Massive Cryptojacking Campaign: More than 170,000 MikroTik Routers Enslaved

Security researchers uncovered a colossal cryptocurrency mining campaign that abused MikroTik routers. The attackers used the routers' settings to deploy Coinhive's in-browser cryptocurrency mining script.

MalwareHunterBR, a Brazilian researcher, was the first to discover the attack in Brazil. Later, more researchers found that attackers were targeting MikroTik routers all across the world.

Zero-Day Exploits

The attackers used a zero-day exploit for a flaw uncovered in the routers’ Winbox component. Even though the manufacturer patched the flaw within hours of its discovery, not all router owners have applied the patch.

Simon Kenin, a Trustwave researcher, stated in his report:

“To MikroTik’s credit, they patched the vulnerability within a day of its discovery, but unfortunately there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone.”

After a meticulous analysis of the cryptojacking campaign, Kenin concluded that the attackers had modified the configurations of more than 170,000 MikroTik routers in order to inject the Coinhive script.

According to Kenin, hundreds of thousands of MikroTik routers are in use all across the globe, deployed by ISPs as well as various companies and organizations. Every router serves “tens, if not hundreds of users” on a daily basis.

Users of MikroTik routers are currently being advised to immediately update their firmware so they can be safe from these types of cryptojacking attacks.
