Security researchers observed a massive router attack in which threat actors injected CoinHive into over 170,000 devices to mine Monero.
On July 31, security company Trustwave detected a noticeable increase in CoinHive activity in Brazil and, on further investigation, identified MikroTik routers as the source of the infections. By exploiting CVE-2018-14847, a critical flaw in Winbox, attackers collected confidential information from target devices and then obtained unauthenticated remote administrative access. This access allowed them to inject the CoinHive script, which uses system resources to mine Monero.
Although most of the infected devices are in Brazil, the report notes that this router attack is gaining ground internationally.
The Impact of Malicious Miners
Crypto-mining malware consumes system resources, which can cause performance problems and compromise overall network security. In this attack, threat actors targeted carrier-grade routers serving global industries and Internet service providers (ISPs) – increasing their reach and making it difficult for security teams to eliminate every instance of CoinHive.
According to Trustwave, this impacts "users who are not directly connected to the infected router network", as well as those who "visit websites behind these infected routers".
As the campaign spread around the world, researchers discovered a placeholder script (u113.src) and a backdoor account (named "ftu") that allow attackers to send additional commands to any compromised device. Given the large number of affected devices, the campaign could easily switch from simple crypto-mining to ransomware or complete network compromise.
How to mitigate the risk of a router attack
Although MikroTik issued a fix for the flaw in April 2018, Trustwave noted that "there are still hundreds of thousands of devices without a patch (and therefore vulnerable) still in circulation."
To limit the risk from vulnerabilities such as the Winbox bug, IBM Security experts recommend implementing strict patch management policies and prioritizing router logs in security information and event management (SIEM) so routers are not lost in the mix. While routers may go several days without sending a log, it is important to review these logs regularly to make sure that CoinHive or other malware has not set up shop.
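The review the paragraph above calls for can be partly automated. The following Python script is an added example, not code from Trustwave, IBM Security or MikroTik: it scans a RouterOS configuration export for the two indicators the report names (the "ftu" account and the u113.src script) and scans a captured HTTP response body for an injected CoinHive script tag. The export layout and both samples are constructed for the example; the extra check that Winbox is reachable without an address restriction goes beyond the page and is a general hardening check, since Winbox was the entry point here.

```python
import re

# Indicators taken from the Trustwave findings described on this page.
BACKDOOR_USER = "ftu"
PLACEHOLDER_SCRIPT = "u113.src"

# Constructed sample of a RouterOS "/export" listing. The layout (a section
# header line followed by add/set lines) is an assumption for this example;
# this is not a capture from a real compromised device.
SAMPLE_EXPORT = """\
/ip service
set winbox disabled=no port=8291
set www disabled=no port=80
/user
add name=admin group=full
add name=ftu group=full
/system script
add name=u113.src owner=admin policy=read,write source="..."
/system scheduler
add interval=1m name=miner on-event=u113.src start-time=startup
"""

# Constructed HTTP response body of the kind an injecting router would serve
# to clients behind it; the script URL is CoinHive's then-public library path.
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>Page not found</body></html>"""

KV_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def parse_export(text):
    """Yield (section, attributes) for every add/set line in an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line          # e.g. "/user", "/system script"
            continue
        parts = line.split()
        if parts[0] not in ("add", "set"):
            continue
        attrs = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        # "set winbox disabled=no" names the item positionally, not via name=
        if parts[0] == "set" and len(parts) > 1 and "=" not in parts[1]:
            attrs.setdefault("name", parts[1])
        yield section, attrs


def scan_export(text):
    """Return human-readable findings for the indicators named in the report."""
    findings = []
    for section, attrs in parse_export(text):
        name = attrs.get("name", "")
        if section == "/user" and name == BACKDOOR_USER:
            findings.append(f"backdoor account '{name}' present")
        if section == "/system script" and name == PLACEHOLDER_SCRIPT:
            findings.append(f"script '{name}' present")
        if section == "/system scheduler" and attrs.get("on-event") == PLACEHOLDER_SCRIPT:
            findings.append(f"scheduler '{name}' runs {PLACEHOLDER_SCRIPT}")
        # Hardening check (not from the page): Winbox enabled and not limited
        # to an address list is exposed to the kind of exploit described here.
        if (section == "/ip service" and name == "winbox"
                and attrs.get("disabled", "no") == "no" and "address" not in attrs):
            findings.append("winbox enabled with no address restriction")
    return findings


def scan_html(body):
    """Return <script src=...> URLs in a response body that point at CoinHive."""
    return [src for src in SCRIPT_SRC_RE.findall(body) if "coinhive" in src.lower()]


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print("config:", finding)
    for src in scan_html(SAMPLE_HTML):
        print("html: injected miner script", src)
```

In practice the export text would come from the router itself and the HTML from a proxy or packet capture of a client behind it; any non-empty result from either scanner is a reason to take the device offline and patch it.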
Mitigating the impact of crypto-mining malware also requires a more active and decisive approach to risk management. Given the rapidly expanding market share of coin-mining tools, security experts advise organizations to reevaluate potential areas of risk, the impact of a compromise, and potential long-term effects in order to create a risk mitigation plan.
Sources: Trustwave, MikroTik