Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally
A massive hacking campaign has been uncovered, compromising tens of thousands of MikroTik routers to embed CoinHive cryptomining scripts in websites by exploiting a known vulnerability.
As of Thursday morning, Censys.io has reported more than 170,000 active MikroTik devices infected with the CoinHive site-key used in this campaign (the site-key is the same across infections, indicating a single entity behind the attacks). By the afternoon, an additional 15,000 routers were found to be affected.
The campaign is mainly targeting Brazil – but infections are growing internationally, according to Trustwave’s Secure Web Gateway (SWG) team, indicating much larger ambitions.
“This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible,” Trustwave researcher Simon Kenin wrote in a posting today. “This attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale.”
MikroTik routers are used in large enterprises and by ISPs to serve web pages to thousands or more users daily, meaning that each compromise translates into a big payday for the threat actor.
“We’re … talking about potentially millions of daily pages for the attacker,” Kenin wrote. “The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end-user computers, they would go straight to the source: carrier-grade router devices.”
Kenin added that while cryptomining is the primary goal of this wave of attacks, the script has persistence and the flexibility to change and add new features, exacerbating the threat.
A Known Vulnerability
The attacks demonstrate the dangers of neglecting to patch. The campaign is taking advantage of a known vulnerability in the routers, which was patched by MikroTik on April 23rd. A tweet from @MalwareHunterBR revealed the exploit being used, which targets Winbox and allows the attacker to gain unauthenticated remote administrative access to any vulnerable MikroTik router. A Shodan search shows at least 70,000 affected routers in Brazil alone, and tens of thousands more in other geographies.
Whoever’s behind the campaign – so far, an unknown entity – also has some know-how when it comes to this particular router, given that he or she found a new attack vector for the vulnerability.
“Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited,” explained Kenin.
Further, the researcher uncovered that many of the compromised pages are actually error pages of the webproxy, meaning that the attacker created a custom error page with the CoinHive script in it.
“If a user receives an error page of any kind while web browsing, they will get [a] custom error page which will mine CoinHive for the attacker,” Kenin explained. “The backend Apache server is connected to the router as well, and somewhere along the way there was an error and it was displayed to me, miner included. What this means is that this also impacts users who are not directly connected to the infected router’s network, but also users who visit websites behind these infected routers. In other words, the attack works in both directions.”
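The injection described above can be spotted from the receiving end: an HTTP response body that carries the CoinHive loader plus a miner constructor with a site-key, and, as Censys did, the same key showing up across many hosts points to one operator. The following is an added detection example, not code from Trustwave or Censys; the loader URL and the `CoinHive.Anonymous(...)` constructor follow the public CoinHive JavaScript API of the time (an assumption for this example), the site-keys and response bodies are constructed placeholders, and the article's real key is not on this page.

```python
import re
from typing import Dict, Optional

# Loader <script> tag and miner constructor carrying the site-key.
# Names follow the public CoinHive JS API of 2018 (assumption for this example).
COINHIVE_LOADER = re.compile(
    r'<script[^>]+src=["\'][^"\']*coinhive\.(?:min\.)?js["\']', re.I)
COINHIVE_SITEKEY = re.compile(
    r'CoinHive\.(?:Anonymous|User)\(\s*["\']([A-Za-z0-9]+)["\']', re.I)


def extract_sitekey(body: str) -> Optional[str]:
    """Return the CoinHive site-key injected into an HTTP response body, else None."""
    if not COINHIVE_LOADER.search(body):
        return None  # no loader: treat as clean even if the word appears in prose
    m = COINHIVE_SITEKEY.search(body)
    return m.group(1) if m else None


def cluster_by_sitekey(responses: Dict[str, str]) -> Dict[str, int]:
    """Count how many hosts serve a miner under each site-key.

    One key across many hosts is the signal the article relies on: a single
    actor behind the whole campaign rather than unrelated infections.
    """
    counts: Dict[str, int] = {}
    for _host, body in responses.items():
        key = extract_sitekey(body)
        if key:
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample bodies: two proxy error pages carrying the same placeholder
# key, one page with a different key, and one clean error page.
INJECTED = ('<html><head><title>Error</title>'
            '<script src="https://coinhive.com/lib/coinhive.min.js"></script></head>'
            '<body><h1>ERROR: The requested URL could not be retrieved</h1>'
            '<script>var miner = new CoinHive.Anonymous("{key}");miner.start();'
            '</script></body></html>')
SAMPLES = {
    "router-a.example": INJECTED.format(key="PLACEHOLDERKEYAAAA"),
    "router-b.example": INJECTED.format(key="PLACEHOLDERKEYAAAA"),
    "router-c.example": INJECTED.format(key="PLACEHOLDERKEYBBBB"),
    "clean.example": "<html><body><h1>ERROR: The requested URL could not be retrieved</h1></body></html>",
}

if __name__ == "__main__":
    print(cluster_by_sitekey(SAMPLES))  # {'PLACEHOLDERKEYAAAA': 2, 'PLACEHOLDERKEYBBBB': 1}
```

Run the same check against bodies fetched through and around a suspect router to see whether the injection affects both the router's own clients and visitors to sites behind it, as the article describes.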
Source | threatpost