MikroTik routers are in the target by crypto-mining campaign

by Lucia Danes - - 2018-10-19

MikroTik routers abused to mine cryptocurrency

MikroTik router attacks blocked all over the world Cryptocurrency mining activities detected all around the world on exploited routers.

Since April, when Latvian router manufacturer MikroTik patched a CVE-2018-14847 vulnerability,^[1] hackers have been exploiting this flaw to compromise unpatched routers by executing malicious campaigns including crypto-mining URLs. According to Avast reports, more than 420,000 routers have already been exploited for mining cryptocurrency no matter how actively the manufacturer and security experts been encouraging users to download needed updates.^[2]

Being detected as JS:InfectedMikroTik, malware has already been analyzed, and more information about the exploit came to light. The campaign was first spotted back in July. According to experts, the longevity and persistence made this malware difficult to understand at first as it used clever techniques to take control of the computing power and ensure the effectiveness on the affected routers.

To mine cryptocurrency or exploit other functionalities, the malware affects all devices that are connected to the same network, including smart TVs, phones, computers, not the only device. The biggest issue is that there is no possibility to know what else might happen in the background and how the compromised router is misused.

Attacks blocked around the world

The Avast has already presented the top ten of the most popular countries that got affected by JS:InfectedMikroTik malware (the numbers identify the number of affected users):

Brazil – 85 230;
Poland – 43 677;
Indonesia – 27 102;
Argentina – 24 255;
Colombia – 15 300;
Turkey – 15 144;
India – 11 809;
Ukraine – 11 614;
Bangladesh – 9 867;
Venezuela – 9 527.

Unfortunately, CVE-2018-14847 vulnerability is not the first one. On July 31, experts noticed more than 70,000 MikroTik routers in Brazil country acting in the same way. This time, hackers got a chance to read victim's files from a vulnerable device and get unauthorized remote access to the device. However, the main task was to infect these vulnerable routers with the special code injecting the CoinHive in-browser crypto-mining script to generate cryptocurrency.^[3]

Cryptocurrency mining malware on the rise

At the beginning of this year, ransomware^[4] was considered the most popular and the most dangerous virus type. However, during the recent year, cryptominers go neck to neck with crypto-extortionists.^[5] The rise in the popularity and value of cryptocurrency attracted malware developers to design viruses capable of generating Bitcoin, Monero and other cryptocurrencies without a need of installing malware on the system.

The mining activity became more popular because there is no need to contact the victims directly. Criminals can run specific scripts to mine currency using the resources of an infected device. Most probably, routers got into attackers' eye because they can be found in every household or even business. Often, there is a lot of security issues and flaws that people ignore and can be made to make profit silently.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions

References

^ 7,500+ MikroTik routers are forwarding owners' traffic to the attackers, how is yours?. Netlab. Network development group.
^ Threat Intelligence Team. MikroTik mayhem: cryptomining campaign abusing routers. Avast. Blog of Avast experts.
^ Linas Kiguolis. FBI asks to reboot routers in U.S to stop Russian malware attack. 2-spyware. Spyware related news.
^ Rod Walton. North carolina utility hobbled by ransomware attack in wake of Florence. Power-eng. Power generation technology and news.
^ Cryptojacking is taking over Ransomware as the new online threat. Hindustantimes. Breaking news.