200K MikroTik Routers Hijacked and Turned Into Crypto-Mining Zombies

Aug 5, 2018, 7:28AM
1 min, 34 sec READ

The infamous Coinhive miner has been abused once again, this time by a cryptojacker who targeted ISP-grade routers. Will this ever end?

A recent tweet from an independent malware investigator reports a "mass exploitation" of MikroTik routers for the purpose of cryptocurrency mining. The attacker hijacked the routers, then injected the code for the Coinhive miner into web pages served by the routers in question.

Attack report

Although Coinhive can be legitimately used, the fact that Coinhive runs on JavaScript and is easy to implement makes it a frequent tool of cryptojackers. Although this is not the first attack of this type, it is one of the most successful. Typically, cryptojacking is performed by spreading viruses, bundling a miner with software, or hacking individual websites. This attack approached things differently. 

Each [MikroTik] device serves at least tens if not hundreds of users daily [...] the attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices. / Simon Kenin

The attack that began in Brazil but has since spread worldwide has affected an estimated 175,000 devices, including people who do not use MikroTik routers, as ISPs have been using the compromised routers.

Previously, the Coinhive team has not taken any action beyond terminating the address used in an attack, meaning that the attacker can simply use another. In fact, a second Coinhive address has already been introduced to attack MikroTik routers, bringing the number of compromised devices up to 200,000.

It’s not clear if this is the same attacker or a copycat, but it seems unlikely that this type of attack will end any time soon. Coinhive mines Monero, which has built-in anonymity and privacy, making it more difficult to trace than Bitcoin and the source of the attacks are rarely found.

Disclaimer: information contained herein is provided without considering your personal circumstances, therefore should not be construed as financial advice, investment recommendation or an offer of, or solicitation for, any transactions in cryptocurrencies.