Hybrid Cloud Security
Data Center & Virtualization
Security Fit for DevOps
Solutions for Security Teams
Advanced Threat Protection
Endpoint & Gateway Suites
SaaS Application Security
Endpoint Detection & Response
Point of Sale
All Products and Trials
Centralized Visibility & Investigation
Global Threat Intelligence
Connected Threat Defense
Breaking News & Intelligence
Simply Security Blog
Security Intelligence Blog
UK Security Blog
Education & Certification
Glossary of Terms
Research & Reports
The Deep Web
Internet of Things (IoT)
Zero Day Initiative (ZDI)
Login to Support
Virus & Threat Help
Renewals & Registration
Free Cleanup Tools
Find a Support Partner
Pre-Sales Technical Advice
For popular products:
Find a Partner (Reseller, CSP, MSP)
Become a Partner (Reseller, Integrator)
All Alliance Partners
Customer Success Stories
Corporate Social Responsibility
Diversity & Inclusion
Internet Safety and Cybersecurity Education
Find a Partner
1-877-218-7353(M-F 8-5 CST)
Learn of upcoming events
Social Media Networks
+44 (0) 203 549 3300
Security researchers uncovered a cryptojacking campaign — where attackers hijack systems to conduct cryptocurrency mining — that injects a malicious version of Coinhive, a web-based cryptocurrency miner, by exploiting a vulnerability in MikroTik routers. Here’s what you need to know about this threat:
The initial phase of the cryptojacking campaign reportedly hacked 72,000 MikroTik routers in Brazil. As of this writing, over 200,000 MikroTik routers have already been compromised. While the majority of the routers were in Brazil, researchers also noted that the attacks are now also spreading outside the country.
This indicates that users or organizations using a vulnerable MikroTik router are susceptible to cryptojacking. In fact, researchers saw cases where non-MikroTik routers were also affected, most likely because the internet service providers (ISPs) in Brazil use MikroTik routers in their main networks.
[RELATED: VPNFilter-affected Devices Riddled with 19 Vulnerabilities, Vulnerable to Mirai, Reaper, WannaCry]
The cryptojacking campaign exploits a security flaw in Winbox, a remote management service bundled in MikroTik routers’ operating system, RouterOS. The vulnerability, which doesn’t have the typical CVE identifier, was disclosed in April 2018 and accordingly patched.
Winbox enables users to remotely configure their devices online. Successfully exploiting the vulnerability would let attackers use tools that can connect to the Winbox port (8291) and “request access system user database files.”
[READ: A Look Into the Most Noteworthy Home Network Security Threats]
Successfully exploiting the vulnerability grants the attacker unauthorized admin access to devices, allowing them to inject a malicious version of Coinhive script into every webpage that users visit. The user can still be affected even if connected to the vulnerable router’s wireless network.
Given the heavy performance issues and increased network traffic malicious cryptocurrency mining can cause, the campaign’s operators realized that the attacks drew the attention of ISPs and security researchers and shifted tactics. The malicious Coinhive script is now just injected in error pages returned by the router to keep a low profile.
Researchers also identified a script used for when the attacker finds a new, vulnerable router. The malicious script modifies system settings, enables proxy, schedules tasks to update itself, and creates a backdoor. This was seen as the hacker's attempt to evade detection.
[From TrendLabs Security Intelligence Blog: Cryptocurrency-Mining Malware: 2018’s New Menace?]
The attack is not new. Vulnerabilities in MikroTik RouterOS-based devices were also exploited to add them to a botnet. MikroTik routers were also compromised as part of the Operation Slingshot cyberespionage campaign, which used them to gain a foothold into the systems of their targets of interest. Trend Micro researchers also uncovered Mirai-like activities that scan for vulnerable internet-of-things (IoT) devices such as routers, IP cameras, and digital video recorders (DVRs). Default credentials are then used to try to hijack them.
Given the popularity of cryptocurrency mining, it’s no surprise that threat actors are joining the bandwagon. For instance, a hacking group was found peddling Monero-mining malware that targets IoT devices. It can also steal the victim’s cryptocurrencies by modifying the address/wallet and replacing it with the attacker’s own.
[InfoSec Guide: Mitigating Web Injections that can Be Used in Cryptojacking]
An unsecure router can be a doorway to threats that can hijack systems for cybercriminal gain, and expose personal and mission-critical data to unauthorized access and modification. Here are some best practices:
Like it? Add this infographic to your site:1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.