MikroTik Routers infected in Cryptojacking Campaign

Currently been exploited in mainly Brazil is a massive cryptojacking campaign infecting MikroTik routers. Central to the campaign is the hacker’s use of the now infamous Coinhive in-browser cryptocurrency miner. Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads crypto mining code on the computer or in this case a router. The crypto mining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution that may not have been experienced previously.

New Campaign

The first detections of the campaign were done by a security researcher based in Brazil who goes by the name MalwareHunterBR. The announcement was made via the researchers Twitter account. In the campaign's first stages infections appeared limited to Brazil, however, as the number of infections grew is was quickly seen that MikroTik routers were been infected across the globe. As the number of infections rose steadily researchers based at Trustwave’s SpiderLabs division began investigating the campaign.

mikrotik coinhive cryptojacking campaign

According to the report published by Trustwave, in the first stages of the attack 72,000 routers were infected in Brazil alone. That number has now shot to over 170,000. It is possible that the campaign will not stop there either. A quick search on Shodan showed that there are over 1.7 million MikroTik routers visible online. Researchers at Trustwave believe that the hacker, or group behind the campaign, utilized a zero-day vulnerability that was announced in April 2018. A zero-day vulnerability is an attack that exploits a previously unknown security vulnerability. Sometimes it may be referred to as a zero-day attack when that vulnerability is exploited on the same day that the vulnerability becomes generally known.

The MikroTik Zero-Day

The zero-day was found affecting the Winbox component of MikroTik routers. MikroTik responded in near record time and patched the vulnerability in little under a day. While MikroTik should be rightly praised for their response, users and router owners it would appear had not bothered to update their routers. Soon after the vulnerability was announced and subsequently patched security researchers began dissecting the vulnerability. Researchers at the   BASU CERT reverse engineering lab published an incredibly comprehensive dissection with a proof of concept code. Soon after that others began publishing proof of concept code of the repository GitHub.

According to researchers at Trustwave the hacker in all likelihood used one of those proof of concepts to firstly alter traffic passing through the MikroTik router and, secondly, to inject a copy of the Coinhive library inside all the pages served through the router. It would also appear that only one hacker, or group of hackers, is currently exploiting the flaw to mine cryptocurrency. This can be safely assumed as only one Coinhive key for all the Coinhive injections performed during the past week was used. The method of attack used by the hacker is novel in the sense that the injection worked both ways and not just for traffic going to the user. That means that if a website was hosted on a local network behind an affected MikroTik router, traffic to that website would also be injected with the Coinhive library.

It was this novel attack method which also enabled the hacker to infect non-MikroTik routers. Researchers noticed in some of the detections that non-MikroTik users were also impacted. The reason for this is that some Brazilian ISPs were using MikroTik routers for their main network. Hence the attacker managed to inject the malicious Coinhive code in a massive amount of web traffic.

Downsize in Operations

Injecting malicious code into massive amounts of traffic is incredibly noisy and will make detection far easier. Once a user sees that there is an issue they will move to correct it and then cryptocurrency can no longer be mined. The hacker seems to understand this and not wishing to interrupt his revenue stream or be caught, has downsized the operation. The downsizing has not happened in a manner one might expect in preventing further infections or reducing the rate of infection. Rather, the hacker only injected the Coinhive script in error pages returned by the routers. This has the practical effect of drastically reducing the instances of injection and making the campaign far less noisy.

By doing this the amount of cryptocurrency mined over a specific time frame is reduced significantly. However, the hacker has shown an impressive amount of cunning in that although the instances of injection decreases, the hacker can look to infect more routers. This has the advantage of remaining undetected while been able to exponentially increase infections. Obviously, the hacker knows this and new cases are been detected outside of Brazil. Added to this as was mentioned above there are roughly 1.7 million MikroTikMikroTik routers around the globe, meaning he has exploited only a tenth of the total attack surface available.

Simon Kenin, one of the lead researchers at Trustwave, summarised the campaign well by saying:

“Let me emphasize how bad this attack is. There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end-user computers, they would go straight to the source; carrier-grade router devices. Even if this attack only works on pages that return errors, we're still talking about potentially millions of daily pages for the attacker.”

Yet another reminder as to why software and hardware should be kept up to date.