A massive hacking campaign has been uncovered, compromising tens of thousands of MikroTik routers to embed Coinhive cryptomining scripts in websites using a known vulnerability.
As of Thursday morning, Censys.io has reported more than 170,000 active MikroTik devices infected with the CoinHive site-key used in this campaign (the site-key is the same across infections, indicating a single entity behind the attacks). By the afternoon, an additional 15,000 routers were found to be affected.
The campaign is mainly targeting Brazil – but infections are growing internationally, according to Trustwave’s Secure Web Gateway (SWG) team, indicating much larger ambitions.
“This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible,” Trustwave researcher Simon Kenin wrote a posting today. “This attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale.”
MikroTik routers are used in large enterprises and by ISPs to serve web pages to thousands or more users daily, meaning that each compromise translates into a big payday for the threat actor.
“We’re … talking about potentially millions of daily pages for the attacker,” Kenin wrote. “The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end-user computers, they would go straight to the source: carrier-grade router devices.”
Kenin added that while cryptomining is the primary goal of this wave of attacks, the script has persistence and the flexibility to change and add new features, exacerbating the threat.
A Known Vulnerability
The attacks demonstrate the dangers of neglecting to patch. The campaign is taking advantage of a known vulnerability in the routers, which was patched by MikroTik on April 23rd. A tweet from @MalwareHunterBR revealed the exploit being used, which targets Winbox and allows the attacker to gain unauthenticated remote administrative access to any vulnerable MikroTik router. A Shodan search shows at least 70,000 affected routers in Brazil alone, and tens of thousands more in other geographies.
Whoever’s behind the campaign – so far, an unknown entity – also has some know-how when it comes to this particular router, given that he or she found a new attack vector for the vulnerability.
“Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited,” explained Kenin.
Further, the researcher uncovered that many of the compromised pages are actually error pages of the webproxy, meaning that the attacker created a custom error page with the CoinHive script in it.
“If a user receives an error page of any kind while web browsing, they will get [a] custom error page which will mine CoinHive for the attacker,” Kenin explained. “The backend Apache server is connected to the router as well, and somewhere along the way there was an error and it was displayed to me, miner included. What this means is that this also impacts users who are not directly connected to the infected router’s network, but also users who visit websites behind these infected routers. In other words, the attack works in both directions.”
A Growing Campaign
The Trustwave research shows that the attacker has built mechanisms into the attacks that offer future potential for the existing infections.
Meanwhile, among the commands that are executed when a router is infected is the creation of scheduled tasks for updating if needed. For one, he or she has scheduled a task which connects to another host and fetches a new “error.html” file – likely in the event that the site-key was blocked and had to be replaced with another.
The attacker also scheduled a task which downloads and executes a script written for MikroTik routers named “u113.rsc”. A backdoor account named “ftu” is created as well.
“When we checked, the script was just being used as a placeholder, but it’s clearly a way for the attacker to send additional commands to all compromised devices at their disposal,” Kenin explained, who added that he noticed the script being updated a few times during his investigation. These updates added more cleanup commands to leave a smaller footprint and reduce the risk of being detected.
“MikroTik users need to ensure their RouterOS is up-to-date with the latest security patches,” said Troy Mursch, security researcher at Bad Packets Report, via email. “Otherwise, as we see in this case, they can be compromised to inject cryptojacking malware. As the Censys and Shodan search results reveal, it’s been easy for miscreants to compromise them on a large scale.”
He told Threatpost that carrier-grade routers being attacked is definitely concerning, but that end users still have options.
“Cryptojacking can be stopped in the browser (MinerBlock extension) and blocked at the local firewall (CoinBlockerLists),” he explained. “In regards to CoinHive being injected into HTTP traffic, this is generally avoidable if the requests are made over HTTPS. This is dependent on the website being accessed though. Not every site is using HTTPS, so the user can’t simply force the option.”
This post was updated at 2:10 p.m. on Thursday, to reflect the additional numbers of infected routers that have been found.