August 9, 2018 By Douglas Bonderud 2 min read

Security researchers observed a massive router attack in which threat actors injected CoinHive into more than 170,000 devices to mine for Monero.

On July 31, security firm Trustwave detected a substantial CoinHive uptick in Brazil and identified MikroTik routers as the infection point upon further investigation. By leveraging CVE-2018-14847, a critical Winbox flaw, attackers gathered sensitive information from target devices and then gained unauthenticated, remote admin access. This tactic allowed them to inject the CoinHive script, which uses system resources to mine for Monero.

Although the majority of infected devices are in Brazil, this router attack is gaining ground internationally, according to the report.

The Impact of Malicious Miners

Crypto-mining malware eats up system resources, which could cause performance issues and compromise overall network security. For this attack, the threat actors targeted carrier-grade routers that serve global industries and internet service providers (ISPs) — increasing their reach and making it difficult for security teams to eliminate all CoinHive instances.

According to Trustwave, this impacts “users who are not directly connected to the infected router’s network,” as well as those who “visit websites behind these infected routers.”

As the campaign spread worldwide, researchers discovered a placeholder script (u113.src) and a backdoor account (called “ftu”) that allows attackers to send additional commands to any compromised device. Given the sheer number of devices impacted, the campaign could easily shift from simple crypto-mining to ransomware or complete network compromise.

How to Mitigate the Risk of a Router Attack

Although MikroTik released a fix for the flaw in April 2018, Trustwave noted that “there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there.”

To limit the risk of vulnerabilities like the Winbox bug, IBM Security experts recommend implementing strict patch management policies and prioritizing security information and event management (SIEM) logs — so routers don’t get lost in the mix. While routers may go several days without sending a log, it’s important to review these logs regularly to ensure that CoinHive or other malware hasn’t set up shop.

Mitigating the impact of cryptojacking malware also requires a more active and decisive approach to risk management. Given the rapidly expanding market share of coin mining tools, security experts advise organizations to reevaluate potential areas of risk, impacts of compromise and potential long-term effects to create an actionable risk mitigation plan.

Sources: Trustwave, MikroTik

More from

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today