Researchers at Qihoo 360 Netlab discovered hackers using vulnerable MikroTik routers to hijack TaZmen Sniffer Protocol traffic and send it to domains under their control. What is TZSP traffic and how are attackers gaining control of routers with this MikroTik router hack?
The TaZmen Sniffer Protocol (TZSP) is an open protocol designed to encapsulate other protocols over the User Datagram Protocol (UDP). This encapsulation protocol is used to capture 802.11 wireless packets to support intrusion detection systems, such as Snort; protocol analyzers, such as Wireshark; wireless tracking; and other wireless applications.
UDP is used to deliver data packets faster than could be done with the TCP because it does not guarantee delivery of the packets transmitted, nor does it guarantee that packets will be delivered in the order in which they were sent.
Researchers at the Chinese cybersecurity company Qihoo 360 Netlab reported that more than 7,500 MikroTik routers worldwide were sending their TZSP sniffer traffic to 10 attacker-controlled IP addresses — one address was taken out of service after the initial research was released.
In the MikroTik router hack, attackers were able to modify a device’s packet sniffing setting in order to forward data to the desired locations — the vulnerability in Winbox for MikroTik RouterOS enabled remote attackers to gain control of vulnerable MikroTik routers in Russia, Iran, Brazil, India and Ukraine. During the MikroTik router hack, attackers were able to bypass authentication and reset the devices’ packet sniffing configurations to redirect traffic to specific locations by modifying a request to change one byte related to a session ID.
Security researchers from Qihoo 360 Netlab reported the attackers used TCP ports 20, 21, 25, 110 and 143 to transmit FTP, Simple Mail Transport Protocol, Post Office Protocol 3 and Internet Message Access Protocol traffic in the MikroTik router hack. These ports were targeted by the MikroTik router hack due to the TCP’s packet delivery guarantee; when TCP traffic is disrupted, the processes using TCP are also disrupted.
For the same ports, UDP — which does not guarantee delivery — doesn’t present the same security issues as long as the TZSP protocol data is correctly tunneled over UDP.
For most of the affected routers of the MikroTik router hack, attackers configured a malicious Socks4 proxy to allow access from the 18.104.22.168/25 IP address block. Attackers then set up a task schedule to report the device’s current IP address to a URL and, on Aug. 27, 2018, port 2008 was used to fetch the 22.214.171.124 IP, compromising TCP and UDP ports.
MikroTik has patched the vulnerability in RouterOS versions 6.40.9, 6.42.7 and 6.43 and recommends that users upgrade to the new versions.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)