MikroTik Routers Exploited in Massive Crypto-Mining Campaign

Attackers managed to infect tens of thousands of MikroTik network routers in Brazil with code that injects the CoinHive in-browser crypto-mining script into web traffic.

The attack emerged on July 31, when more than 70,000 MikroTik devices in the country started displaying the same behavior. With all using the same CoinHive site-key, it became apparent that a single actor was behind the attack.

No zero-day was used in this massive attack, as MikroTik, a Latvian router manufacturer, patched the targeted vulnerability back in April 2018. The issue, however, is that the vulnerable devices haven’t been updated in a timely manner.

At the moment, there are “hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” Trustwave’s Simon Kenin, the researcher who analyzed the attack, reveals.

The employed exploit provides the attacker with the ability to read files from a vulnerable MikroTik router and get unauthenticated remote admin access to the device.

As part of this attack, however, the actor didn’t run a malicious executable on the router, but leveraged the device’s functionality to inject the CoinHive script into every web page the user visited.

For that, the attacker created a custom error page with the CoinHive script in it, which resulted in the user landing on that page when encountering any kind of error page while browsing. The attack works in both directions, meaning that users who visit websites behind those infected routers are impacted as well.

Initially, users would encounter the CoinHive script on every visited page, likely because the attacker, who appears to have high understanding of how the MikroTik routers work, might have built code to inject the script in every page.

In addition to modifying the device’s settings to serve the crypto-mining error page, the attacker also created a backdoor on the compromised devices. Kenin also noticed that the script has been updated several times during his investigation.  

“The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected,” the researcher notes.

Kenin also noticed that, although the attack was initially focused on Brazil, MikroTik devices in other countries started being infected as well. In fact, he eventually discovered that over 170,000 routers globally appeared to have the CoinHive site-key.

By targeting MikroTik’s vulnerable carrier-grade router devices, the attackers ensured a broad reach: impacted are not only users behind the routers, but also the visitors of any website hosted behind such a router.

“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” Kenin points out.

While the routers were exploited to deliver a crypto-mining payload, the devices coudl have been exploited for other objectives, Sean Newman, Director Product Management at Corero Network Security, sold SecurityWeek. "From a DDoS perspective, the scale of processing power available in such devices could easily be leveraged for a single attack which could extend to tens of terabits per second, or many smaller attacks if they were used as part of a DDoS for hire service," Newman said.

Related: Remotely Exploitable Vulnerability Discovered in MikroTik's RouterOS

Related: Sophisticated Cyberspies Target Middle East, Africa via Routers

Original author: Ionut Arghire