Cryptomining malware targeting MikroTik routers was first discovered in Brazil in August, and the campaign continues to spread around the world.
Malware that specifically targets MikroTik routers could now be affecting more than 415,000 routers across the globe, according to a December 2 tweet from VriesHD.
According to Bad Packets LLC, a security research firm, over 170,000 routers in Brazil were infected with the mining malware. Security researcher Simon Kenin of cybersecurity firm Trustwave described the attack by saying:
“The attacker wisely thought that instead of infecting small sites with few visitors or finding sophisticated ways to run malware on end-user computers, they would go straight to the source: carrier-grade router devices.”
According to Bad Packets, the epidemic is spreading. By August 25, the infected devices included approximately 3,000 MikroTik routers in the US on IP addresses assigned to internet service provider Cogent. A month later, over 600 routers belonging to the Douglas County Public Utility District in north-central Washington state were infected with the malware. According to Bad Packets, “39% of the IPs they manage route to a compromised device.”
Research shows that Coinhive is the mining script found in most of these infections, but the single largest “campaign” used CoinImp software and infected 115,000 routers. And in September, Bad Packets pointed out yet another campaign targeting MikroTik routers, this one injecting MinerAlt software, which also mines Monero and skims 30 percent of users’ mining revenue. To avoid detection, “Infected routers in this campaign are configured to throttle the CPU usage of the victims’ devices… the amount of CPU power used for mining cryptocurrency is roughly 80%.”
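The article does not say how the mining script reaches victims’ browsers; in Trustwave’s published analysis of the Brazilian campaign, the compromised router’s web proxy injected it into pages passing through the device. The following is an added example, not code from the article, Bad Packets or Trustwave: a small Python detector that inspects an HTTP response body for a script loaded from a known browser-miner host and pulls out the site key and the `throttle` option, so an ISP or network owner can spot injected pages and read off how much CPU the miner is allowed. The sample pages are constructed, `SITE_KEY_PLACEHOLDER` is a dummy key, and `example-miner.invalid` is an assumed placeholder standing in for the CoinImp and MinerAlt loader hostnames, which the article does not give; Coinhive’s `throttle` semantics (the fraction of time the miner idles, so 0.2 leaves it roughly 80% of the CPU) are Coinhive’s real option, and the detector generalises beyond Coinhive to any host in the indicator list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any real router or site).
# INJECTED_PAGE mimics a page that passed through a compromised router: the
# loader script plus an Anonymous() call. In Coinhive's API 'throttle' is the
# fraction of time the miner idles, so throttle 0.2 leaves it ~80% of the CPU,
# the figure Bad Packets reported for the MinerAlt campaign.
INJECTED_PAGE = """<html><head><title>Example</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.2});
  miner.start();
</script>
</head><body>hello</body></html>"""

CLEAN_PAGE = "<html><head><title>Example</title></head><body>hello</body></html>"

# Hostnames of miner loaders. coinhive.com, coin-hive.com and authedmine.com are
# Coinhive's own domains; 'example-miner.invalid' is an assumed placeholder for the
# other services named in the article (CoinImp, MinerAlt), whose loader hostnames
# the article does not give. Feed in your own IOC list in practice.
MINER_HOSTS: Tuple[str, ...] = (
    "coinhive.com", "coin-hive.com", "authedmine.com", "example-miner.invalid",
)

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
THROTTLE_RE = re.compile(r'throttle\s*:\s*([0-9]*\.?[0-9]+)')
SITE_KEY_RE = re.compile(r'\.Anonymous\(\s*["\']([A-Za-z0-9_-]+)["\']')


@dataclass
class MinerFinding:
    loader_url: str
    site_key: Optional[str]   # the attacker's payout key; useful for clustering campaigns
    throttle: Optional[float]

    @property
    def cpu_share(self) -> Optional[float]:
        """Approximate share of the victim's CPU the miner may use (1 - throttle)."""
        return None if self.throttle is None else round(1.0 - self.throttle, 2)


def _host_matches(url: str, hosts: Tuple[str, ...]) -> bool:
    """True if the script URL's host is, or is a subdomain of, a listed miner host."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def find_injected_miners(body: str, hosts: Tuple[str, ...] = MINER_HOSTS) -> List[MinerFinding]:
    """Return one finding per <script src=...> that loads from a known miner host.

    The site key and throttle are taken from the first matching call in the body,
    which covers the usual single-miner injection; a page carrying several miners
    would need per-script scoping.
    """
    key = SITE_KEY_RE.search(body)
    thr = THROTTLE_RE.search(body)
    findings = []
    for url in SCRIPT_SRC_RE.findall(body):
        if _host_matches(url, hosts):
            findings.append(MinerFinding(
                loader_url=url,
                site_key=key.group(1) if key else None,
                throttle=float(thr.group(1)) if thr else None,
            ))
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        found = find_injected_miners(page)
        if not found:
            print(f"{name}: no miner loader found")
        for f in found:
            print(f"{name}: miner loaded from {f.loader_url}, key={f.site_key}, "
                  f"throttle={f.throttle}, cpu_share={f.cpu_share}")
```

Run against proxied or captured HTTP bodies, the site key is the most useful output: one key appearing across many customer IPs is the signature of a single router-level injection campaign rather than individually infected websites, which is exactly the distinction Kenin draws above.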
Although those responsible for the malware keep changing their methods to evade discovery, there is at least one fix that victims, internet service providers, and MikroTik router owners can apply to protect themselves, and it was released back in April. MikroTik’s patch, intended to “fix a zero-day vulnerability exploited in the wild,” was released after users of a Czech tech forum spotted mining attacks targeting Winbox, a remote management service included with all MikroTik routers that lets administrators configure the device. Note that upgrading closes the hole but does not undo configuration an attacker has already written to the device: a router that was compromised before the update still needs its scheduler entries, proxy settings and credentials reviewed and cleaned.
However, even after repeated warnings from MikroTik and security researchers to upgrade, a large number of devices remain infected. According to a September tweet from Bad Packets, several hundred thousand hosts were still compromised.
Describing the challenge of upgrading one’s router, the researcher behind the VriesHD account told Hard Fork:
“Users should indeed update their routers, yet the biggest bunch of them are distributed by ISPs to their customers, who often have no idea what to do or how to update the router. Often these distributed routers are limited in their rights as well, not allowing users to update the routers themselves. The patch for this specific problem has been out for months and I’ve seen ISPs with thousands of infections disappear from the list. Unfortunately, it appears tons of ISPs simply won’t take action to mitigate the attacks.”