikrotik routers as well as brute-forcing their credentials. Compromised Mikrotik routers have since been leveraged in a host of botnet-related activity and fraud. Many of the compromised devices were also turned into SOCKS or HTTP proxies and showed up in a number of anonymous proxy lists.
In March 2019, Wapack Labs performed an inventory of over 62,000 anonymous proxies reported over a several-week period and identified the majority of them as Mikrotik routers. This finding highlights the vulnerability of home routers and underscores the proliferation of the Mikrotik botnet.
Analysis
In 2018, Radware reported on a new botnet targeting Mikrotik routers. The botnet propagated by aggressively scanning port 8291, the port for Winbox, the utility that allows remote administration of Mikrotik RouterOS.[1] Upon identifying a Mikrotik device, the botnet worm attempts the Chimay Red exploit against the RouterOS web service on several common HTTP ports.[2] Since the Radware report, the number of Mikrotik router infections has steadily increased.
From February 4th 2019 to March 2nd 2019, Wapack Labs collected the IP addresses of anonymous proxies active during that timeframe. Out of 62,242 proxy IP addresses, a total of 39,666 (63.7%) were identified as Mikrotik routers. The true percentage may be larger, as Wapack Labs only referenced existing data from Shodan scans and did not scan the addresses itself.[3] Among the compromised Mikrotik proxies, the majority were identified as SOCKS4, HTTP, or both (a single router can expose more than one proxy type, so the counts below sum to more than 39,666):
| Proxy Type | Proxy Count |
|---|---|
| SOCKS4 proxy | 23949 |
| HTTP proxy | 20207 |
| SOCKS5H proxy | 159 |
| SOCKS5 proxy | 72 |
| SOCKS4A proxy | 54 |
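The proxy types in the table above are the labels a scanner assigns by sending a protocol-specific request to the open port and reading the reply. The Python below, an added example rather than Wapack Labs' own tooling, builds the SOCKS4, SOCKS4A and HTTP CONNECT probes, parses the replies, and labels a device from what came back. The sample reply bytes are constructed for the example, and `probe()` performs real network I/O against a host you supply; the hostnames, ports and helper names are assumptions, not values from the report.

```python
import socket
import struct

SOCKS4_GRANTED = 90  # CD value in a SOCKS4 reply meaning "request granted"


def socks4_connect_request(dst_ip, dst_port, user_id=b""):
    """Build a SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    return (struct.pack("!BBH4s", 4, 1, dst_port, socket.inet_aton(dst_ip))
            + user_id + b"\x00")


def socks4a_connect_request(hostname, dst_port, user_id=b""):
    """SOCKS4A variant: DSTIP is 0.0.0.x (x != 0) and the hostname follows the
    USERID terminator, so the proxy resolves the name itself."""
    return (struct.pack("!BBH4s", 4, 1, dst_port, b"\x00\x00\x00\x01")
            + user_id + b"\x00" + hostname.encode("ascii") + b"\x00")


def parse_socks4_reply(data):
    """Return (granted, code) from an 8-byte SOCKS4 reply, or None if the
    bytes are not a SOCKS4 reply at all (reply version byte must be 0)."""
    if len(data) < 8:
        return None
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        return None
    return (cd == SOCKS4_GRANTED, cd)


def http_connect_request(host, port):
    """Plain HTTP CONNECT tunnel request, as an HTTP proxy expects it."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def http_connect_succeeded(data):
    """True if the first line is an HTTP status line carrying a 2xx code."""
    status = data.split(b"\r\n", 1)[0].split()
    return (len(status) >= 2 and status[0].startswith(b"HTTP/")
            and status[1].isdigit() and status[1].startswith(b"2"))


def classify(socks4_reply, socks4a_reply, http_reply):
    """Label a device from the raw replies to the three probes."""
    kinds = set()
    r4 = parse_socks4_reply(socks4_reply)
    if r4 and r4[0]:
        kinds.add("SOCKS4")
    r4a = parse_socks4_reply(socks4a_reply)
    if r4a and r4a[0]:
        kinds.add("SOCKS4A")
    if http_connect_succeeded(http_reply):
        kinds.add("HTTP")
    return kinds


def probe(host, port, payload, timeout=5.0):
    """Send one probe to a live host and return whatever came back.
    Network I/O: only run against addresses you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


# Constructed replies standing in for a responding device (not captured traffic).
SAMPLE_SOCKS4_OK = b"\x00\x5a\x00\x00\x00\x00\x00\x00"      # CD=90, granted
SAMPLE_SOCKS4_REJECT = b"\x00\x5b\x00\x00\x00\x00\x00\x00"  # CD=91, rejected
SAMPLE_HTTP_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_HTTP_DENY = b"HTTP/1.1 403 Forbidden\r\n\r\n"

if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    print(classify(SAMPLE_SOCKS4_OK, SAMPLE_SOCKS4_REJECT, SAMPLE_HTTP_OK))
    # Live use (assumed target and relay destination; replace with hosts you control):
    # r = probe("192.0.2.1", 4145, socks4_connect_request("198.51.100.10", 80))
    # print(parse_socks4_reply(r))
```

A granted SOCKS4 reply or a 2xx to CONNECT means the device actually relayed to the destination you named, so point the probes at a listener you control and confirm the inbound connection arrives from the router's address; a router that answers both the SOCKS4 and the HTTP probe is what produces the "both" rows in the table.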
Numerous ports were observed for the proxies, but the two most common were 4145 and 8080, as shown in Figure 1.
Additional trending on the proxies shows that they cluster in a handful of networks. The following image shows the distribution of autonomous systems hosting the proxies. The second most common is AS4134 (No.31, Jin-rong Street, the CHINANET backbone), which is one of the most prolific ASNs seen across botnet activity.[4]
The compromised Mikrotik routers/proxies were observed globally, but some regions were more heavily affected, including South America, Eastern Europe and Asia. Figure 3 shows the geographic distribution of the Mikrotik proxies.
Flow data exposed interesting traffic to 79 Chinese IP addresses. A total of 664 of the routers were observed connecting to these addresses on various ports, primarily in the 8160-8175 range. While unconfirmed, it is possible the Chinese infrastructure is used in a command-and-control capacity to administer the proxies. The most-contacted endpoints are listed below:
| Possible C2s | ASN | Proxies connecting | Ports |
|---|---|---|---|
| 123.129.217.115 | AS4837 CHINA UNICOM China169 Backbone | 295 | 8168, 8165, 8166, 8167 |
| 123.129.217.30 | AS4837 CHINA UNICOM China169 Backbone | 233 | 8160, 8163 |
| 123.129.217.200 | AS4837 CHINA UNICOM China169 Backbone | 213 | 8161, 8165 |
| 103.91.209.4 | AS4837 CHINA UNICOM China169 Backbone | 189 | 8160, 8161, 8162, 8163, 8164, 8165, 8166, 8167 |
| 123.129.217.49 | AS4837 CHINA UNICOM China169 Backbone | 173 | 8170, 8171, 8172, 8173, 8174, 8175 |
| 103.60.165.131 | AS23650 AS Number for CHINANET jiangsu province backbone | 147 | 8160, 8161, 8162, 8163 |
| 27.159.82.11 | AS4134 No.31,Jin-rong Street | 140 | 8160, 8161, 8162, 8163 |
| 103.91.208.220 | AS4837 CHINA UNICOM China169 Backbone | 135 | 8160, 8161, 8162, 8163 |
| 27.159.67.106 | AS4134 No.31,Jin-rong Street | 125 | 8160, 8161, 8162, 8163, 8164, 8165 |
Flow data also revealed multiple connections to what were likely proxy scanners, as well as to multiple mail servers, specifically those of Centrum, a Czech and Slovak web portal and free-mail provider (hosted by Economia a.s.). The volume of mail traffic, to both SMTP and IMAP front-ends, may indicate mass-mailing campaigns that use Centrum addresses and the Mikrotik proxies to send the email, see below:
| Endpoint | ASN | Proxies connecting | Comment |
|---|---|---|---|
| 208.77.20.27 | AS11878 tzulo, inc. | 3898 | proxy scanner |
| 68.235.38.39 | AS11878 tzulo, inc. | 3724 | proxy scanner |
| 68.235.38.56 | AS11878 tzulo, inc. | 3241 | proxy scanner |
| 46.255.231.8 | AS43614 Economia a.s. | 3088 | mail-imap-centrumcz.centrum.cz |
| 46.255.231.172 | AS43614 Economia a.s. | 3052 | smtp.centrum.sk |
| 46.255.231.94 | AS43614 Economia a.s. | 2917 | smtp.centrum.sk |
| 62.149.128.42 | AS31034 Aruba S.p.A. | 2480 | imaps.aruba.it |
| 46.255.231.95 | AS43614 Economia a.s. | 2402 | smtp.volny.cz |
| 46.255.231.11 | AS43614 Economia a.s. | 2185 | mail-imap-centrumsk.centrum.cz |
| 46.255.231.106 | AS43614 Economia a.s. | 1897 | atlas-redir.centrum.cz |
| 46.255.231.36 | AS43614 Economia a.s. | 1677 | mailxx.centrum.cz |
| 162.212.152.211 | AS11878 tzulo, inc. | 1519 | proxy scanner |
| 46.255.231.87 | AS43614 Economia a.s. | 1495 | srch-cz-fe.centrum.cz |
| 62.149.128.72 | AS31034 Aruba S.p.A. | 1366 | mxd4.aruba.it |
| 47.88.146.98 | AS45102 Alibaba (China) Technology Co., Ltd. | 1362 | extranet.airasia.com |
| 46.255.231.9 | AS43614 Economia a.s. | 1350 | mail-imap-volnycz.centrum.cz |
| 31.13.95.36 | AS32934 Facebook, Inc. | 1309 | |
| 149.62.168.145 | AS50926 Infortelecom Hosting S.L. | 1306 | pleskl38.axarnet.es |
| 46.255.231.10 | AS43614 Economia a.s. | 1304 | mail-imap-centrumcz.centrum.cz |
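The possible-C2 table and the endpoint table above are two views of the same operation: take flow records, keep only those whose source is an inventoried Mikrotik proxy, and count distinct proxies per destination along with the ports they used. The Python below reproduces that aggregation and the "possible C2" filter (many distinct proxies, only ports inside the 8160-8175 cluster) over a handful of constructed flow records. It is an added example, not Wapack Labs' pipeline; the TEST-NET addresses, the two-proxy threshold and the function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample inventory: sources a Shodan-style lookup tagged as Mikrotik
# (TEST-NET addresses; not real devices).
MIKROTIK_PROXIES = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}

# Constructed flow records as (src_ip, dst_ip, dst_port); not real telemetry.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.1", 8160),
    ("192.0.2.11", "203.0.113.1", 8163),
    ("192.0.2.12", "203.0.113.1", 8160),
    ("192.0.2.10", "203.0.113.1", 8160),    # repeat flow from the same proxy
    ("192.0.2.10", "203.0.113.2", 8170),
    ("192.0.2.13", "203.0.113.2", 8175),
    ("192.0.2.11", "203.0.113.9", 443),     # ordinary web traffic
    ("192.0.2.12", "203.0.113.9", 443),
    ("192.0.2.13", "203.0.113.3", 25),      # a single proxy talking SMTP
    ("198.51.100.5", "203.0.113.1", 8160),  # source not in the inventory
]

# Port cluster the report associates with the suspected controllers.
C2_PORTS = range(8160, 8176)


def aggregate_by_endpoint(flows, proxies):
    """Per destination, the set of distinct known-proxy sources that reached it
    and the set of destination ports they used. Repeat flows collapse because
    the table counts proxies, not connections."""
    by_dst = defaultdict(lambda: {"proxies": set(), "ports": set()})
    for src, dst, dport in flows:
        if src not in proxies:
            continue  # only traffic originating from inventoried proxies counts
        by_dst[dst]["proxies"].add(src)
        by_dst[dst]["ports"].add(dport)
    return by_dst


def find_possible_c2(flows, proxies, ports=C2_PORTS, min_proxies=2):
    """Destinations that at least min_proxies distinct proxies reach, using
    nothing but the suspect port cluster; most-contacted first."""
    rows = []
    for dst, info in aggregate_by_endpoint(flows, proxies).items():
        if len(info["proxies"]) < min_proxies:
            continue
        if not info["ports"] <= set(ports):
            continue  # any port outside the cluster disqualifies the endpoint
        rows.append({"endpoint": dst,
                     "proxies_connecting": len(info["proxies"]),
                     "ports": sorted(info["ports"])})
    rows.sort(key=lambda r: (-r["proxies_connecting"], r["endpoint"]))
    return rows


def proxies_contacting(flows, proxies, endpoints):
    """Distinct proxies that contacted any of the given endpoints
    (the report's '664 routers' style figure)."""
    targets = set(endpoints)
    return {src for src, dst, _ in flows if src in proxies and dst in targets}


if __name__ == "__main__":
    cands = find_possible_c2(SAMPLE_FLOWS, MIKROTIK_PROXIES)
    for row in cands:
        print(f"{row['endpoint']:<15} {row['proxies_connecting']:>3}  {row['ports']}")
    touched = proxies_contacting(SAMPLE_FLOWS, MIKROTIK_PROXIES,
                                 [r["endpoint"] for r in cands])
    print(f"{len(touched)} of {len(MIKROTIK_PROXIES)} inventoried proxies reached a candidate")
```

The port-exclusivity rule is what keeps busy shared destinations such as the mail and scanner endpoints out of the C2 list even though thousands of proxies touch them; loosen it to a majority-of-ports test if a controller also serves ordinary traffic.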
Conclusion
Anonymous proxies are a popular tool for cybercriminals because they obscure the true source of traffic. The Mikrotik routers supplied by the expanding botnet are ideal candidates for proxies because they are numerous and geographically diverse. The Mikrotik botnet shows no signs of slowing down, since routers are far less likely to be patched than home computers: users typically have to install router firmware updates manually, so many devices never receive security patches.
References
[1] https://blog.radware.com/security/2018/03/mikrotik-routeros-based-botnet/
[2] https://github.com/BigNerd95/Chimay-Red/blob/master/POCs/StackClashMIPS_6384.py
[4] https://www.spamhaus.org/statistics/botnet-asn/