Cyber law-breakers are up for some more mining of crypto-currency, which is why around 200,000 plus, MikroTik Routers were infected by using a site key under the CoinHive crypto-jacking campaign. This campaign was, in its initial phases, majorly functioning in parts of Brazil, only to span up, to the entire world, later.
These routers are targeted so that their configuration could be changed and a replica of the CoinHive in-browser crypto-currency mining script could be placed in the user’s web traffic. There are, supposedly, at the least, three malware behind the exploitation of the mentioned routers.
The exploiting was done to a recognized vulnerability in the Winbox component of MikroTik, which was uncovered earlier, in April 2018. However, the vulnerability was patched in a day or two that followed. Nevertheless, due to the shortcoming, an attacker could gain unlawful and administrative access to the infected router.
According to a Brazilian user, every webpage that was being opened through the infected router was being injected by the CoinHive code. The first attacks were discovered by a Brazilian researcher, but with the increasing number of the infected routers, Simon Kenin, a security researcher at Trustwave’s SpiderLabs division, paid attention to the matter.
MikroTik devices, exceeding the number of 170,000 were detected with the CoinHive site key.
The procedure of infection was such, that at the outset, a custom error page was being created and the embedded CoinHive script was being injected in that page. This custom error page would then, begin CoinHive Mining. By means of a wireless connection with the infected router, CoinHive miner executed the mining of the crypto-currency.
The attackers are said to have an astonishing knowledge of the MikroTik routers. The script that was used had the ability to convert the present site key and convert it into another. The script could also modify some system settings, enable the proxy, fetch the custom error pages and create the scheduled tasks for updating. A backdoor account of the name “ftu” is generated as well.
This isn’t the first time the MikroTik routers were targeted. If or not it’s the last time, is a question to be answered by the times to come.