Attacks targeting network infrastructure devices pose a threat to the
security of the internet. An attack targeting such devices can affect an entire
autonomous system. In recent years, malware such as VPNFilter, Navidade, and
SonarDNS has been used to compromise low-cost routers and commit all sorts of
cybercrimes from DDoS attacks to ransomware deployments. Routers of the type
concerned are used both to provide last-mile access for home users and to
manage interdomain routing (BGP). MikroTik is a particular brand of low-cost
router. In our previous research, we found more than 4 million MikroTik routers
available on the internet. We have shown that these devices are also popular in
Internet Exchange infrastructures. Despite their popularity, these devices are
known to have numerous vulnerabilities. In this paper, we extend our previous
analysis by presenting a long-term investigation of MikroTik-targeted attacks.
By using a highly interactive honeypot that we developed, we collected more
than 44 million packets over 120 days, from sensors deployed in Australia,
Brazil, China, India, the Netherlands, and the United States. The incoming
traffic was classified on the basis of Common Vulnerabilities and Exposures to
detect attacks targeting MikroTik devices. That enabled us to identify a wide
range of activities on the system, such as cryptocurrency mining, DNS server
redirection, and more than 3,000 successfully established tunnels used for
eavesdropping. Although this research focuses on Mikrotik devices, both the
methodology and the publicly available scripts can be easily applied to any
other type of network device