Over 200,000 MikroTik Routers Compromised in Cryptojacking Campaign

Security researchers uncovered a cryptojacking campaign — where attackers hijack systems to conduct cryptocurrency mining — that injects a malicious version of Coinhive, a web-based cryptocurrency miner, by exploiting a vulnerability in MikroTik routers. Here’s what you need to know about this threat:

What happened?

The initial phase of the cryptojacking campaign reportedly hacked 72,000 MikroTik routers in Brazil. As of this writing, over 200,000 MikroTik routers have already been compromised. While the majority of the routers were in Brazil, researchers noted that the attacks are now spreading outside the country as well.

This indicates that users or organizations using a vulnerable MikroTik router are susceptible to cryptojacking. In fact, researchers saw cases where non-MikroTik routers were also affected, most likely because the internet service providers (ISPs) in Brazil use MikroTik routers in their main networks.


What vulnerability did this cryptojacking campaign exploit?

The cryptojacking campaign exploits a security flaw in Winbox, a remote management service bundled with RouterOS, the operating system of MikroTik routers. The vulnerability, which has no CVE identifier, was disclosed in April 2018 and patched accordingly.

Winbox lets users configure their devices remotely over the network. Successfully exploiting the vulnerability lets attackers connect to the Winbox port (TCP 8291) with tools that “request access system user database files.”


How does the cryptojacking attack work?

Successfully exploiting the vulnerability grants the attacker unauthorized admin access to the device, allowing them to inject a malicious version of the Coinhive script into every webpage that users visit. Users are affected even when they connect to the vulnerable router over its wireless network.

Because malicious cryptocurrency mining causes heavy performance degradation and increased network traffic, the campaign’s operators realized that the attacks were drawing the attention of ISPs and security researchers, and they shifted tactics. To keep a low profile, the malicious Coinhive script is now injected only into error pages returned by the router.

Researchers also identified a script that runs when the attacker finds a new vulnerable router. The malicious script modifies system settings, enables a proxy, schedules tasks to update itself, and creates a backdoor. This was seen as the hacker’s attempt to evade detection and retain access.


Is this a new cryptojacking method?

The attack is not new. Vulnerabilities in MikroTik RouterOS-based devices were also exploited to add them to a botnet. MikroTik routers were also compromised as part of the Operation Slingshot cyberespionage campaign, which used them to gain a foothold into the systems of their targets of interest. Trend Micro researchers also uncovered Mirai-like activities that scan for vulnerable internet-of-things (IoT) devices such as routers, IP cameras, and digital video recorders (DVRs). Default credentials are then used to try to hijack them.

Given the popularity of cryptocurrency mining, it’s no surprise that threat actors are jumping on the bandwagon. For instance, a hacking group was found peddling Monero-mining malware that targets IoT devices. It can also steal the victim’s cryptocurrencies by replacing the victim’s wallet address with the attacker’s own.


How can this threat be thwarted?

An unsecured router can be a doorway to threats that hijack systems for cybercriminal gain and expose personal and mission-critical data to unauthorized access and modification. Here are some best practices:

Keep the router and connected devices patched.

Disable or restrict outdated plug-ins, extensions or other software components that can be used as entry points.

Use multifactor authentication and strengthen or update the device’s default credentials.

Enable security mechanisms such as firewalls.

For enterprises, actively monitor systems and networks for anomalous activities, add security in all layers of the organization’s online premises, and employ countermeasures (e.g., using more secure communication protocols such as HTTPS in site administration).
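As an added illustration of these best practices on the device the article discusses (this is not code from the article or from MikroTik), the following RouterOS console session checks a router for the artifacts the campaign’s script leaves behind, as described above (an enabled proxy, scheduled tasks, scripts and backdoor accounts), and restricts Winbox to a management network. The subnet 192.168.88.0/24 is an assumed placeholder; substitute your own management range.

```routeros
# Added example, not from the original article. Assumes the management
# network is 192.168.88.0/24; replace it with your own range.

# 1. Confirm the running RouterOS version and apply the patched release.
/system resource print
/system package update check-for-updates
/system package update install

# 2. Review which management services listen and from which addresses.
#    Winbox (TCP 8291) should never be reachable from the internet.
/ip service print
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service disable telnet,ftp,api

# 3. Drop Winbox connections that do not originate in the management subnet.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address=!192.168.88.0/24 action=drop comment="winbox from mgmt only"

# 4. Look for the persistence described above: a proxy that was enabled
#    (the article does not say which kind, so check both web and SOCKS),
#    scheduler entries and scripts that re-fetch the attacker's script,
#    unknown user accounts used as a backdoor, and NAT rules that
#    redirect traffic through the proxy.
/ip proxy print
/ip proxy access print
/ip socks print
/system scheduler print
/system script print
/user print
/ip firewall nat print

# 5. If a proxy was switched on without your knowledge, disable it, then
#    remove any scheduler entries, scripts and users you did not create.
/ip proxy set enabled=no
/ip socks set enabled=no
```

Review the output of step 4 against your own change records before removing anything, since a legitimate administrator may also use the scheduler and proxy.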