- The campaign was first observed in Brazil, but later spread to other countries.
- A zero-day exploit, discovered in the Winbox component of the router, was used to conduct the campaign.
A massive cryptocurrency mining campaign targeting vulnerable MikroTik routers has been discovered by security researchers. The attackers were found leveraging the routers’ settings to inject the infamous in-browser cryptocurrency mining script Coinhive.
The campaign was first observed in Brazil by a researcher named MalwareHunterBR. However, other researchers soon noticed that MikroTik routers all over the world were being targeted as well.
The attackers leveraged a zero-day exploit discovered in the Winbox component of the routers. Although the manufacturer had patched the vulnerability within hours of its discovery, the patch has not yet been diligently applied by all router owners.
"To MikroTik's credit, they patched the vulnerability within a day of its discovery, but unfortunately there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone," Trustwave researcher Simon Kenin said in a report.
A proof-of-concept for the zero-day exploit, whose patch has been poorly adopted, is available in a blog post shared by a researcher.
After conducting a thorough analysis of the campaign, the Trustwave researcher concluded that the attackers altered the configurations of over 170,000 MikroTik routers to inject the Coinhive script for cryptojacking.
"There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses; each device serves at least tens if not hundreds of users daily," said Kenin, highlighting the severity of the attack. "The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end-user computers, they would go straight to the source: carrier-grade router devices."
MikroTik router users are being urged to update their firmware immediately to stay safe from the cryptojacking campaign.