Over 200,000 MikroTik Routers Inject CoinHive Script in Users’ Web Traffic

Delaware, USA – August 3, 2018 – This week in Brazil, an unknown attacker started massive cryptojacking campaign targeted MikroTik routers, quickly spreading around the world. He exploits a zero-day vulnerability in MikroTik routers patched this April to inject Coinhive cryptocurrency mining script into web pages visited by users. The attacker knows these routers well and uses one of the public proofs-of-concept exploits to access them. Instead of using malware, he uses the device’s functionality to achieve persistence and inject the CoinHive script. At the beginning of the campaign, routers injected the script into all visited pages, but shortly the attacker left the CoinHive script only in a specially created on the router error page to cause less suspicion and attention.

Compromised routers have a scheduled task to download the latest version of the error page every 90 minutes and a backdoor account named “ftu”. This allows the attacker to maintain persistence and quickly change Coinhive key. At the moment, more than 200,000 routers are compromised and mine Monero all over the world. Even though the update was released a few months ago, there are more than a million routers vulnerable to this attack. ISPs often use MikroTik routers, and all of their users become victims of in-browser cryptomining so that any organization can’t feel safe. To uncover its signs, you can leverage ArcSight with Web Mining Detector use case, which tracks connections to the Coinhive platform and notifies the administrator about incidents.