August 9, 2018 By Douglas Bonderud 2 min read

Security researchers observed a massive router attack in which threat actors injected CoinHive into more than 170,000 devices to mine for Monero.

On July 31, security firm Trustwave detected a substantial CoinHive uptick in Brazil and identified MikroTik routers as the infection point upon further investigation. By leveraging CVE-2018-14847, a critical Winbox flaw, attackers gathered sensitive information from target devices and then gained unauthenticated, remote admin access. This tactic allowed them to inject the CoinHive script, which uses system resources to mine for Monero.

Although the majority of infected devices are in Brazil, this router attack is gaining ground internationally, according to the report.

The Impact of Malicious Miners

Crypto-mining malware eats up system resources, which could cause performance issues and compromise overall network security. For this attack, the threat actors targeted carrier-grade routers that serve global industries and internet service providers (ISPs) — increasing their reach and making it difficult for security teams to eliminate all CoinHive instances.

According to Trustwave, this impacts “users who are not directly connected to the infected router’s network,” as well as those who “visit websites behind these infected routers.”

As the campaign spread worldwide, researchers discovered a placeholder script (u113.src) and a backdoor account (called “ftu”) that allows attackers to send additional commands to any compromised device. Given the sheer number of devices impacted, the campaign could easily shift from simple crypto-mining to ransomware or complete network compromise.

How to Mitigate the Risk of a Router Attack

Although MikroTik released a fix for the flaw in April 2018, Trustwave noted that “there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there.”

To limit the risk of vulnerabilities like the Winbox bug, IBM Security experts recommend implementing strict patch management policies and prioritizing security information and event management (SIEM) logs — so routers don’t get lost in the mix. While routers may go several days without sending a log, it’s important to review these logs regularly to ensure that CoinHive or other malware hasn’t set up shop.

Mitigating the impact of cryptojacking malware also requires a more active and decisive approach to risk management. Given the rapidly expanding market share of coin mining tools, security experts advise organizations to reevaluate potential areas of risk, impacts of compromise and potential long-term effects to create an actionable risk mitigation plan.

Sources: Trustwave, MikroTik

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today