Another 3,700 MikroTik routers compromised in cryptojacking campaigns
11.9.2018 securityaffairs Hacking

Thousands of unpatched MikroTik Routers are involved in new cryptocurrency mining campaigns.
The exploit code for the CVE-2018-14847 vulnerability is becoming a commodity in the hacking underground: soon after its disclosure, crooks started using it to compromise MikroTik routers. Thousands of unpatched devices are currently mining cryptocurrency.

In early August, experts uncovered a massive cryptojacking campaign targeting MikroTik routers to inject a Coinhive cryptocurrency mining script into web traffic.

The campaign started in Brazil, but it rapidly expanded to other countries, targeting MikroTik routers all over the world; over 200,000 devices were compromised.

Even though the vendor released a security fix for the flaw in April, the number of routers that have not been updated is still very high.

Last week, experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that had been compromised to maliciously enable a Socks4 proxy, allowing attackers to hijack the traffic of the hacked devices.

The researchers scanned the Internet for vulnerable devices: they found more than 5,000K devices with TCP port 8291 open, 1,200k of which are MikroTik devices, and 370k (30.83%) of those are vulnerable to CVE-2018-14847.

In summary, more than 370,000 of the 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because their owners have not updated them.

Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.

Now the researcher Troy Mursch has noticed that the MikroTik routers infected in the latest campaign open a WebSocket tunnel for a web browser mining script.

“According to the researcher, the malware increases the CPU activity of an infected MikroTik router to about 80% and maintains it at this level,” reads a blog post published by BleepingComputer.

“This gives room for other tasks to run and mine for cryptocurrency at the same time, in the hope of keeping the activity hidden from the user.”

Bad Packets Report
@bad_packets
· Sep 10, 2018
🚨 CRYPTOJACKING MALWARE DETECTED 🚨
URL: https://play.feesocrald[.]com/app.js
Opens websocket connections to: https://s*.soodatmish[.]com/
@urlscanio archive: https://urlscan.io/responses/3cfaacb2e8ee3e7cc5685deddfed7e34bf7595015307fee64dd3c196c1d4ed93/ …

Currently found on 3,700+ compromised MikroTik routers: https://www.shodan.io/search?query=html%3A%22https%3A%2F%2Fplay.feesocrald.com%2Fapp.js%22 … pic.twitter.com/ykDxayszM5

Bad Packets Report
@bad_packets
Example infected #MikroTik router: http://187.45.50[.]35:8080
CPU usage of client throttled to ~80% pic.twitter.com/b7HOrEz6Tg

3:49 AM - Sep 10, 2018

The expert found 3,734 devices by querying Shodan for MikroTik routers running the mining tool, and the number is growing.

Most of the routers compromised in this campaign are located in Brazil (2,612) and Argentina (480).

In early August, the researcher who goes by the Twitter handle MalwareHunterBR uncovered a massive cryptojacking campaign that targeted MikroTik routers. The hackers aimed to change the configuration of the devices to inject a Coinhive cryptocurrency mining script into the users’ web traffic.

MalwareHunterBR
@MalwareHunterBR
another mass exploitation against @mikrotik_com devices (https://github.com/mrmtwoj/0day-mikrotik …)
hxxp://170.79.26.28/
CoinHive.Anonymous('hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3', #coinhive

1:31 PM - Jul 30, 2018
According to Trustwave, the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library into the traffic passing through the routers.
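Both injection campaigns described above (the Coinhive loader from the MalwareHunterBR tweet and the play.feesocrald[.]com/app.js loader reported by Bad Packets) leave the same trace for a defender: an extra script tag in pages fetched through the router. The following is an added example, not code from the article or from the researchers it cites, that flags HTML response bodies carrying such an injection; the host list, the site-key value and the sample pages are constructed for the demo.

```python
import re
from urllib.parse import urlparse
from html.parser import HTMLParser
# Hosts named in the article (defanged there with [.]); a placeholder list, fed from threat intel in practice.
MINER_HOSTS = {"play.feesocrald.com", "coinhive.com"}
# Inline Coinhive loader as shown in the tweet: CoinHive.Anonymous('<site key>')
INLINE_MINER_RE = re.compile(r"CoinHive\.Anonymous\s*\(\s*['\"]([A-Za-z0-9]+)['\"]")


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):  # script bodies arrive here as raw text
        if self._in_script:
            self.inline.append(data)


def find_miner_indicators(html):
    """Return (kind, detail) findings for one HTML body; [] means clean."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:  # urlparse also resolves protocol-relative //host/ URLs
        host = (urlparse(src).hostname or "").lower()
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("external-miner-script", src))
    for body in parser.inline:
        match = INLINE_MINER_RE.search(body)
        if match:
            findings.append(("inline-coinhive-site-key", match.group(1)))
    return findings


# Constructed sample pages: one clean, one carrying both injection styles.
CLEAN_PAGE = "<html><head><script src='/static/app.js'></script></head><body>ok</body></html>"
INJECTED_PAGE = ("<html><head><script src='https://play.feesocrald.com/app.js'></script>"
                 "<script>CoinHive.Anonymous('EXAMPLESITEKEY00').start();</script>"
                 "</head><body>ok</body></html>")
```

Run over a capture of pages served to LAN clients, a non-empty result for a site that does not itself use Coinhive is a strong sign the upstream router is rewriting traffic.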