News

Cryptocurrency Malware Infects Over 200,000 Mikrotik Routers

Nigel Gambanga · @nigelrtg | Aug 07, 2018 | 00:00

---

A cryptojacking campaign has affected over 200,000 routers made by Mikrotik, the Latvian networking company. 

A Months-Old Vulnerability Exploited

Security researchers recently mapped a series of cryptomining attacks, which initially attacked a large number of users in Brazil to create a growing mining botnet by infecting compromised devices with malware.

According to reports, the devices targetted for the attack were Mikrotik routers which had an outdated software patch.

In April 2018, the company patched a remote access vulnerability which allowed attackers to remotely gain unauthenticated administrative access to the Mikrotik routers.

Some security researchers who reverse engineered Mikrotik’s patch then published a proof-of-concept exploit explaining how to use the recovered vulnerability to access Mikrotik devices.

This information was used to infect the routers with code that loads the CoinHive browser-based cryptomining software.

This happens whenever users accessing the internet through the routers encounter an HTTP error and they are browsing via the Mikrotik proxy.

Coinhive’s Javascript is injected into web pages accessed by users on a compromised router. The users then mine Monero for the attackers without any knowledge.

A Cryptojacking Threat That’s a Global Threat

There have been at least three cryptojacking attacks from this vulnerability that have been noted by researchers so far. The first was recorded in Brazil and it reportedly affected more than 183,700 MikroTik routers.

Two other attacks that affected 16,000 and 25,000 MikroTik routers respectively mainly in Moldova were also recorded by another security researcher.

This indicates that this campaign that isn’t limited to one specific geographic region, which has worried analysts and researchers amid an overall growing trend.

Cryptojacking cases have exploded over the past couple of years and are emerging as one of the primary cybersecurity threats around the world, with cases on the rise even for traditionally safer operating security systems like Linux.

As is always the case around cybersecurity, users are being urged to be vigilant especially when accessing public networks. Analysts in the cybersecurity space have also been very clear; If you have a Mikrotik device apply a patch immediately and update any passwords.

Have you been a victim of the MikroTik router attack or any other cryptocurrency mining hack? Share your experiences in the comments below.

Images courtesy of Mikrotik.com, Shutterstock