Mikrotik routers pwned en masse, send network data to mysterious box
More than 7,500 Mikrotik routers have been compromised with malware that logs and transmits network traffic data to an unknown control server.
This according to researchers from 360 Netlab, who found the routers had all been taken over via an exploit for CVE-2018-14847, a vulnerability first disclosed in the Vault7 data dump of supposed CIA hacking tools.
Since mid-July, Netlab says, attackers have been looking to exploit the flaw and enlist routers to do things like force connected machines to mine cryptocurrency, and, in this case, forward their details on traffic packets to a remote server. “At present, a total of 7,500 MikroTik RouterOS device IPs have been compromised by the attacker and their TZSP traffic is being forwarded to some collecting IP addresses,” the researchers explain.