Characterising attacks targeting low-cost routers: a MikroTik case study (Extended)
Joao M. Ceron, Christian Scholten, Aiko Pras, Elmer Lastdrager, Jair Santanna

TL;DR
This study provides a comprehensive long-term analysis of attacks on MikroTik low-cost routers, revealing diverse malicious activities and demonstrating a methodology applicable to other network devices.
Contribution
It extends previous research by deploying a highly interactive honeypot to collect and analyze over 44 million packets, identifying attack patterns and vulnerabilities in MikroTik routers.
Findings
Detection of over 3,000 successful tunnels for eavesdropping
Identification of diverse attack activities including cryptocurrency mining and DNS redirection
Wide geographic distribution of attack sources
Abstract
Attacks targeting network infrastructure devices pose a threat to the security of the internet. An attack targeting such devices can affect an entire autonomous system. In recent years, malware such as VPNFilter, Navidade, and SonarDNS has been used to compromise low-cost routers and commit all sorts of cybercrimes from DDoS attacks to ransomware deployments. Routers of the type concerned are used both to provide last-mile access for home users and to manage interdomain routing (BGP). MikroTik is a particular brand of low-cost router. In our previous research, we found more than 4 million MikroTik routers available on the internet. We have shown that these devices are also popular in Internet Exchange infrastructures. Despite their popularity, these devices are known to have numerous vulnerabilities. In this paper, we extend our previous analysis by presenting a long-term investigation…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
