Four months after a security patch for MikroTik routers was released, some users of the devices who did not apply the fix have now been turned into unwitting miners of Monero.
Known as CVE-2018-14847, the security flaw in MikroTik routers is being exploited to install the Coinhive cryptocurrency mining script in websites that users of the devices visit. According to cybersecurity researchers at SpiderLabs, tens of thousands of unpatched routers in Brazil were initially affected, though the number is rapidly rising and spreading across the globe.
The vulnerability in the MikroTik Ethernet and Wi-Fi routers allows remote attackers to bypass authentication and then read and modify arbitrary files. It was discovered in April this year and the router manufacturer issued a patch shortly after.
The first Coinhive site key was found to have been used on 175,000 routers, mainly in Brazil, but a new key for the same mining script was then injected into routers and has so far affected an additional 25,000 routers in the eastern European country of Moldova, according to security researcher Troy Mursch. It is not clear whether the same attacker is responsible for the newest phase of the attack or whether it is a copycat.
Originally, the Coinhive scripts were being injected into all the web pages visited by a user. However, in a bid to reduce the chances of detection, the attacker turned to installing the cryptocurrency mining scripts only in custom error pages. Other techniques being used by the attacker to avoid detection include issuing cleanup commands after compromising routers in order to leave as small a footprint as possible.
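A defender-side check for the injection described above, added here as an example and not taken from the original article or from the researchers it quotes: it scans captured HTTP responses for the Coinhive loader, extracts the site key, and groups hits by key so that separate keys (such as the two mentioned above) stand apart. The sample URLs, site keys and responses are constructed placeholders.

```python
import re
from collections import defaultdict

# Names used by the public Coinhive JavaScript miner: the loader file and
# the constructors that take the site key as their first argument.
LOADER_RE = re.compile(r"coinhive(?:\.min)?\.js", re.I)
KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User|Token)\(\s*['\"]([A-Za-z0-9]+)['\"]", re.I)

def scan_response(status, body):
    """Report Coinhive markers in one HTTP response body."""
    return {
        "loader": bool(LOADER_RE.search(body)),
        "site_keys": sorted(set(KEY_RE.findall(body))),
        "error_page": status >= 400,  # later phase hid the script in error pages
    }

def group_by_site_key(responses):
    """Map each site key to the (url, status) pairs it was seen on."""
    hits = defaultdict(list)
    for url, status, body in responses:
        for key in scan_response(status, body)["site_keys"]:
            hits[key].append((url, status))
    return dict(hits)

# Constructed sample captures: URLs and site keys are placeholders.
LOADER = '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
SAMPLES = [
    ("http://site-a.example/", 200, "<html><body>Welcome</body></html>"),
    ("http://site-a.example/missing", 404,
     LOADER + '<script>new CoinHive.Anonymous("PLACEHOLDERKEY1").start();</script>'),
    ("http://site-b.example/blocked", 403,
     LOADER + "<script>new CoinHive.Anonymous('PLACEHOLDERKEY2').start();</script>"),
    ("http://site-c.example/", 200,
     LOADER + '<script>new CoinHive.Anonymous("PLACEHOLDERKEY1").start();</script>'),
]

if __name__ == "__main__":
    for key, pages in group_by_site_key(SAMPLES).items():
        print(key, pages)
```

A site key that shows up on unrelated sites, or only on 4xx/5xx responses, points to injection in the network path rather than to a script the site owner deployed.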
Though the cryptojacking campaign is mainly targeting Brazil, it is also spreading across the globe with the potential to compromise many more MikroTik routers. It is estimated that a significant number of MikroTik routers around the world have not been patched four months after the security fix was released.
“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” Simon Kenin, a security researcher at SpiderLabs, wrote in a blog post.
Additionally, the attack works both ways. Since it is aimed at vulnerable MikroTik routers, it also affects websites hosted on servers using compromised devices, and thus users in any geo-location who are not directly connected to the infected devices are also vulnerable.
“As mentioned, servers that are connected to infected routers would also, in some cases, return an error page with Coinhive to users that are visiting those servers, no matter where on the internet they are visiting from,” notes Kenin.
Last modified: May 20, 2020 6:09 PM UTC