MikroTik Routers Infected in Mass-Scale Coinhive Cryptojacking Campaign
Skybox Blog Team Aug 21, 2018
A massive cryptojacking campaign that targets MikroTik routers and utilizes Coinhive was initially discovered on July 31 and has infected more than 200,000 routers worldwide.
The Coinhive malware started spreading on routers in Brazil and later targeted MikroTik routers in other countries around the globe.
MikroTik Infection Process and Exploit Method
The infection exploited a vulnerability (CVE-2018-14847) in the Winbox component of targeted devices leading to unauthenticated remote admin access to any vulnerable MikroTik router. The infected routers’ configurations was then changed to inject a copy of the Coinhive malware in-browser cryptocurrency mining script in some parts of users’ web traffic. At first the attacker injected the Coinhive script in all the pages served through the router; later, he became more cautious, and only injected the Coinhive script in error pages returned by the routers.
According to Trustwave’s Simon Kenin, this is a step up in the cryptojacking game:
“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end-user computers, he would go straight to the source: carrier-grade router devices.
There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.
This would result in potentially millions of daily pages for the attacker.”
Who’s Behind the MikroTik Attacks?
It is still unclear who is the threat actor behind this campaign. At first it seemed that it is a single threat actor due to the use of one Coinhive key for all of the Coinhive injections. Shortly after, a second Coinhive key was discovered being injected in the traffic of MikroTik routers. It’s also unclear if this second campaign is being orchestrated by another hacker or by the same threat actor who switched to a new key after Trustwave exposed his first operation.
Anyone using a MikroTik router versions through 6.42 who has not applied the vendor’s fix, is vulnerable to this attack.
While this vulnerability was immediately patched by MikroTik in April this year after its disclosure, many devices were never updated to apply the fix. Users should apply the vendor’s fix to upgrade the device’s firmware to stay safe from this threat.
It is important to note that most routers lack the ability to auto-update, and very few users — especially home users — know how or when to patch the firmware on their router.
It should be noted that there are more than 1.7 million MikroTik routers available online! These routers are at considerable risk of getting infected if they are not patched.
Routing Out Risk
For organizations looking to reduce vulnerability risk, the Skybox Threat-Centric Vulnerability Management (TCVM) approach provides a systematic way to discover, prioritize, remediate and oversee vulnerability management. By correlating vulnerabilities in the organization with intelligence of available exploits, exploits packaged in crimeware and active exploits in the wild, organizations can turn their vulnerability occurrence data into actionable intelligence. This data is further contextualized when analyzed in an attack surface model that determines the vulnerable asset’s exposure within the network.
The TCVM approach aligns remediation priorities with risk to the organization rather than generic severity, focusing action on the small percentage of vulnerabilities most likely to be used in an attack against you.
To learn more about TCVM, check out the e-book.
Cryptominers Surpass Ransomware as Most Widespread Cybercrime Malware: Report shows malicious cryptominers and ransomware trading places in attack popularity between the last half of 2017 and first half of 2018
Cryptominers More Lucrative, Lower Risk Than Ransomware: What is cryptomining? What makes it malicious? And why is it becoming the darling of cybercriminals?