Bad Packets Identifies Monero Cryptojacking Malware Inside 200,000 Mikrotik Routers
Monero Mikrotik: Carrier-Grade Crypto Scheme
Mikrotik routers may be vulnerable to a security breach. Hackers are attempting to install and spread cryptojacking software that mines Monero (XMR).
The spread of the security breach is being monitored by a team called Bad Packets. They have been monitoring the breach since it was first reported on August 2, 2018. The vulnerability arises from the management portion of the Mikrotik code, which allows attackers to receive complete access to carrier grade routers in use by companies worldwide. Hackers have also targeted Coinhive cryptominer Mikrotik routers in countries including India, Indonesia, Brazil, and the United States.
The vulnerability leads to the interjection of Coinhave miner into machines that connect to the internet through an affected Mikrotik Router. At this point, many computers are at risk. According to Simon Kenin, a security researcher at Spider Labs:
“Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices.”
The vulnerability differs from the earlier weaknesses reported in March 2018. The earlier one was reported as “VPNFilter” and it allowed attackers to take over Mikrotik routers with the vulnerability. Therefore, the platform patched the vulnerability.
This vulnerability has not received press coverage and worse yet, its implications are far reaching for affected Mikrotik operators. Hackers have gained access to more than 200,000 routers and they are actively injecting them with mining malware, packet analyzers, and more. Further, unlike the VPNFilter loophole, a simple reboot will not remove the attacker from the router.
Those who are affected may want to try to cleanly upgrade the router’s firmware to the latest version 6.43 and to use the most recent Winbox Control Panel 3.18.