According to a blog post published on Aug 1, 2018, about 200,000 routers in Brazil were compromised to deliver cryptocurrency mining scripts that mine Monero (XMR). The attackers compromised vulnerable MikroTik routers and injected the CoinHive script into the routers' web pages to carry out a mass cryptocurrency mining attack. The IDS/IPS research team at Quick Heal Security Labs observed the attack and started digging into our telemetry for traces of it. That effort turned up traces of the attack at our customers, all of which were completely blocked by Quick Heal's IDS/IPS solution.
Our telemetry recorded hits for the corresponding IDS/IPS signatures from July 30, 2018 to Aug 4, 2018; we did not see any hits after Aug 4, 2018. We believe the infected routers were cleaned up and patched against the vulnerability that led to the attack.
The compromised URLs that were accessed had a typical structure like this:
http://<Router IP Address>/<Random String>.php
A sample of the URL set received in telemetry is shown below.
At the time of the analysis, the compromised pages did not deliver the cryptocurrency miner code, as most of them were already down. A typical injected CoinHive JavaScript looks like the one below:
To know more about how CoinHive cryptocurrency mining works, read this blog post.
The fingerprint of one of the routers is shown below; it clearly identifies the device as a MikroTik.
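The URL pattern and the injected CoinHive script described above can be turned into simple detection logic that runs over captured HTTP records. The following is an added example, not code from the original post or from Quick Heal: the sample records are constructed (RFC 5737 documentation addresses, a placeholder site key), and the CoinHive indicators are taken from CoinHive's public JavaScript API (the coinhive.min.js loader and the CoinHive.Anonymous constructor). It also handles the case noted above where the page has already been taken down: the URL still matches but no miner is served.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample records (URL, HTTP status, response body) standing in for
# the telemetry described in the post. None of these are real captures.
SAMPLE_RECORDS = [
    {
        "url": "http://192.0.2.10/aZk3Qw.php",
        "status": 200,
        "body": (
            "<html><head>"
            '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
            "<script>var miner = new CoinHive.Anonymous("
            '"abcdefghijklmnopqrstuvwxyz0123456789ABCD", {throttle: 0.3});'
            " miner.start();</script>"
            "</head><body>Loading...</body></html>"
        ),
    },
    {
        # Page already taken down: the URL pattern matches, but no miner is served.
        "url": "http://198.51.100.7/Qr7Lp9.php",
        "status": 404,
        "body": "<html><body>404 Not Found</body></html>",
    },
    {
        # Ordinary site: hostname is not a bare IP and there is no miner.
        "url": "http://www.example.com/index.php",
        "status": 200,
        "body": "<html><body>Hello</body></html>",
    },
]

# http://<Router IP Address>/<Random String>.php as described in the post:
# a single path segment of alphanumerics ending in .php on a bare IPv4 host.
_PHP_PATH = re.compile(r"^/[A-Za-z0-9]{4,}\.php$")

# Indicators of a CoinHive loader, from CoinHive's public JS API.
# The Anonymous constructor's first argument is the attacker's site key.
_INDICATORS = {
    "coinhive_loader": re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.I),
    "coinhive_anonymous": re.compile(
        r"CoinHive\.Anonymous\s*\(\s*['\"]([A-Za-z0-9]+)['\"]"
    ),
    "miner_start": re.compile(r"\.start\s*\(\s*\)"),
}


def matches_router_url_pattern(url: str) -> bool:
    """True if url is http://<IPv4>/<alnum>.php with no query or fragment."""
    p = urlparse(url)
    if p.scheme != "http" or p.query or p.fragment:
        return False
    try:
        ipaddress.IPv4Address(p.hostname or "")
    except ValueError:
        return False
    return bool(_PHP_PATH.match(p.path))


def find_coinhive_indicators(body: str) -> dict:
    """Return the CoinHive indicators present in an HTML body; the value for
    coinhive_anonymous is the extracted site key, True for the others."""
    found = {}
    for name, rx in _INDICATORS.items():
        m = rx.search(body)
        if m:
            found[name] = m.group(1) if m.groups() else True
    return found


def classify(record: dict) -> dict:
    """Three-way verdict: miner present, suspicious URL only, or clean."""
    url_hit = matches_router_url_pattern(record["url"])
    indicators = find_coinhive_indicators(record.get("body", ""))
    has_miner = "coinhive_loader" in indicators or "coinhive_anonymous" in indicators
    if has_miner:
        verdict = "coinhive_injected"
    elif url_hit:
        verdict = "suspicious_url_only"  # low confidence on its own
    else:
        verdict = "clean"
    return {
        "url": record["url"],
        "verdict": verdict,
        "url_pattern": url_hit,
        "site_key": indicators.get("coinhive_anonymous"),
        "indicators": sorted(indicators),
    }


def scan(records) -> list:
    """Classify every record; suitable for a proxy log or PCAP-derived feed."""
    return [classify(r) for r in records]


if __name__ == "__main__":
    for result in scan(SAMPLE_RECORDS):
        print(result["verdict"], result["url"], result["site_key"])
```

A URL-pattern hit on its own is low confidence, since any PHP page served from a bare IP address matches; it is the CoinHive loader and site key in the body that justify an alert, and the extracted site key is the value worth pivoting on across the telemetry.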
The most affected country was Brazil, followed by Russia. We also saw affected devices in countries such as Vietnam, the Republic of Moldova and the United States.
This shows the scale of the mass router compromise, which in turn would have affected many users, and it shows the importance of patching well-known vulnerabilities. Updating routers and IoT devices is a challenge, but we strongly recommend getting familiar with the upgrade process for your devices and applying the latest patches regularly. Even though MikroTik had issued a patch for this vulnerability in April 2018, the affected devices had not been patched, which led to this massive router compromise. To defend against such attacks, it is essential to patch all kinds of devices.
Quick Heal IDS/IPS Detection
- HTTP/CoinhiveMiner.UN!KP.4461 – Coinhive miner requests
Source: QuickHeal Feeds