MicroTik router infections spread, cause surge in CoinHive

Security researchers recently spotted a surge in CoinHive infected MikroTik network devices in Brazil.  

Trustwave security researcher, Simon Kenin, performed a deep-dive analysis and discovered all of the infected devices were traced back to the same CoinHive sitekey and likely the same attacker. The research was published Wednesday on the SpiderLabs blog. 

Another researcher discovered “mass exploitation” of MicroTik routers as posted on Twitter a couple of days before.  

The attacker was likely exploiting an older vulnerability (CVE-2018-14847) that was patched by MikroTik on April 23rd of 2018. 

The vulnerability is related to Winbox for MikroTik RouterOS through 6.42, which can allow a remote attacker to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.

Kenin also said the attacker likely used the device’s functionality to inject the malicious CoinHive script into every webpage that the user visited. The attacker also created a custom error page with the CoinHive script hidden in it and used to mine CoinHive. 

Similar CoinHive activity was later spotted in other regions of the world that could indicate an intended much wider global scale attack.

Unfortunately, there were still hundreds of thousands of unpatched MicroTik routers at the time of the discovery. 

So users and administrators are strongly encouraged to patch their MicroTik routers as soon as possible.