MikroTik routers abused by CoinHive code for cryptocurrency mining

MikroTik routers abused by CoinHive code for cryptocurrency mining

Cybercriminals use different methods to achieve their goal of enriching themselves at someone else’s expense. In 2017, they actively employed ransomware. There’re also browser redirect programs, adware and other threats that help them get what they want. Spam is not out of bounds for them either – as a matter of fact, they increased its usage as of late. And there’s also the cryptocurrency mining, which is their new go-to tactic nowadays. The latest chapter in this saga is MikroTik routers and networking devices being attacked in Brazil so that their resources could be turned into profit.

According to Trustwave researcher Simon Kenin, it began on July 31. The CoinHive code was detected as being very active and the massive mining process then was underway. MikroTik is a company that’s located in Latvia and has a large customer base around the world. As was mentioned above, Brazil is the country that has been put under fire this time and the aforementioned CoinHive code has affected all of the devices it targeted. We should point out that in itself, Coinhive is a totally legitimate software which is used by websites to employ the CPU power for a certain period of time and mine cryptocurrency called Monero.

However, it’s not uncommon for con artists to abuse something like this for their personal gain. As a result, many security programs now recognize this script as threatening and don’t allow it to be launched if detected. As far as this particular situation goes, an approximate number of the devices compromised amounts to 175,000. The security researcher Troy Mursch also adds that there’s a second sitekey, which is in use by roughly 25,000 routers. There’re signs pointing to the same person being responsible for both of those sitekeys, so the total estimated amount is around 200,000 devices.

The link between the Coinhive’s spike in activity and MikroTik wasn’t easy to find and it took some time before it was. However, two clues were eventually discovered that have helped make that connection. The compromised MikroTik router was traced back to a Brazilian hospital and a person has also posted about experiencing the similar problem on Reddit at around the same time. That user said that every visited site injected the Coinhive code and changing the DNS, as well as removing the router didn’t solve the issue.

Per Troy Mursch, “at this point, it’s worth noting that MikroTik routers are used by Internet providers and big organizations, and in this case, it seems that the Reddit post’s author’s ISP had their router compromised, same as the router of the hospital I mentioned earlier in the post” (referring to his blog post on the matter). MalwareHunter have also tweeted out a message mentioning MikroTik devices being massively abused. And this wasn’t an event that happened by chance – a known security bug CVE-2018-14847, which affects Winbox for MikroTik RouterOS, is to blame for that. Through version 6.42 of the software, remote attackers are able to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID, according to the vulnerability description.

To their credit, MikroTik did patch that bug and did so within a day of discovery, dating back to April. However, lots of the sold devices haven’t been updated by system administrators and that gave cybercriminal(s) a perfect opportunity to strike. The Coinhive script was made a part of every site that the users of the affected devices went to and nothing stopped the mining process from commencing after that. Simon Kenin adds that “the attacker is clearly showing a high level of understanding of how these MikroTik routers work.”

He also says that the exploit script used here allows the attacker(s) to gain administrator access over the targeted routers and install a custom page that loads up whenever there’s an error. The page contains the code that makes it possible to use the device’s resources to mine cryptocurrency and then transfer it to a required address. Even though Brazil was the country that suffered the most because of this, there were several attacks in other places, albeit on a lesser scale.

This is another reminder of how important it is to always have the latest security updates installed. If they aren’t, the door is pretty much open for con artists to break in and they aren’t likely to pass an opportunity to make extra money. The Mirai IoT botnet is one of the examples of that – it was able to abuse consumer home devices that were unprotected and the consequences of this were terrible. The further the viruses are kept away from the devices, the better. The key to that is caution and careful attention to security – essential safety measures.


Please enter your comment!
Please enter your name here