The hacker group used the infected MikroTik router to capture user traffics

Earlier, Trustwave discovered that Latvia’s router brand MikroTik was used by hacker groups to form botnets due to security breaches. The total number of infected MikroTik routers has exceeded 200,000 units, but in fact, half a year manufacturers have released firmware to fix the vulnerability. Too many users have not yet upgraded to the latest firmware, which makes the hacker network controlled by the hacker group increasingly larger.

Mining has an unexpected situation:

Initially, the hacker group hijacked all access and then loaded online mining code, such as the use of infected MikroTik in the enterprise then all employees were hijacked.

That is, as long as the user visits any website through MikroTik, the mining code will be inserted, which provides the hacker group with a continuous stream of computing power for mining Monero.

But I never imagined that the hacker seemed to have an accident when configuring the mining script. This accident caused the hacker-configured mining script to be unable to connect to the Internet.

This is the case: hackers use CoinHive’s online mining script, but hackers also configure ACL proxy lists on the route for controlling access.

The accident occurred in the ACL proxy list configured by the hacker. Its ACL intercepted the CoinHive code used by the hacker due to configuration errors.

 

Hackers who failed mining failed to monitor users:

According to the latest monitoring data from Qihoo Labs, the hacker group is now starting to configure agents at MikroTik to forward user traffic to their servers.

Image: Qihoo Labs

That is, any data accessed by any user of the user passes through the hacker’s server so that the hacker can see all the private content of all users.

But the specific purpose of this behaviour of hackers is still unclear because monitoring the data of the vast majority of ordinary users do not produce much actual revenue.

MikroTik users, please check the routing proxy settings:

If you are using a MikroTik router, please go to the router management interface to check for updates immediately. If there is a new version, upgrade to the latest version immediately.

At the same time, the user should check whether the proxy settings of the router are standard. Under normal circumstances, the proxy settings should be empty, and there is no configured data.

If a hacker has monitored it, the SOCK4 configuration information will appear in the proxy settings. If you see such information, please clear and save the router and restart the router.