Compromised MikroTik devices forwarding traffic to attackers

More than 7,500 MikroTik devices have been compromised by an attacker, NetLab researchers claim. The attacker is able to actively eavesdrop on these users, with their TZSP traffic being forwarded to some collecting IP addresses. The vulnerability the attacker exploited is the known Winbox Any Directory File Read CVE-2018-14847 vulnerability, which was exploited to maliciously enable Socks4 proxy on routers. It was patched by MikroTik in early August, but some users missed the update. Researchers claim that 370,000 MikroTik users are still CVE-2018-14847 vulnerable. It is recommended MikroTik users update their devices and check if the HTTP proxy, Socks4 proxy, and network traffic capture function are being maliciously exploited.