Over the last two months, the Bad Packets LLC team has been monitoring over 80 unique cryptojacking campaigns targeting vulnerable MikroTik routers. The latest statistics available from Censys and Shodan confirm hundreds of thousands devices remain compromised.

These MikroTik routers are being compromised by miscreants exploiting CVE-2018-14847, a critical vulnerability that affects all versions of RouterOS through 6.42. A patch was issued earlier this year by MikroTik, however the latest statistics (above) reveal device owners and network operators have chosen not to apply it.

Ali Mosajjal provides an excellent discussion of this vulnerability and how it’s exploited here. Another post, by Simon Kenin, explains how the first cryptojacking campaigns targeted over a 170,000 MikroTik routers in Brazil alone. Kenin described it best when he stated:

“Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices.’

Despite the warnings from Mosajjal and Kenin, numerous MikroTik routers worldwide remain compromised. Looking strictly at Coinhive infections alone, we clearly see the unfortunate truth.

Looking for compromised #MikroTik routers worldwide?

They're easy to locate with these Censys and Shodan queries. Censys: 178,380 hosts found — https://t.co/1CJ9bk2HIz

Shodan: 179,143 hosts found — https://t.co/kmiNuxK0Ee pic.twitter.com/91R4J4Xryn — Bad Packets Report (@bad_packets) September 27, 2018

However, Coinhive isn’t the only type of cryptojacking malware being injected via these compromised routers. Looking at all the campaigns noted in the MikroTik Cryptojacking Campaigns spreadsheet, we find some interesting contenders.

While Coinhive is used in the vast majority of cryptojacking campaigns, it is not used by the largest campaign. Instead, CoinImp is used in a campaign consisting of 115,000 MikroTik routers, per the latest Censys results. A large share of compromised devices are found on the network of two service providers in Iran, AS59566 and AS56616.

In this campaign, CoinImp is injected via https://srcip[.]com/src.js which embeds an iframe pointing to https://srcip[.]com/js.html which contains the cryptocurrency mining JavaScript code.

Twitter user @VriesHd raises a good point that despite clear evidence, no AV company has flagged the domain or URL as malicious. Fortunately, users of the CoinBlockerLists are protected as all domains mentioned in this post and the IOC spreadsheet are included.

Here's something I can't understand; A single cryptojacking campaign targeting Mikrotik routers is allowed to infect 100.000+ routers worldwide, yet barely any AV-company seems to care about the domain, the files or the infections. No blogs. Nothing. srcip[.]com is free to go…. pic.twitter.com/LVc8j2bEMr — Kira 2.0 (@VriesHd) September 18, 2018

Another cryptojacking campaign seemingly running rampant was discovered earlier in September.

In this case, the cryptojacking malware appears to be injecting MinerAlt, a service that mines CryptoNight coins (Monero, Electroneum, etc.) while taking 30% of the revenue of their users. Unlike Coinhive, the websocket traffic is not in plain text (shown in tweet above).

Infected routers in this campaign are configured to throttle the CPU usage of the victims’ devices in a likely attempt to reduce detection. In the example shown below, the amount of CPU power used for mining cryptocurrency is roughly 80%.

United States cryptojacking campaigns

Looking specifically at compromised MikroTik routers in the United States, a few troubling cryptojacking campaigns were found. On August 25, nearly 3,000 compromised routers with IP addresses assigned to Cogent Communications were located on Censys.

Almost a month later, another surprising cryptojacking campaign was discovered. This new campaign included over 600 MikroTik routers on the network of Douglas County Public Utility District in north central Washington state. Their network, AS27373, has been allocated 1,792 IPv4 addresses and the latest Censys results show 703 IPs consisting solely of MikroTik routers. In other words, 39% of the IPs they manage route to a compromised device.

Upon reviewing these findings, I notified US-CERT (NCCIC) in addition to other members of federal law enforcement as these routers on the network of a public energy co-operative. While I never received confirmation that an NCCIC incident number was assigned, I was told by the NCCIC to continue to send in similar reports in the future.

It’s alarming to see so many devices on a public utilities’ network compromised, so I hope the NCCIC is able provide them with guidance and/or assistance with the remediation process.

In less than 9 hours, the total found on Censys for the US has increased to 7,765. The network with the largest share of compromised MikroTik routers is AS18771 (Agavue LLC aka Cibola Wireless). This provider is a WISP in Albuquerque, NM. https://t.co/oQx6UMEiFD — Bad Packets Report (@bad_packets) September 28, 2018

The latest results found on Censys indicate cryptojacking campaigns targeting vulnerable MikroTik routers in the United States is not slowing down. Many Wireless Internet Service Providers (WISPs) appear to affected as numerous compromised devices can be found on their networks.

IOCs

Instead of listing each IOC here, I have placed them in the MikroTik cryptojacking campaigns spreadsheet that lists each site key used for every campaign and includes notes on how the malware is injected.

Thanks to Censys for providing me with the API credits needed to keep this list frequently updated.

Closing remarks

As I recently told Threatpost, scraping for pennies with Coinhive is not the worst-case scenario that miscreants can do with these compromised MikroTik routers. The report published by Netlab 360 illustrated how they can used for much more nefarious purposes such as eavesdropping all traffic passing through them.

MikroTik users need to ensure they’re running the latest version of RouterOS which has patched CVE-2018-14847. Anyone using version 6.42 or older should apply the update ASAP, available here.

If you’d like to learn more about my work and what others are saying about it, please view my references page. I’ve also coauthored a peer-reviewed research paper, A first look at browser-based cryptojacking.

As always, I’m most active on Twitter — please follow @bad_packets for the latest updates.

Author’s note

The statistics shared in this post were accurate as of September 28, 2018. Since then, the amount of compromised MikroTik routers worldwide has greatly increased. The latest totals reveal over 400,000 have been hacked by miscreants.

421,073 compromised MikroTik routers found on @censysio. Active #cryptojacking campaigns (unique IOCs): 106

Coinhive: 77

CoinImp: 9

WebMinePool: 6

OMINE (XMR pool): 3

All others: 11 Spreadsheet with lookup URLs:https://t.co/iL8uVgPQJ7 pic.twitter.com/vNngZV6nFf — Bad Packets Report (@bad_packets) October 11, 2018