ISPs were patient zero in a mass cryptojacking wave hitting Brazil
That’s why you keep your software up to date.
Cryptojacking is when an attacker infects a victim’s computer with a cryptocurrency miner, and then leeches their computing power for profit. Cryptojackers quickly became the most popular type of malware by a very large margin, often striking victims through creative attack vectors where traditional malware would probably have failed.
It looks like someone recently found another brand new attack vector, targeting carrier-grade MikroTik routers used by ISPs through an old vulnerability, and from there infecting about 200,000 Internet connections across Brazil and elsewhere.
The infection was discovered by Simon Kenin of Trustwave SpiderLabs on 31 July, when he picked up an unusual surge of cryptojacking activity in Brazil. He quickly ruled out a coincidence by noticing that all the infections were MikroTik network devices, and that all of the mining returns were going to the same entity.
By following tales of frustrated users, Kenin concluded that the Internet service providers themselves had their MikroTik routers compromised to mine cryptocurrency through their customers’ computers.
The exploit itself was patched almost immediately after discovery on 23 April, but not all MikroTik users actually bothered to install the update.
By getting in through slacking ISPs, the attacker could hit all their customers, netting some 200,000 devices in short order. These devices would then inject the Coinhive mining script into web pages visited by the user.
To make matters worse for the victims, and better for the attacker, the attack also hit websites behind infected routers. So business servers using unpatched MikroTik routers and hosting websites would also cryptojack visitors to the site, regardless of where they were visiting from.
“Let me emphasise how bad this attack is,” Kenin wrote. “The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices. There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.
“Allegedly, each user would have initially gotten the CoinHive script regardless which site they visited. Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.
- Cryptocurrency: Why all eyes are on eToro’s USA launch
- Bitcoin weekly price analysis 28 August: Token’s value soars in face of ETF rejections
- Most global companies are slow to adopt blockchain technology: PwC survey
- Leading universities are offering a growing number of crypto courses: Coinbase
- Cryptocurrency: Value-making coins vs value-giving coins