MikroTik routers enslaved in massive Coinhive cryptocurrency mining campaign

A massive cryptocurrency mining campaign has hit Brazil through the enslavement of MikroTik routers and network devices.

According to Trustwave researcher Simon Kenin, a spike in Coinhive activity was detected on July 31, indicating that a malicious cryptocurrency mining operation was

In a blog post, the researcher said that on further review it appeared that MikroTik devices were involved.

MikroTik, based in Latvia, supplies network equipment to customers worldwide; in this campaign, Brazil is the main country that has been targeted.

It could have been a strange coincidence, nothing more than a set of unrelated compromises occurring at the same time, but Kenin noted that all the devices were using the same Coinhive site key.

Coinhive is a legitimate script, generally run in the browser, that websites use to temporarily borrow visitors' CPU power in order to mine the Monero virtual currency. Widespread abuse of the script has led many antivirus and cybersecurity companies to block it.

If the same site key was in use, all the involved devices were mining on behalf of a single controlling entity. While Trustwave estimated that up to 175,000 devices were compromised, security researcher Troy Mursch told Bleeping Computer that a second site key was in use by about 25,000 routers.

If both keys are the work of the same threat actor, this brings the count to around 200,000.

Image: Trustwave

It took some digging by the researcher to find the link between the spike in Coinhive activity and MikroTik. A router made by the company was traced to a compromise at a hospital in Brazil, and a Reddit post from an individual who was having problems with his system at the same time, asking for help, provided further clues.


The user in question stated that every web page he visited had the Coinhive code injected into it, and that neither changing DNS settings nor replacing the router helped.

"At this point, it is worth noting that MikroTik routers are used by Internet providers and large organizations, and in this case it seems that the Reddit poster's ISP had its router compromised, like the hospital router I mentioned earlier in the post," the researcher said.

A tweet by MalwareHunter then provided the link.

The message concerned the "mass exploitation" of MikroTik devices. However, the vulnerability that allowed the routers to be enslaved for cryptocurrency mining was not a zero-day; it is CVE-2018-14847, a security bug affecting Winbox for MikroTik RouterOS.

According to the vulnerability description, through version 6.42 of the software, remote attackers are able to bypass authentication and read arbitrary files by modifying a request to change one byte related to a session ID.


The mass exploitation of these devices is not necessarily the vendor's fault. The bug was fixed within a day of its discovery, but unfortunately hundreds of thousands of devices have not been updated, leaving them vulnerable to exploitation.

Using the security flaw, the threat actor behind the campaign was able to compromise the router and inject the Coinhive script into every web page visited by users behind it. Because the injection happens on the router rather than on the websites themselves, it affects every client on that network regardless of the site visited, which is why changing DNS settings did not help the Reddit user.
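The observation that tied the campaign together is that one Coinhive site key showed up across many unrelated sites. The following detection logic, added here as an example and not code from the article or from Trustwave, scans fetched page bodies (constructed samples with placeholder keys) for Coinhive loader references, extracts the site keys, and flags any key that appears on several unrelated hosts, which points to injection upstream of the client rather than a site owner mining deliberately.

```python
import re
from collections import defaultdict

# Matches the Coinhive miner constructor and captures the site key, e.g.
#   new CoinHive.Anonymous('SITEKEY')  or  new CoinHive.User('SITEKEY', 'name')
COINHIVE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9_-]+)['\"]", re.IGNORECASE)
# Matches a reference to the Coinhive loader script itself.
COINHIVE_LIB_RE = re.compile(r"coinhive\.com/lib/", re.IGNORECASE)


def find_coinhive_keys(html: str) -> list[str]:
    """Return the Coinhive site keys referenced by one fetched page body."""
    if not COINHIVE_LIB_RE.search(html):
        return []
    return COINHIVE_KEY_RE.findall(html)


def keys_by_host(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each site key to the set of hosts whose pages carried it."""
    seen: dict[str, set[str]] = defaultdict(set)
    for host, html in pages.items():
        for key in find_coinhive_keys(html):
            seen[key].add(host)
    return dict(seen)


def suspect_injected_keys(pages: dict[str, str], min_hosts: int = 3) -> set[str]:
    """Keys seen on at least `min_hosts` unrelated hosts. A site owner who mines
    deliberately has one key on one site; the same key on many unrelated sites
    points at injection somewhere between the client and the web (e.g. a router)."""
    return {k for k, hosts in keys_by_host(pages).items() if len(hosts) >= min_hosts}


# Constructed sample page bodies (not captured data); site keys are placeholders.
INJECTED = ('<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
            '<script>var miner = new CoinHive.Anonymous("KEY_A_PLACEHOLDER");'
            'miner.start();</script>')
SAMPLE_PAGES = {
    "news.example": "<html><body>headlines</body></html>" + INJECTED,
    "shop.example": "<html><body>cart</body></html>" + INJECTED,
    "blog.example": "<html><body>post</body></html>" + INJECTED,
    "mine.example": ('<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                     "<script>new CoinHive.User('KEY_B_PLACEHOLDER', 'me').start();</script>"),
    "clean.example": "<html><body>nothing here</body></html>",
}

if __name__ == "__main__":
    for key, hosts in sorted(keys_by_host(SAMPLE_PAGES).items()):
        print(f"{key}: {len(hosts)} host(s) -> {sorted(hosts)}")
    print("suspect injected keys:", suspect_injected_keys(SAMPLE_PAGES))
```

In practice the page bodies would come from a proxy or browser-side capture on the network under investigation; the per-site key KEY_B is left alone while KEY_A, shared by three unrelated hosts, is flagged.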

It is not known who is behind the campaign, but Kenin believes that "the attacker is clearly demonstrating a high level of understanding of how these MikroTik routers work."


This campaign is another example of what can happen on a large scale if individual devices do not receive security updates.

Just as the Mirai IoT botnet was able to wreak havoc because of unprotected home devices, the security of our individual devices must be taken more seriously.

"Ransomware awareness has increased. In many cases, even if an attacker can encrypt files, users have backups these days," the researcher added. "That means they do not pay the ransom as often as they used to. Miners, on the other hand, can be much more stealthy, so while a single computer could make more money from ransomware if the user ends up paying, an attacker would prefer to use a stealthy miner for a longer period of time."
