A known vulnerability in MikroTik routers has allowed hackers to launch a massive cryptomining attack in Brazil. The attack was noticed by Simon Kenin, Security Researcher at Trustwave. Kenin saw a significant spike in the use of CoinHive in Brazil. CoinHive is used to mine the Monero cryptocurrency.
All of the attacks appeared to be coming from MikroTik routers. Kenin used Shodan to search for MikroTik routers and CoinHive in Brazil. To his surprise, it returned over 70,000 devices. This is not a random attack. A further investigation revealed that all the devices were using the same CoinHive sitekey. What this means is that all the cryptocurrency mined is going into a single account.
How were the MikroTik routers infected?
Kenin investigated the possibility that this was a new attack against MikroTik using a zero-day exploit. That led nowhere. A tweet from @MalwareHunterBR proved to be the key to unlocking this attack.
The attackers are using a known vulnerability. MikroTik is aware of it and issued a patch on April 23 to fix it. Like many patches, however, this one has been widely ignored. Kenin writes: “Unfortunately there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone.”
The exploit allows an attacker to gain unauthenticated remote admin access to MikroTik routers. The original vulnerability saw attackers run a malicious executable on the router itself. In this attack Kenin reports that the attackers have: “used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.”
Kenin discovered a number of scripts that maximised the effectiveness of the attack. These include:
- A custom error page with the CoinHive script in it. Every time a user gets an error while browsing, the CoinHive script runs.
- The attack also impacts visitors to the websites, not just those behind the MikroTik routers.
- A MikroTik.php file that injects CoinHive into every HTML page.
Kenin is unsure how the latter works as the file has since been removed from the attacker’s server. He also identified alternative scripts that would run if CoinHive blocked the original sitekey. The attacker also installed a script called “u113.src” on the routers. This, Kenin believes, will allow the hackers to download other commands and code later.
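As an added illustration (not code from Kenin’s report or from the original article), the following Python checks fetched HTML bodies for an injected CoinHive embed and groups pages by sitekey, the same signal Kenin used when he found one sitekey shared across tens of thousands of devices. The sample pages and the sitekey values are constructed placeholders, and the snippet shape assumes CoinHive’s public `CoinHive.Anonymous(sitekey)` embed.

```python
import re

# Constructed sample of HTTP response bodies as seen by clients behind a router that
# rewrites traffic: a normal page and a custom error page both carry the injected
# miner, while the third page is clean. Sitekeys are placeholders, not real values.
SAMPLE_PAGES = {
    "http://example.test/index.html": """<html><head><title>Shop</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER_A'); miner.start();</script>
</head><body>Welcome</body></html>""",
    "http://router.test/error": """<html><body><h1>404 Not Found</h1>
<script src='https://coinhive.com/lib/coinhive.min.js'></script>
<script>new CoinHive.Anonymous("SITEKEY_PLACEHOLDER_A").start();</script>
</body></html>""",
    "http://clean.test/": "<html><body>No miner here</body></html>",
}

# The miner loader script tag and the sitekey handed to the public CoinHive API.
LOADER_RE = re.compile(
    r"<script[^>]+src=['\"]https?://coinhive\.com/lib/coinhive\.min\.js['\"]", re.I)
SITEKEY_RE = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9_\-]+)['\"]", re.I)


def find_injected_miner(html):
    """Return the CoinHive sitekey if the page both loads the miner library and
    starts it with a sitekey; return None for a clean page."""
    if not LOADER_RE.search(html):
        return None
    match = SITEKEY_RE.search(html)
    return match.group(1) if match else None


def group_by_sitekey(pages):
    """Map each sitekey to the URLs that carry it. One key appearing on unrelated
    sites and on router error pages is the fingerprint of an upstream injection
    rather than a site owner who chose to run the miner."""
    hits = {}
    for url, html in pages.items():
        key = find_injected_miner(html)
        if key:
            hits.setdefault(key, []).append(url)
    return hits


if __name__ == "__main__":
    for key, urls in group_by_sitekey(SAMPLE_PAGES).items():
        print(f"sitekey {key} injected on {len(urls)} page(s): {urls}")
```

Run against bodies captured from inside the affected network; the same check on a clean upstream path tells you whether the injection happens on the site or in transit.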
What does this mean?
As Kenin points out: “The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices.
“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.”
This is not a case of inept users failing to keep their devices up to date. This is an attack against enterprises and carriers. This means that the potential for this attack is significant.
What it highlights is that vendors also need to do more to maintain devices. In this case, MikroTik needs a mechanism to force updates where an attack is critical. Alternatively, it needs to be able to alert users to the risk of not applying the latest patches. Otherwise, attacks against Brazil today will spill over into much larger markets later.
Note: We emailed CoinHive to ask if they have blocked the sitekey being used. So far, no response and no update from Kenin to say he has seen this happen. We will update this article if we hear more.