Almost Half a Million MikroTik Routers Infected by Crypto Mining Malware to Mine Monero (XMR)
The crypto-jacking epidemic continues this week with news that 415,000 routers have been infected with crypto mining malware. The targeted routers were quietly hijacked to mine cryptocurrency without alerting users.
The attack was spotted by security researcher VriesHD and the team at Bad Packets Report, who have been reporting on the issue since August 2018.
Hackers are specifically targeted vulnerable MikroTik routers. The company recently released a patch to solve a well-known security exploit. Customers and ISPs can patch the exploit in minutes. Unfortunately, hundreds of thousands of routers worldwide remain vulnerable. Many users are unaware their routers are compromised. Many ISPs are either unaware or indifferent.
When the attackers gain control of your router using the exploit, they immediately install crypto mining software and then start using your internet connection to mine cryptocurrency.
The string of attacks reportedly began in August 2018, when researchers first noticed that MikroTik routers were being targeted. At that point, 200,000 routers were found to be infected with the crypto-mining malware.
Over the last few months, the number of infected devices has doubled. At last count, there were 415,000 infected routers around the world. Although there are infected devices on every continent, the majority of infected routers are found in Brazil. Other significant concentrations can be found in Southeast Asia and Eastern Europe.
Attackers Use Three Different Security Exploits to Target Vulnerable Routers
This latest cryptojacking attack involves the use of three different security exploits, although more exploits may be identified in the future. As confirmed in a tweet by VriesHD earlier this week,
“Just three different ways to abuse vulnerable Mikrotik routers to try to mine cryptocurrencies. Total combined 415 thousand results. Many more ways active.”
Just three different ways to abuse vulnerable Mikrotik routers to try to mine cryptocurrencies. Total combined 415 thousand results. Many more ways active. pic.twitter.com/u01HEr2UQy
— Kira 2.0 (@VriesHd) December 2, 2018
VriesHD later urged ISPs to take an active stance against the issue and patch vulnerable routers before releasing them to customers. If ISPs continue to release vulnerable routers to unsuspecting customers, it seems likely these attacks will continue.
Attackers Are Using a Mix of Crypto Mining Software
Cryptojacking has been a problem for years. Since 2017, however, attacks have surged worldwide. Attackers initially favored the popular crypto mining software CoinHive, which mined Monero (XMR). Since then, however, attackers have shifted to other mining software, including Omine and CoinImp, although CoinHive is still very popular.
The problem with cryptojacking attacks is that some people use cryptocurrency mining software for legitimate reasons. Some website owners install crypto mining malware as an alternative to traditional advertising systems, for example. This makes it difficult to differentiate malicious mining traffic from legitimate mining traffic.
Download the Latest Router Firmware Upgrade to Protect Yourself
If you own a MikroTik router, then you may be vulnerable to the latest cryptojacking attack. If you haven’t upgraded your router firmware in the last few months, then you should assume your router is vulnerable.
Downloading the latest router firmware upgrade is never a bad idea. Fortunately for MikroTik router owners, that’s the only step you need to take to solve your router firmware issue. Download and install the latest firmware upgrade for your device to fix the security exploit.
Internet Service Providers can also take a proactive stance to defend their users against cryptojacking attacks. ISPs are the biggest distributors of routers, and many customers have no idea how to upgrade their routers. ISPs can take a proactive stance by upgrading routers to the latest firmware before delivering them to the homes of clients.
The patch for this specific cryptojacking exploit has been on the internet for months. With a simple patch, ISPs can remove thousands of infected devices from the list. Unfortunately, some ISPs are either unwilling to prevent the attack or unaware the exploit exists at all.
We recommend downloading the latest version of RouterOS for your MikroTik router from the official website here: https://mikrotik.com/download.