Friday, November 1, 2024
HomeMalwareHackers Attack Over 200,000 MikroTik Routers & Infected with Mass Coinhive Cryptojacking...

Hackers Attack Over 200,000 MikroTik Routers & Infected with Mass Coinhive Cryptojacking Malware

Published on

Malware protection

Cybercriminals infecting over 1,50,000 MikroTik Routers using Coinhive Cryptojacking Campaign using site key to ultimately mining the cryptocurrency.

Based on the Shodan query returns and the site key that used by an attacker for those devices indicates that it mainly focused on Brazil.

In this case, one of the users from Brazil complains that CoinHive code injects that every page that he visits but he can’t solve it even though changing the DNS and removing the router.

- Advertisement - SIEM as a Service

Also, a Tweet finds in Twitter say that the exploit used against the MikroTik routers that are not a zero day but for a vulnerability patched by MikroTik on April.

https://twitter.com/MalwareHunterBR/status/1023893755974352896

After the patch released by MikroTik, still there are hundreds of thousands of unpatched devices are out there and many of them found in Brazil.

A Researcher from trustwave found that the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.

How does MikroTik Routers Infected

Intially stage of the attack starts with a custom error page that created by attackers and injects the embedded CoinHive script within it.

Criminals utilized the device functionality to injecting the CoinHive content into each page that a visit by users.

When user receiving the error page while web browsing, they will get this custom error page which will mine CoinHive for the attacker.

According to the researcher, The backend Apache server is connected to the router as well, and somewhere along the way there was an error and it was displayed to me, miner included. What this means is that this also impacts users who are not directly connected to the infected router’s network, but also users who visit websites behind these infected routers. In other words, the attack works in both directions.

So whenever user connecting the router using Wireless connection the CoinHive miners starts its execution and mine the cryptocurrency.

Here  mikrotik.php file is unknown and it doesn’t exist in the attacker server, also since the attackers having an extraordinary understanding of the Mikrotik router, It could be the script that injects CoinHive into every HTML page.

Also, it has an ability to change the current site key once the user will replace with another, here attackers perform the scheduled task that downloads and executes a script written for MikroTik routers.

Researchers find the script that attackers used to attack the vulnerable routers and “the script modifies some system settings, enables the proxy, fetches the custom error pages and creates the scheduled tasks for updating if needed. A backdoor account named “ftu” is created as well.”

This coinhive site key finds in over 170,000 MikroTik devices and some time server connected with infected servers also return an error page, another Tweet mention that another 25,000 servers are infected.

https://twitter.com/bad_packets/status/1024963272355676160

This attack warning that the reminder to everyone who has a MikroTik device to patch as soon as possible.

Also Read:

HNS IoT Botnet Scanning & Exploits the Routers to Compromise the Victims Networks

Russia, Routers, and Why Virtually Everyone is part of the DDoS Problem

Cisco Auditing Tool & Cisco Global Exploiter to Exploit 14 Vulnerabilities in Cisco Switches and Routers

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...