170K+ MikroTik Routers Inject Cryptomining Script

A hacker has managed to compromise more than 170,000 routers made by MikroTik and uses them to inject browser-based cryptomining scripts into legitimate websites visited by users.

According to Simon Kenin, a researcher at Trustwave who spotted and investigated the attack, the hacker is breaking into routers by exploiting a vulnerability that MikroTik patched on Apr. 23, 2018.

The flaw allows remote attackers who can reach a device's Winbox management service to bypass authentication, download the router's configuration files and recover the administrative username and password from them, gaining full control of the device.

In the attack Kenin investigated, the attacker abuses MikroTik's built-in web proxy feature to inject CoinHive cryptomining code into web pages served to users whose internet traffic passes through the compromised routers.

MikroTik is a Latvian company that makes consumer and enterprise-grade routers and wireless networking devices. Its equipment is used by home users, companies, government agencies and ISPs around the world.

CoinHive is a service that allows website owners to earn money by using visitors’ computing resources to mine cryptocurrency. This is done by injecting a small piece of JavaScript into websites that then gets executed by visitors’ browsers.

Even though CoinHive’s creators market the service as a legitimate way for website owners to earn money, it is also frequently abused by hackers who inject the script, configured with their own site key so that the mining proceeds go to them, into other people’s websites without authorization.

Kenin found that a script with a particular CoinHive “sitekey” was being injected into web traffic by around 70,000 MikroTik routers, mostly from Brazil. However, the attack later expanded internationally and now affects more than 170,000 routers.

In some cases, the script is only injected into error pages. But in others, it’s injected into every single web page opened by users. Some users had their home or business routers hacked, but other injections are done through ISP routers and affect larger populations.

Kenin also found a website that served the CoinHive script and the attacker’s unique sitekey even when it was accessed from networks that didn’t use MikroTik routers. It turned out that the web server hosting the site was itself behind a compromised MikroTik router, so the attack works in both directions: It affects users behind MikroTik routers when they access websites on the internet, and internet users when they access websites hosted behind MikroTik routers.

“Let me emphasize how bad this attack is,” Kenin said in a blog post. “The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source: carrier-grade router devices. There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.”

This means that even if the attacker restricts his injections to error pages, he would still potentially get millions of daily loads of his CoinHive script and sitekey.

This attack highlights how important it is to keep router firmware updated and why such devices are an increasingly attractive target for hackers. Cybercriminals can use compromised routers to launch distributed denial-of-service (DDoS) attacks, spy on users’ web traffic and steal credentials, redirect users to phishing pages when they attempt to visit legitimate websites, attack other devices on their local network and, as seen in this case, hijack users’ browsers and computing resources for cryptomining.

If you have a MikroTik router that you haven’t updated, do so as soon as possible. Because the flaw exposes the credentials stored on the device, updating alone is not enough: change the passwords for all of its accounts afterward, restrict access to its management services, and review its configuration for changes you did not make, particularly anything involving the web proxy.
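The following RouterOS CLI session is an added example, not code from the article or from Trustwave's research. It turns the advice above, and the injection mechanism described earlier (the router's web proxy rewriting pages and error pages), into concrete checks and fixes. It assumes you are logged in as an administrator over a path you trust (console, or a LAN you control) and that 192.168.88.0/24 is your management network; that address range, the passphrase placeholder and the comment text are hypothetical. The fixed release named in step 5 (RouterOS 6.42.1, published Apr. 23, 2018) is a fact outside the article.

```routeros
# Audit-and-harden session for a MikroTik router (RouterOS CLI).
# Added example, not the article's or Trustwave's code.
# Assumes: admin session over a trusted path; 192.168.88.0/24 is the
# management network (hypothetical value, change it to yours).

# 1. Look for the injection mechanism: the built-in web proxy, NAT rules
#    that silently redirect port 80 traffic into it, and a replaced proxy
#    error page (the attack injected into error pages on many routers).
/ip proxy print
/ip firewall nat print where action=redirect
/file print where name~"error.html"

# 2. Remove the proxy path if you do not use it. Disabling the proxy stops
#    the injection, but a leftover redirect rule will then break plain-HTTP
#    browsing, so remove any redirect rule you did not create as well.
/ip proxy set enabled=no
/ip firewall nat remove [find where action=redirect and dst-port=80]

# 3. Stop the initial access: Winbox (TCP 8291) and the other management
#    services should answer only the management network, never the WAN.
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www-ssl,api,api-ssl
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address=!192.168.88.0/24 action=drop comment="block Winbox from outside the management network" place-before=0

# 4. Rotate every credential; the Winbox flaw exposes the stored ones, so
#    any password that existed before the update must be treated as known.
/user print
/user set admin password="replace-with-a-long-unique-passphrase"

# 5. Install the fixed RouterOS release (6.42.1 or later carries the
#    Apr. 23, 2018 patch). The install step reboots the router.
/system package update check-for-updates
/system package update install
```

Run step 1 before anything else and keep the output: an enabled proxy you never turned on, a `redirect` rule to the proxy port, or an `error.html` you did not upload are the indicators that the device was already used for injection, and the credential rotation in step 4 should then extend to any other system where the same passwords were reused.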

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42