Coinhive Malware Affects 200K MikroTik Router Users

Security analysts as of late identified a sequence of cryptomining intrusions, which at first invaded countless number of users in Brazil to establish a mushrooming mining botnet by injecting insecure devices with malware.

As indicated by reports, the gadgets targeted for the intrusions were MikroTik switches which had an obsolete programming patch. In April 2018, the organization fixed a remote contact vulnerability, which enabled hackers to obtain unauthenticated control over MikroTik switches.

Back then, a proof-of-concept detailing how the vulnerability can be exploited to access the MikroTik devices was released by security analysts who studied the patch. The hackers had used the information to inject the routers with malware that deploys the Coinhive browser-based cryptocurrency mining software.

The deployment begins when users access the World Wide Web through the MikroTik proxy after encountering a HTTP error. The web pages accessed by users are injected with Coinhive’s Javascript. The users’ system is then used to mine Monero without their knowledge.

Cryptojacking – a global threat

So far, researchers have identified at least three cryptojacking incidents. As many as 183,700 users of MikroTik routers were affected in Brazil.

The other two attacks involving MikroTik routers affected 16,000 and 25,000 users respectively. Most of the affected users were residents of Moldova. The incident was discovered by another researcher.

The identified incidents signaled that the cryptojacking plot is not restricted to a particular geographical region. This is a cause of worry to analysts and researchers across the globe. There has been a drastic rise in cryptojacking cases in the past few years. Cryptojacking is turning out to be one of the dominant cybersecurity threats around the world. Even Linux based systems, which are traditionally considered to be safe, are unable to escape from the mining malware.

Analysts have advised users of MikroTik device to apply the patch and reset their passwords.